Merge "ASoC: q6asm: use session lock to avoid use-after-free"

struct audio_session {

	struct audio_client *ac;

	spinlock_t session_lock;

	struct mutex mutex_lock_per_session;

};

/* session id: 0 reserved */

static struct audio_session session[ASM_ACTIVE_STREAMS_ALLOWED + 1];

		if (session[n].ac == ac)

			return n;

	}

	pr_debug("%s: cannot find matching audio client. ac = %pK\n",

		__func__, ac);

	return 0;

}

	pr_debug("%s: sessionid[%d]\n", __func__, ac->session);

	session_id = ac->session;

	mutex_lock(&session[session_id].mutex_lock_per_session);

	rtac_remove_popp_from_adm_devices(ac->session);

	spin_lock_irqsave(&(session[session_id].session_lock), flags);

	session[ac->session].ac = NULL;

	kfree(ac);

	ac = NULL;

	spin_unlock_irqrestore(&(session[session_id].session_lock), flags);

	mutex_unlock(&session[session_id].mutex_lock_per_session);

}

static uint32_t q6asm_get_next_buf(struct audio_client *ac,

	int rc;

	uint32_t sz = 0;

	uint64_t actual_sz = 0;

	int session_id = 0;

	if (!data || !ac) {

		pr_err("%s: %s is NULL\n", __func__,

		goto done;

	}

	session_id = q6asm_get_session_id_from_audio_client(ac);

	if (!session_id) {

		rc = -EINVAL;

		goto done;

	}

	if (data->event_type >= ARRAY_SIZE(adsp_reg_event_opcode)) {

		pr_err("%s: event %u out of boundary of array size of (%lu)\n",

		       __func__, data->event_type,

		goto done;

	}

	mutex_lock(&session[session_id].mutex_lock_per_session);

	if (!q6asm_is_valid_audio_client(ac)) {

		rc = -EINVAL;

		goto fail_send_param;

	}

	q6asm_add_hdr_async(ac, &hdr, sz, TRUE);

	atomic_set(&ac->cmd_state_pp, -1);

	hdr.opcode = adsp_reg_event_opcode[data->event_type];

	rc = 0;

fail_send_param:

	mutex_unlock(&session[session_id].mutex_lock_per_session);

	kfree(asm_params);

done:

	return rc;

	struct asm_stream_cmd_set_pp_params *asm_set_param = NULL;

	int pkt_size = 0;

	int ret = 0;

	int session_id = 0;

	if (ac == NULL) {

		pr_err("%s: Audio Client is NULL\n", __func__);

		return -EINVAL;

	}

	session_id = q6asm_get_session_id_from_audio_client(ac);

	if (!session_id)

		return -EINVAL;

	pkt_size = sizeof(struct asm_stream_cmd_set_pp_params);

	/* Add param size to packet size when sending in-band only */

	if (param_data != NULL)

	if (!asm_set_param)

		return -ENOMEM;

	mutex_lock(&session[session_id].mutex_lock_per_session);

	if (!q6asm_is_valid_audio_client(ac)) {

		ret = -EINVAL;

		goto done;

	}

	if (ac->apr == NULL) {

		pr_err("%s: AC APR handle NULL\n", __func__);

		ret = -EINVAL;

		goto done;

	}

	q6asm_add_hdr_async(ac, &asm_set_param->apr_hdr, pkt_size, TRUE);

	/* With pre-packed data, only the opcode differs from V2 and V3. */

	}

	ret = 0;

done:

	mutex_unlock(&session[session_id].mutex_lock_per_session);

	kfree(asm_set_param);

	return ret;

}

	memset(session, 0, sizeof(struct audio_session) *

		(ASM_ACTIVE_STREAMS_ALLOWED + 1));

	for (lcnt = 0; lcnt <= ASM_ACTIVE_STREAMS_ALLOWED; lcnt++)

	for (lcnt = 0; lcnt <= ASM_ACTIVE_STREAMS_ALLOWED; lcnt++) {

		spin_lock_init(&(session[lcnt].session_lock));

		mutex_init(&(session[lcnt].mutex_lock_per_session));

	}

	set_custom_topology = 1;

	/*setup common client used for cal mem map */