summaryrefslogtreecommitdiff
path: root/sound/soc/msm
diff options
context:
space:
mode:
Diffstat (limited to 'sound/soc/msm')
-rw-r--r--sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c14
-rw-r--r--sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c12
-rw-r--r--sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c5
-rw-r--r--sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c32
-rw-r--r--sound/soc/msm/qdsp6v2/q6afe.c7
-rw-r--r--sound/soc/msm/qdsp6v2/q6asm.c19
-rw-r--r--sound/soc/msm/qdsp6v2/q6core.c3
-rw-r--r--sound/soc/msm/qdsp6v2/q6lsm.c9
-rw-r--r--sound/soc/msm/qdsp6v2/q6voice.c7
9 files changed, 104 insertions, 4 deletions
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c
index b02ab78684fb..6dc8289ffce1 100644
--- a/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c
@@ -1,4 +1,5 @@
/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -644,6 +645,12 @@ static int hpcm_start_vocpcm(char *pcm_id, struct hpcm_drv *prtd,
}
}
+ if (*no_of_tp != no_of_tp_req && *no_of_tp > 2) {
+ pr_err("%s:: Invalid hpcm start request\n", __func__);
+ memset(&prtd->start_cmd, 0, sizeof(struct start_cmd));
+ return -EINVAL;
+ }
+
if ((prtd->mixer_conf.tx.enable || prtd->mixer_conf.rx.enable) &&
*no_of_tp == no_of_tp_req) {
voc_send_cvp_start_vocpcm(voc_get_session_id(sess_name),
@@ -743,6 +750,13 @@ void hpcm_notify_evt_processing(uint8_t *data, char *session,
return;
}
+ if (prtd->mixer_conf.sess_indx < VOICE_INDEX ||
+ prtd->mixer_conf.sess_indx >= MAX_SESSION) {
+ pr_err("%s:: Invalid session idx %d\n",
+ __func__, prtd->mixer_conf.sess_indx);
+ return;
+ }
+
if (notify_evt->tap_point == VSS_IVPCM_TAP_POINT_TX_DEFAULT) {
tp = &prtd->session[prtd->mixer_conf.sess_indx].tx_tap_point;
tmd = &prtd->mixer_conf.tx;
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
index 5f4225e675ad..bf2620c999b1 100644
--- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
@@ -1,5 +1,5 @@
-/* Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+/* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1004,6 +1004,14 @@ static int msm_pcm_capture_copy(struct snd_pcm_substream *substream,
goto fail;
}
+ if ((size == 0 || size < prtd->pcm_count) && ((offset + size) < prtd->pcm_count)) {
+ memset(bufptr + offset + size, 0, prtd->pcm_count - size);
+ if (fbytes > prtd->pcm_count)
+ size = xfer = prtd->pcm_count;
+ else
+ size = xfer = fbytes;
+ }
+
if (copy_to_user(buf, bufptr+offset, xfer)) {
pr_err("Failed to copy buf to user\n");
ret = -EFAULT;
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
index 27f90c270e13..96c59cad19c3 100644
--- a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
@@ -2072,6 +2072,11 @@ static void msm_pcm_routing_process_voice(u16 reg, u16 val, int set)
session_id = msm_pcm_routing_get_voc_sessionid(val);
+ if (!session_id) {
+ pr_err("%s: Invalid session_id %x\n", __func__, session_id);
+ return;
+ }
+
pr_debug("%s: FE DAI 0x%x session_id 0x%x\n",
__func__, val, session_id);
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
index b2387a746f61..38aaa6cb8d30 100644
--- a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
@@ -1,5 +1,6 @@
/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
*
+ * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
* only version 2 as published by the Free Software Foundation.
