summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLinux Build Service Account <lnxbuild@localhost>2018-06-03 19:10:46 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2018-06-03 19:10:45 -0700
commit3c78eaa8124c0aa8a1872becc113c904453b5067 (patch)
tree50dd9428c48a7df2ce5b50e99377c89b6bfb7a61
parentfd95dadf54bf08e910a4cad0bbce8d25e8813429 (diff)
parent49662914af86d4b7ef721a87c07f1dbff8c96387 (diff)
Merge "soc: msm: add size check to fix out of bounds on ANC"
-rw-r--r--drivers/soc/qcom/qdsp6v2/audio_anc.c20
-rw-r--r--include/uapi/linux/msm_audio_anc.h7
2 files changed, 19 insertions, 8 deletions
diff --git a/drivers/soc/qcom/qdsp6v2/audio_anc.c b/drivers/soc/qcom/qdsp6v2/audio_anc.c
index e0abd2b58027..65c585886453 100644
--- a/drivers/soc/qcom/qdsp6v2/audio_anc.c
+++ b/drivers/soc/qcom/qdsp6v2/audio_anc.c
@@ -53,6 +53,9 @@ static size_t get_user_anc_cmd_size(int32_t anc_cmd)
case ANC_CMD_ALGO_MODULE:
size = sizeof(struct audio_anc_algo_module_info);
break;
+ case ANC_CMD_ALGO_CALIBRATION:
+ size = sizeof(struct audio_anc_algo_calibration_info);
+ break;
default:
pr_err("%s:Invalid anc cmd %d!",
__func__, anc_cmd);
@@ -77,6 +80,7 @@ static int call_set_anc(int32_t anc_cmd,
case ANC_CMD_RPM:
case ANC_CMD_BYPASS_MODE:
case ANC_CMD_ALGO_MODULE:
+ case ANC_CMD_ALGO_CALIBRATION:
ret = msm_anc_dev_set_info(data, anc_cmd);
break;
default:
@@ -176,6 +180,12 @@ static long audio_anc_shared_ioctl(struct file *file, unsigned int cmd,
sizeof(union audio_anc_data));
ret = -EINVAL;
goto done;
+ } else if ((data->hdr.anc_cmd_size + sizeof(data->hdr)) > size) {
+ pr_err("%s: anc_cmd size %d + anc cmd hdr size %zd is is greater than user buffer siz %d!\n",
+ __func__, data->hdr.anc_cmd_size, sizeof(data->hdr),
+ size);
+ ret = -EFAULT;
+ goto done;
}
switch (cmd) {
@@ -194,15 +204,9 @@ static long audio_anc_shared_ioctl(struct file *file, unsigned int cmd,
goto done;
if (data == NULL)
goto done;
- if ((sizeof(data->hdr) + data->hdr.anc_cmd_size) > size) {
- pr_err("%s: header size %zd plus ype size %d larger than data buffer size %d\n",
- __func__, sizeof(data->hdr),
- data->hdr.anc_cmd_size, size);
- ret = -EFAULT;
- goto done;
- } else if (copy_to_user((void *)arg, data,
+ if (copy_to_user(arg, data,
sizeof(data->hdr) + data->hdr.anc_cmd_size)) {
- pr_err("%s: Could not copy cal type to user\n",
+ pr_err("%s: Could not copy anc data to user\n",
__func__);
ret = -EFAULT;
goto done;
diff --git a/include/uapi/linux/msm_audio_anc.h b/include/uapi/linux/msm_audio_anc.h
index 028d381bc1a6..d628f7ce9267 100644
--- a/include/uapi/linux/msm_audio_anc.h
+++ b/include/uapi/linux/msm_audio_anc.h
@@ -16,6 +16,7 @@
#define ANC_CMD_RPM 2
#define ANC_CMD_BYPASS_MODE 3
#define ANC_CMD_ALGO_MODULE 4
+#define ANC_CMD_ALGO_CALIBRATION 5
/* room for ANC_CMD define extend */
#define ANC_CMD_MAX 0xFF
@@ -39,10 +40,16 @@ struct audio_anc_algo_module_info {
int32_t module_id;
};
+struct audio_anc_algo_calibration_info {
+ int32_t payload_size;
+ /* num bytes of payload specificed in payload_size followed */
+};
+
union audio_anc_data {
struct audio_anc_rpm_info rpm_info;
struct audio_anc_bypass_mode bypass_mode_info;
struct audio_anc_algo_module_info algo_info;
+ struct audio_anc_algo_calibration_info algo_cali_info;
};
struct audio_anc_packet {