TechPanelGM/kernel_xiaomi_sm8250
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge tag 'LA.UM.9.12.1.r1-09700-SMxx50.QSSI12.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel into android13-4.19-kona

Browse Source 
"LA.UM.9.12.1.r1-09700-SMxx50.QSSI12.0"

* tag 'LA.UM.9.12.1.r1-09700-SMxx50.QSSI12.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel:
  dsp: q6voice: Adds checks for an integer overflow
  asoc: Fix out-of-bound write
  dsp: q6voice: Adds checks for an integer overflow
  dsp: q6lsm: Check size of payload before access
  Fix for OOB access issue
  Audio legacy: Integer overflow in msm_lsm_ioctl_compat during audio playback usecase. size = sizeof(p_info_32) + p_info_32.param_size; This overflow issue may result heap overflow during copying the data: memcpy(param_info_rsp, &p_info_32, sizeof(p_info_32));
  ASoC: Resolve use after free in listen sound client
  dsp: q6lsm: Add check for payload buffer
  ASoC: msm-pcm-voip: Avoid interger underflow
  soc: swr-mstr: Store and compare dev_addr along with dev_num

 Conflicts:
	techpack/audio/asoc/msm-compress-q6-v2.c
	techpack/audio/asoc/msm-pcm-routing-v2.c

Change-Id: I76045565c18bea94657ac7bbb46a49058f108f8d
This commit is contained in:
Michael Bestas
2024-10-10 14:06:25 +03:00
parent 30a1ea9e89 68df146c40
commit bcb290148a
6 changed files with 29 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
techpack/audio/asoc/msm-compress-q6-v2.c
View File

@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
* Copyright (c) 2022, 2024 Qualcomm Innovation Center, Inc. All rights reserved.
*/
@@ -3950,7 +3950,7 @@ static int msm_compr_channel_map_put(struct snd_kcontrol *kcontrol,
pr_debug("%s: fe_id- %llu\n", __func__, fe_id);
if (fe_id >= MSM_FRONTEND_DAI_MM_SIZE) {
if (fe_id >= MSM_FRONTEND_DAI_MAX) {
pr_err("%s Received out of bounds fe_id %llu\n",
__func__, fe_id);
rc = -EINVAL;
@@ -3992,7 +3992,7 @@ static int msm_compr_channel_map_get(struct snd_kcontrol *kcontrol,
int rc = 0, i;
pr_debug("%s: fe_id- %llu\n", __func__, fe_id);
if (fe_id >= MSM_FRONTEND_DAI_MM_SIZE) {
if (fe_id >= MSM_FRONTEND_DAI_MAX) {
pr_err("%s: Received out of bounds fe_id %llu\n",
__func__, fe_id);
rc = -EINVAL;

6
techpack/audio/asoc/msm-pcm-routing-v2.c
View File

@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
* Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
* Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/init.h>
@@ -1656,7 +1656,7 @@ static int msm_pcm_routing_channel_mixer_v2(int fe_id, bool perf_mode,
int j = 0, be_id = 0;
int ret = 0;
if (fe_id >= MSM_FRONTEND_DAI_MM_SIZE) {
if (fe_id >= MSM_FRONTEND_DAI_MAX) {
pr_err("%s: invalid FE %d\n", __func__, fe_id);
return 0;
}
@@ -1723,7 +1723,7 @@ static int msm_pcm_routing_channel_mixer(int fe_id, bool perf_mode,
return ret;
}
if (fe_id >= MSM_FRONTEND_DAI_MM_SIZE) {
if (fe_id >= MSM_FRONTEND_DAI_MAX) {
pr_err("%s: invalid FE %d\n", __func__, fe_id);
return 0;
}

3
techpack/audio/asoc/msm-qti-pp-config.c
View File

@@ -1,5 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
* Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/err.h>
@@ -179,7 +180,7 @@ static int msm_qti_pp_put_dtmf_module_enable
fe_id = ((struct soc_multi_mixer_control *)
kcontrol->private_value)->shift;
if (fe_id >= MSM_FRONTEND_DAI_MM_SIZE) {
if (fe_id >= MSM_FRONTEND_DAI_MAX) {
pr_err("%s: invalid FE %d\n", __func__, fe_id);
return -EINVAL;
}

15
techpack/audio/dsp/q6adm.c
View File

@@ -1593,16 +1593,11 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
if (data->opcode == APR_BASIC_RSP_RESULT) {
pr_debug("%s: APR_BASIC_RSP_RESULT id 0x%x\n",
__func__, payload[0]);
if (!((client_id != ADM_CLIENT_ID_SOURCE_TRACKING) &&
((payload[0] == ADM_CMD_SET_PP_PARAMS_V5) ||
(payload[0] == ADM_CMD_SET_PP_PARAMS_V6)))) {
if (data->payload_size <
(2 * sizeof(uint32_t))) {
pr_err("%s: Invalid payload size %d\n",
__func__, data->payload_size);
return 0;
}
if (data->payload_size <
(2 * sizeof(uint32_t))) {
pr_err("%s: Invalid payload size %d\n",
__func__, data->payload_size);
return 0;
}
if (payload[1] != 0) {

8
techpack/audio/dsp/q6lsm.c
View File

@@ -1,7 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (c) 2013-2020, Linux Foundation. All rights reserved.
* Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
* Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/fs.h>
#include <linux/mutex.h>
@@ -2036,6 +2036,12 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
return 0;
}
if (data->payload_size < (2 * sizeof(uint32_t))) {
pr_err("%s: payload has invalid size[%d]\n", __func__,
data->payload_size);
return -EINVAL;
}
command = payload[0];
retcode = payload[1];
sid = (data->token >> 8) & 0x0F;

12
techpack/audio/dsp/q6voice.c
View File

@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
* Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/slab.h>
#include <linux/kthread.h>
@@ -7917,7 +7918,7 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_READY) {
int ret = 0;
u16 cvs_handle;
uint32_t *cvs_voc_pkt;
uint32_t *cvs_voc_pkt, tot_buf_sz;
struct cvs_enc_buffer_consumed_cmd send_enc_buf_consumed_cmd;
void *apr_cvs;
@@ -7946,9 +7947,14 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_CONSUMED;
cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data;
if (__builtin_add_overflow(cvs_voc_pkt[2], 3 * sizeof(uint32_t), &tot_buf_sz)) {
pr_err("%s: integer overflow detected\n", __func__);
return -EINVAL;
}
if (cvs_voc_pkt != NULL && common.mvs_info.ul_cb != NULL) {
if (v->shmem_info.sh_buf.buf[1].size <
((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) {
if (v->shmem_info.sh_buf.buf[1].size < tot_buf_sz) {
pr_err("%s: invalid voc pkt size\n", __func__);
return -EINVAL;
}