@@ -371,6 +372,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt,
switch (prtd->mode) {
case MODE_AMR_WB:
case MODE_AMR: {
+ if (pkt_len <= DSP_FRAME_HDR_LEN) {
+ pr_err("%s: pkt_len %d is < required len\n",
+ __func__, pkt_len);
+ spin_unlock_irqrestore(&prtd->dsp_ul_lock,
+ dsp_flags);
+ return;
+ }
/* Remove the DSP frame info header. Header format:
* Bits 0-3: Frame rate
* Bits 4-7: Frame type
@@ -391,6 +399,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt,
case MODE_4GV_NB:
case MODE_4GV_WB:
case MODE_4GV_NW: {
+ if (pkt_len <= DSP_FRAME_HDR_LEN) {
+ pr_err("%s: pkt_len %d is < required len\n",
+ __func__, pkt_len);
+ spin_unlock_irqrestore(&prtd->dsp_ul_lock,
+ dsp_flags);
+ return;
+ }
/* Remove the DSP frame info header.
* Header format:
* Bits 0-3: frame rate
@@ -428,6 +443,14 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt,
buf_node->frame.frm_hdr.timestamp = timestamp;
voc_pkt = voc_pkt + DSP_FRAME_HDR_LEN;
+ if (pkt_len <= 2 * DSP_FRAME_HDR_LEN) {
+ pr_err("%s: pkt_len %d is < required len\n",
+ __func__, pkt_len);
+ spin_unlock_irqrestore(&prtd->dsp_ul_lock,
+ dsp_flags);
+ return;
+ }
+
/* There are two frames in the buffer. Length of the
* first frame:
*/
@@ -463,6 +486,15 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt,
buf_node->frame.frm_hdr.timestamp = timestamp;
voc_pkt = voc_pkt + DSP_FRAME_HDR_LEN;
+ if (pkt_len <= 2 * DSP_FRAME_HDR_LEN) {
+ pr_err(
+ "%s: pkt_len %d is < required len\n",
+ __func__, pkt_len);
+ spin_unlock_irqrestore(
+ &prtd->dsp_ul_lock,
+ dsp_flags);
+ return;
+ }
/* There are two frames in the buffer. Length
* of the second frame:
*/
diff --git a/sound/soc/msm/qdsp6v2/q6afe.c b/sound/soc/msm/qdsp6v2/q6afe.c
index 610604fcfe15..21370dbadb5b 100644
--- a/sound/soc/msm/qdsp6v2/q6afe.c
+++ b/sound/soc/msm/qdsp6v2/q6afe.c
@@ -5475,6 +5475,13 @@ static int afe_sidetone_iir(u16 tx_port_id)
pr_debug("%s: adding 2 to size:%d\n", __func__, size);
size = size + 2;
}
+
+ if (size > MAX_SIDETONE_IIR_DATA_SIZE) {
+ pr_err("%s: iir_config size is out of bounds:%d\n", __func__, size);
+ mutex_unlock(&this_afe.cal_data[cal_index]->lock);
+ ret = -EINVAL;
+ goto done;
+ }
memcpy(&filter_data.iir_config, &st_iir_cal_info->iir_config, size);
mutex_unlock(&this_afe.cal_data[cal_index]->lock);
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
index 2f8c1e80ce32..70ae79f5f6d1 100644
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
* Author: Brian Swetland <swetland@google.com>
*
* This software is licensed under the terms of the GNU General Public
@@ -11,6 +12,7 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
+ * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/fs.h>
#include <linux/mutex.h>
@@ -2274,6 +2276,15 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
config_debug_fs_read_cb();
+ if (data->payload_size != (READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t)) {
+ pr_err("%s: payload size of %d is less than expected size\n",
+ __func__, data->payload_size);
+ spin_unlock_irqrestore(
+ &(session[session_id].session_lock),
+ flags);
+ return -EINVAL;
+ }
+
