Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cf83f81f authored by Walter Yang's avatar Walter Yang Committed by Gerrit - the friendly Code Review server
Browse files

ASoC: msm-cpe-lsm: cleanup ioctl functions 



Some of the ioctl command handling is not properly using the
copy_from_user interface. Fix these issues and cleanup the ioctl
functions to make sure there is no illegal memory access.

CRs-Fixed: 1090482
Change-Id: Ib18e4b132d3487a3103335768aad5df2ebe13f2d
Signed-off-by: default avatarWalter Yang <yandongy@codeaurora.org>
parent 02f0c5a1

sound/soc/msm/msm-cpe-lsm.c

+17 −51
Original line number Diff line number Diff line
@@ -1195,13 +1195,6 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream, 
		dev_dbg(rtd->dev,

			"%s: %s\n",

			__func__, "SNDRV_LSM_REG_SND_MODEL_V2");

		if (!arg) {

			dev_err(rtd->dev,

				"%s: Invalid argument to ioctl %s\n",

				__func__,

				"SNDRV_LSM_REG_SND_MODEL_V2");

			return -EINVAL;

		}



		memcpy(&snd_model, arg,

			sizeof(struct snd_lsm_sound_model_v2));
@@ -1348,13 +1341,6 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream, 
		dev_dbg(rtd->dev,

			"%s: %s\n",

			__func__, "SNDRV_LSM_EVENT_STATUS(_V3)");

		if (!arg) {

			dev_err(rtd->dev,

				"%s: Invalid argument to ioctl %s\n",

				__func__,

				"SNDRV_LSM_EVENT_STATUS(_V3)");

			return -EINVAL;

		}



		/*

		 * Release the api lock before wait to allow
@@ -1486,12 +1472,6 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream, 
		break;



	case SNDRV_LSM_SET_PARAMS:

		if (!arg) {

			dev_err(rtd->dev,

				"%s: %s Invalid argument\n",

				__func__, "SNDRV_LSM_SET_PARAMS");

			return -EINVAL;

		}

		memcpy(&det_params, arg,

			sizeof(det_params));

		if (det_params.num_confidence_levels <= 0) {
@@ -2412,20 +2392,6 @@ done: 
}



#ifdef CONFIG_COMPAT

struct snd_lsm_event_status32 {

	u16 status;

	u16 payload_size;

	u8 payload[0];

};



struct snd_lsm_event_status_v3_32 {

	u32 timestamp_lsw;

	u32 timestamp_msw;

	u16 status;

	u16 payload_size;

	u8 payload[0];

};



struct snd_lsm_sound_model_v2_32 {

	compat_uptr_t data;

	compat_uptr_t confidence_level;
@@ -2457,16 +2423,12 @@ struct snd_lsm_module_params_32 { 
};



enum {

	SNDRV_LSM_EVENT_STATUS32 =

		_IOW('U', 0x02, struct snd_lsm_event_status32),

	SNDRV_LSM_REG_SND_MODEL_V2_32 =

		_IOW('U', 0x07, struct snd_lsm_sound_model_v2_32),

	SNDRV_LSM_SET_PARAMS32 =

		_IOW('U', 0x0A, struct snd_lsm_detection_params_32),

	SNDRV_LSM_SET_MODULE_PARAMS_32 =

		_IOW('U', 0x0B, struct snd_lsm_module_params_32),

	SNDRV_LSM_EVENT_STATUS_V3_32 =

		_IOW('U', 0x0F, struct snd_lsm_event_status_v3_32),

};



static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream,
@@ -2554,7 +2516,7 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				err);

	}

		break;

	case SNDRV_LSM_EVENT_STATUS32: {

	case SNDRV_LSM_EVENT_STATUS: {

		struct snd_lsm_event_status *event_status = NULL;

		struct snd_lsm_event_status u_event_status32;

		struct snd_lsm_event_status *udata_32 = NULL;
@@ -2596,7 +2558,6 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
		} else {

			event_status->payload_size =

				u_event_status32.payload_size;

			cmd = SNDRV_LSM_EVENT_STATUS;

			err = msm_cpe_lsm_ioctl_shared(substream,

						       cmd, event_status);

			if (err)
@@ -2641,10 +2602,10 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
		kfree(udata_32);

	}

		break;

	case SNDRV_LSM_EVENT_STATUS_V3_32: {

	case SNDRV_LSM_EVENT_STATUS_V3: {

		struct snd_lsm_event_status_v3 *event_status = NULL;

		struct snd_lsm_event_status_v3_32 u_event_status32;

		struct snd_lsm_event_status_v3_32 *udata_32 = NULL;

		struct snd_lsm_event_status_v3 u_event_status32;

		struct snd_lsm_event_status_v3 *udata_32 = NULL;

		int u_pld_size = 0;



		dev_dbg(rtd->dev,
@@ -2683,7 +2644,6 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
		} else {

			event_status->payload_size =

				u_event_status32.payload_size;

			cmd = SNDRV_LSM_EVENT_STATUS_V3;

			err = msm_cpe_lsm_ioctl_shared(substream,

						       cmd, event_status);

			if (err)
@@ -2787,13 +2747,6 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			return -EINVAL;

		}



		if (!arg) {

			dev_err(rtd->dev,

				"%s: %s: No Param data to set\n",

				__func__, "SET_MODULE_PARAMS_32");

			return -EINVAL;

		}



		if (copy_from_user(&p_data_32, arg,

				   sizeof(p_data_32))) {

			dev_err(rtd->dev,
@@ -2871,6 +2824,19 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
		kfree(params32);

		break;

	}

	case SNDRV_LSM_REG_SND_MODEL_V2:

	case SNDRV_LSM_SET_PARAMS:

	case SNDRV_LSM_SET_MODULE_PARAMS:

		/*

		 * In ideal cases, the compat_ioctl should never be called

		 * with the above unlocked ioctl commands. Print error

		 * and return error if it does.

		 */

		dev_err(rtd->dev,

			"%s: Invalid cmd for compat_ioctl\n",

			__func__);

		err = -EINVAL;

		break;

	default:

		err = msm_cpe_lsm_ioctl_shared(substream, cmd, arg);

		break;