Merge "dsp: asm: validate ADSP data size before access"

/*

 * Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.

 * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.

 * Author: Brian Swetland <swetland@google.com>

 *

 * This software is licensed under the terms of the GNU General Public

		data->dest_port);

	if ((data->opcode != ASM_DATA_EVENT_RENDERED_EOS) &&

	    (data->opcode != ASM_DATA_EVENT_EOS) &&

	    (data->opcode != ASM_SESSION_EVENTX_OVERFLOW) &&

	    (data->opcode != ASM_SESSION_EVENT_RX_UNDERFLOW)) {

		if (payload == NULL) {

			pr_err("%s: payload is null\n", __func__);

		if (payload == NULL || (data->payload_size < (2 * sizeof(uint32_t)))) {

			pr_err("%s: payload is null or invalid size[%d]\n", __func__, data->payload_size);

			spin_unlock_irqrestore(

				&(session[session_id].session_lock), flags);

			return -EINVAL;

			}

			spin_lock_irqsave(&port->dsp_lock, dsp_flags);

			buf_index = asm_token._token.buf_index;

			if (buf_index < 0 || buf_index >= port->max_buf_cnt) {

				pr_debug("%s: Invalid buffer index %u\n",

				__func__, buf_index);

				spin_unlock_irqrestore(&port->dsp_lock,

								dsp_flags);

				spin_unlock_irqrestore(

					&(session[session_id].session_lock),

					flags);

				return -EINVAL;

			}

			if (lower_32_bits(port->buf[buf_index].phys) !=

			payload[0] ||

			msm_audio_populate_upper_32_bits(

			}

			spin_lock_irqsave(&port->dsp_lock, dsp_flags);

			buf_index = asm_token._token.buf_index;

			if (buf_index < 0 || buf_index >= port->max_buf_cnt) {

				pr_debug("%s: Invalid buffer index %u\n",

				__func__, buf_index);

				spin_unlock_irqrestore(&port->dsp_lock,

								dsp_flags);

				spin_unlock_irqrestore(

					&(session[session_id].session_lock),

					flags);

				return -EINVAL;

			}

			port->buf[buf_index].used = 0;

			if (lower_32_bits(port->buf[buf_index].phys) !=

			payload[READDONE_IDX_BUFADD_LSW] ||