dev_vdbg(ac->dev, "%s: ReadDone: status=%d buff_add=0x%x act_size=%d offset=%d\n",
__func__, payload[READDONE_IDX_STATUS],
payload[READDONE_IDX_BUFADD_LSW],
@@ -2380,6 +2391,14 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
__func__, data->payload_size);
break;
case ASM_SESSION_CMDRSP_GET_MTMX_STRTR_PARAMS_V2:
+ payload_size = sizeof(struct asm_mtmx_strtr_get_params_cmdrsp);
+ if (data->payload_size < payload_size) {
+ pr_err("%s: insufficient payload size = %d\n",
+ __func__, data->payload_size);
+ spin_unlock_irqrestore(
+ &(session[session_id].session_lock), flags);
+ return -EINVAL;
+ }
q6asm_process_mtmx_get_param_rsp(ac, (void *) payload);
break;
case ASM_STREAM_PP_EVENT:
diff --git a/sound/soc/msm/qdsp6v2/q6core.c b/sound/soc/msm/qdsp6v2/q6core.c
index 417c5d0a12d1..8e1cb3a8b43b 100644
--- a/sound/soc/msm/qdsp6v2/q6core.c
+++ b/sound/soc/msm/qdsp6v2/q6core.c
@@ -1,4 +1,5 @@
/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -87,7 +88,7 @@ static struct generic_get_data_ *generic_get_data;
static int parse_fwk_version_info(uint32_t *payload, uint16_t payload_size)
{
size_t ver_size;
- int num_services;
+ uint16_t num_services;
pr_debug("%s: Payload info num services %d\n",
__func__, payload[4]);
diff --git a/sound/soc/msm/qdsp6v2/q6lsm.c b/sound/soc/msm/qdsp6v2/q6lsm.c
index 90822aada3b6..807a4df9a2ba 100644
--- a/sound/soc/msm/qdsp6v2/q6lsm.c
+++ b/sound/soc/msm/qdsp6v2/q6lsm.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2013-2020, Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -338,6 +339,10 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
struct apr_hdr *msg_hdr = (struct apr_hdr *) data;
pr_debug("%s: enter wait %d\n", __func__, wait);
+ if (mmap_handle_p) {
+ pr_err("%s: Invalid mmap_handle\n", __func__);
+ return -EINVAL;
+ }
if (wait)
mutex_lock(&lsm_common.apr_lock);
if (mmap_p) {
@@ -381,6 +386,7 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
if (wait)
mutex_unlock(&lsm_common.apr_lock);
+ mmap_handle_p = NULL;
pr_debug("%s: leave ret %d\n", __func__, ret);
return ret;
}
@@ -1395,7 +1401,8 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
case LSM_SESSION_CMDRSP_SHARED_MEM_MAP_REGIONS:
if (atomic_read(&client->cmd_state) == CMD_STATE_WAIT_RESP) {
spin_lock_irqsave(&mmap_lock, flags);
- *mmap_handle_p = command;
+ if (mmap_handle_p)
+ *mmap_handle_p = command;
/* spin_unlock_irqrestore implies barrier */
spin_unlock_irqrestore(&mmap_lock, flags);
atomic_set(&client->cmd_state, CMD_STATE_CLEARED);
diff --git a/sound/soc/msm/qdsp6v2/q6voice.c b/sound/soc/msm/qdsp6v2/q6voice.c
index e437a1c7985f..996567ff3a0e 100644
--- a/sound/soc/msm/qdsp6v2/q6voice.c
+++ b/sound/soc/msm/qdsp6v2/q6voice.c
@@ -2545,6 +2545,13 @@ static int voice_send_cvs_register_cal_cmd(struct voice_data *v)
goto unlock;
}
+ if (col_data->cal_data.size > MAX_COL_INFO_SIZE) {
+ pr_err("%s: Invalid cal data size %zu!\n",
+ __func__, col_data->cal_data.size);
+ ret = -EINVAL;
+ goto unlock;
+ }
+
memcpy(&cvs_reg_cal_cmd.cvs_cal_data.column_info[0],
(void *) &((struct audio_cal_info_voc_col *)
col_data->cal_info)->data,
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-21 23:45:42 +0000