summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVignesh Kulothungan <vigneshk@codeaurora.org>2019-02-28 14:55:05 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>2019-03-26 19:46:09 -0700
commit108157a5513047abcd84b1d2dfc575de05daccd5 (patch)
treed9f916fd1d034f8efc5026267d05d4def82bd0f9
parent90059640cc78a46b8201bc33a6c65361d1ae19de (diff)
msm: asm: validate ADSP data before access
Validate buffer index obtained from ADSP token before using it. CRs-Fixed: 2372302 Change-Id: I5c3b1634bd08b516844638dd67f726a882edfc17 Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>
Diffstat
-rw-r--r--sound/soc/msm/qdsp6v2/q6asm.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
index fc9d2706500b..eb3b42f47974 100644
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
@@ -1962,6 +1962,7 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
data->dest_port);
if ((data->opcode != ASM_DATA_EVENT_RENDERED_EOS) &&
(data->opcode != ASM_DATA_EVENT_EOS) &&
+ (data->opcode != ASM_SESSION_EVENTX_OVERFLOW) &&
(data->opcode != ASM_SESSION_EVENT_RX_UNDERFLOW)) {
if (payload == NULL) {
pr_err("%s: payload is null\n", __func__);
@@ -2177,6 +2178,17 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
}
spin_lock_irqsave(&port->dsp_lock, dsp_flags);
buf_index = asm_token._token.buf_index;
+ if (buf_index < 0 ||
+ buf_index >= port->max_buf_cnt) {
+ pr_debug("%s: Invalid buffer index %u\n",
+ __func__, buf_index);
+ spin_unlock_irqrestore(&port->dsp_lock,
+ dsp_flags);
+ spin_unlock_irqrestore(
+ &(session[session_id].session_lock),
+ flags);
+ return -EINVAL;
+ }
if (data->payload_size >= 2 * sizeof(uint32_t) &&
(lower_32_bits(port->buf[buf_index].phys) !=
payload[0] ||
@@ -2287,6 +2299,16 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
}
spin_lock_irqsave(&port->dsp_lock, dsp_flags);
buf_index = asm_token._token.buf_index;
+ if (buf_index < 0 || buf_index >= port->max_buf_cnt) {
+ pr_debug("%s: Invalid buffer index %u\n",
+ __func__, buf_index);
+ spin_unlock_irqrestore(&port->dsp_lock,
+ dsp_flags);
+ spin_unlock_irqrestore(
+ &(session[session_id].session_lock),
+ flags);
+ return -EINVAL;
+ }
port->buf[buf_index].used = 0;
if (lower_32_bits(port->buf[buf_index].phys) !=
payload[READDONE_IDX_BUFADD_LSW] ||
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-22 09:36:50 +0000