The range checking between "WCD_CPE_IMAGE_FNAME_MAX" and
"copy_count" is off-by-one because the size of array
"core->dyn_fname" is "WCD_CPE_IMAGE_FNAME_MAX". Subtract
one from the range checking to fix this issue.
Change-Id: I87fd55206f79ad7b13c3878f6642bf5579303b17
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>
In the ioctl function, driver allocates memory to store data
internally before calling copy_to_user to copy data to user-space.
It is possible that kernel internal information can be leaked to
user space through this if the allocated memory is not completely
overwritten with valid data. Use kzalloc to fix this.
CRs-fixed: 2026045
Change-Id: I754ae2157034a135aaca4a15badf10d2567b7ed6
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
Set address to NULL on error to ensure a stale address is not used.
CRs-Fixed: 2038685
Signed-off-by: Siena Richard <sienar@codeaurora.org>
Change-Id: I17e7b7b404625d21721b2466e70fa8be2370b517
* Due to gts210vewifi being unable to register sound
card reliably this method doesn't always work.
Change-Id: Id965d0c653a5318d90fcfe4a3ad4eb2c936213c2
Eagle driver is not in use any more.
Remove the code and associated calls
to it.
CRs-Fixed: 1103106
Change-Id: Ice5333861beda9538f0783b70b3267523d16fd2b
Signed-off-by: Alexy Joseph <alexyj@codeaurora.org>
Pointer after kfree is not sanitized.
Set pointer to NULL.
CRs-Fixed: 2008031
Change-Id: Ia59a57fcd142a6ed18d168992b8da4019314afa4
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Add out of bounds check in routing put functions
for the mux value before accessing the texts
pointer of soc_enum struct with mux as index.
CRs-fixed: 1097569
Change-Id: Ib9ef8d398f0765754b0f79666963fac043b66077
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
Add backend user count checking to protect the index
boundary.
Change-Id: Ic1b61d1f7130252cc54da0b16553858714988dbd
CRs-Fixed: 2009216
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
If two ioctls are triggered with different commands,
there is a possibility to access freed confidence level
memory. To resolve this acquire lock in ioctl.
Also release mutex lock properly in error cases.
CRs-Fixed: 1103085
Change-Id: I7d6b2eff21c8297e5f0755a0c141254be32f777d
Signed-off-by: Yeleswarapu Nagaradhesh <nagaradh@codeaurora.org>
Allow to set volume in ASM for the loopback driver. Without the
get() function the corresponding volume mixer control is
failing to set volume.
CRs-Fixed: 1034862
Change-Id: I621dd9de3a8d4a0f4102227989e1dd17638c20ea
Signed-off-by: Surendar karka <sukark@codeaurora.org>
Completely deallocate the cal block if creation fails to ensure no
memory leaks are present.
CRs-Fixed: 1112751
Change-Id: I76916c8b3f7e8e9b864dc39dab96f7d330774473
Signed-off-by: Siena Richard <sienar@codeaurora.org>
A conditional branch is skipped due to incorrect string comparison.
It is fixed by using "strcmp" to perform string comparison.
CRs-fixed: 1085889
Change-Id: I12be44ac272fc5079230feb6ae24c68ccde99cf2
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
In case of memory allocation failure, _vol_cmd_cnt is not reset.
In _volume_cmds_free, null pointer dereference would happen for
_vol_cmds[i].
To prevent it, reset _vol_cmd_cnt when memory allocation fails.
CRs-Fixed: 1089598
Change-Id: Icb998549cdb999c6db2fd52aef505f200e630da5
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Some of the ioctl command handling is not properly using the
copy_from_user interface. Fix these issues and cleanup the ioctl
functions to make sure there is no illegal memory access.
CRs-Fixed: 1090482
Change-Id: Ib18e4b132d3487a3103335768aad5df2ebe13f2d
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
Add overflow check for param length to prevent
heap overflow while allocating memory for
ADM parameters.
CRs-Fixed: 1103334
Change-Id: I1163aeaabbc84dba4cd0739a35ecbdee18b42717
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
A copy_from_user is not always expected to succeed. Therefore, check
for an error before operating on the buffer post copy.
Change-Id: Ibba9a47c84e735d30e32eeac5b80d51044b7a9e8
CRs-Fixed: 1094852
Signed-off-by: Siena Richard <sienar@codeaurora.org>
To avoid buffer overflow, validate input length used to
set Dolby params.
Change-Id: I3f9d6040f118f63b60c20c83b0d8cae638f4a530
CRs-Fixed: 1095947
Signed-off-by: Sharad Sangle <assangle@codeaurora.org>
Range checking is added to prevent buffer overflow due to inputs
that can be set by user space.
CRs-Fixed: 1098363
Change-Id: I057261291806240ee6d7b8106a5e83a7665e013d
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>
Add restriction in msm_dolby_dap_param_to_get_control_get
to avoid reading buffer data with index over buffer size.
Change-Id: I2bd443d4db1a272d20341fbb5b15891a8acf0bc8
CRs-Fixed: 1096076
Signed-off-by: Yidong Huang <yidongh@codeaurora.org>
The heap buffers pointed to by out_buffer and in_buffer are allocated
but uninitialized. It may cause information leak.
Change to kzalloc instead of kmalloc when allocating kernel buffers
to avoid information leak.
CRs-Fixed: 1087020
Change-Id: I6f9b7a630158355a7f920dcf9cfffe537b1c6a85
Signed-off-by: Meng Wang <mwang@codeaurora.org>
Overflow check is added for sound model size to prevent
heap overflow while allocating memory for sound model data.
CRs-Fixed: 1100682
Change-Id: Id38523a5e79028c692670e84d5fe924a855a5a10
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
Return an error code to ensure the length value is valid.
CRs-fixed: 1102987
Change-Id: I6a679d08342d1da58c20b5c3d4e436dd335764ae
Signed-off-by: kunleiz <kunleiz@codeaurora.org>
The size of the physical memory allocated for ION buffers
is of type size_t. Change updates the type of variables
sent to ION drivers to size_t to avoid any mismatch.
Change-Id: I3d33ed922b979652c64027e6f1c6f0a8ed4850a3
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
In case of large value for bufcnt_t or bufcnt,
cmd_size may overflow. Buffer size allocated by cmd_size might
not be as expected.
Possible buffer overflow could happen.
CRs-Fixed: 1084210
Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
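
The size wraparound described in the cmd_size message above, and guarded against by the param-length and sound-model-size overflow checks earlier in this log, shown as an added example that is not code from these commits. HDR_SIZE, ENTRY_SIZE, the function names and the input value are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE   32u   /* hypothetical fixed command header, in bytes */
#define ENTRY_SIZE 12u   /* hypothetical per-buffer descriptor, in bytes */

/* Unchecked form: 32-bit arithmetic wraps for a large bufcnt, so the
 * size handed to the allocator can be far smaller than what is written. */
static uint32_t cmd_size_unchecked(uint32_t bufcnt)
{
    return HDR_SIZE + bufcnt * ENTRY_SIZE;
}

/* Checked form: refuse any bufcnt whose total does not fit in 32 bits.
 * Returns 0 and stores the size, or -1 when the sum would overflow. */
static int cmd_size_checked(uint32_t bufcnt, uint32_t *out)
{
    if (bufcnt > (UINT32_MAX - HDR_SIZE) / ENTRY_SIZE)
        return -1;
    *out = HDR_SIZE + bufcnt * ENTRY_SIZE;
    return 0;
}

/* True requirement for bufcnt descriptors, computed in 64 bits. */
static uint64_t bytes_needed(uint32_t bufcnt)
{
    return (uint64_t)HDR_SIZE + (uint64_t)bufcnt * ENTRY_SIZE;
}

int main(void)
{
    uint32_t bufcnt = 0x15555556u; /* constructed: 12 * bufcnt = 2^32 + 8 */
    uint32_t size = 0;

    printf("allocated (unchecked): %u bytes\n", cmd_size_unchecked(bufcnt));
    printf("actually needed:       %llu bytes\n",
           (unsigned long long)bytes_needed(bufcnt));
    printf("checked result:        %d\n", cmd_size_checked(bufcnt, &size));
    return 0;
}
```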
When variable bufsz equals 0, there would be an infinite loop
at q6asm_audio_client_buf_alloc.
Fix the potential bug by checking bufsz beforehand.
CRs-Fixed: 1072280
Change-Id: I9640112b8945dc603e3af55fc1096bea9f7e6634
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Some of the ioctl command handling is not properly using the
copy_from_user interface. Fix these issues and cleanup the ioctl
functions to make sure there is no illegal memory access.
CRs-Fixed: 1087469
Change-Id: Ieb1beb92e7854a05b8045de0ce179d12c9a6da74
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
Add check in tasha_mad_input_put function to
return error on out of bounds access using
mad input value.
CRs-fixed: 1096799
Change-Id: Iddaa3fef362f7cb1919aa3bd8dd4b83133fe7c97
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
Add check in tomtom_mad_input_put function to
return error on out of bounds access using
mad input value.
CRs-fixed: 1096799
Change-Id: Ied86bf88301e555b25eaa190d2d786cdad691ccd
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
Add check in taiko_mad_input_put function to
return error on out of bounds access using
mad input value
CRs-fixed: 1096799
Change-Id: I75ce9e881cf05a50e874a555b2f8bd3286cdaed4
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
Update machine driver AFE API calls compatible
with adsp version AVS 2.6 and AVS 2.7
Update of mclk flag in suspend call.
Change-Id: Id0b300bcf585895cc659a1882710d825d0e7a808
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
Signed-off-by: Divya Narayanan Poojary <dnaray@codeaurora.org>
In Q6 asm and afe drivers, add API support
for AVS 2.7. Update compress driver to use
ASM volume gain compatible to version used
Change-Id: I152a3410c99cfa37dca0eadb30b97f121f5d0a89
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
Signed-off-by: Divya Narayanan Poojary <dnaray@codeaurora.org>
Q6 core service provides API to query ADSP
version. Update the apr with get()/set()
to use this adsp version by platform/machine drivers
Change-Id: Icf480991b4b7847cd872ab7286ed1132facff0a4
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
Signed-off-by: Divya Narayanan Poojary <dnaray@codeaurora.org>
Timeout error is observed while waiting for
ADM_CMD_SET_PP_PARAMS_V5 command's response.
Fix the condition logic in wait_event_timeout()
to match the value set in adm_callback() when
response to ADM_CMD_SET_PP_PARAMS_V5 is received.
CRs-Fixed: 1030674
Change-Id: I711c860dc3de479eec0d22369d19615aef572ea1
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
Validation of the codec variable passed to the snd_soc_read
and snd_soc_write functions is missing and can lead to DoS
as referred in CVE-2016-6690
Bug:28838221
Change-Id: I5020f77e252bade5e97efb592afb71fe1b18d952
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
Removed 20ms delay in RX chain PMD as it is not required.
This improves device switch and tear down latency.
CRs-Fixed: 1070432
Change-Id: Id6996dff163f390a662f628da710d8bb238f7fca
Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
Before accessing io mapped address, check if
qdsp6 is ready to avoid data abort issue.
Change-Id: Ia65875cd1087520befa0d12f928dc3fd1478031a
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
Set token value with port index and copp id so that
correct wait queue handle can be deduced in the
callback of adm_set_stereo_to_custom_stereo command.
Change-Id: Ica4c1442c1143f46de2baa6eaf1890ad0cb4b742
Signed-off-by: Shiv Maliyappanahalli <smaliyap@codeaurora.org>
The params array is used without initialization, which may cause
security issues. Initialize it as all zero after the definition.
CRs-Fixed: 1062271
Change-Id: If462fe3d82f139d72547f82dc7eb564f83cb35bf
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
Change all audio drivers to use %pK instead
of %p. %pK hides addresses when the user doesn't
have kernel permissions. If address information
is needed echo 0 > /proc/sys/kernel/kptr_restrict.
CRs-Fixed: 1052832
Change-Id: I9ff5cf06b019c566973eb609bf5d37969b98d31d
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Change cpe driver to use %pK instead of %p.
%pK hides addresses when the user doesn't
have kernel permissions. If address information
is needed echo 0 > /proc/sys/kernel/kptr_restrict.
CRs-Fixed: 1052832
Change-Id: I741d9e5c5b415011348e862c3f1ee4fe28c3969f
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Initialize param length with user space argument and
check the condition for maximum length in
SND_AUDIOCODEC_EAC3 format.
CRs-Fixed: 1032820
Change-Id: I710c1f743d7502e93989e8cc487078366570e723
Signed-off-by: Surendar karka <sukark@codeaurora.org>
Schmitt trigger result is wrong if PA is enabled.
So, don't check for cross connection when PA is enabled.
CRs-Fixed: 1061507
Change-Id: Iad71abbed72aa40b5c839260f5c297a885f7d128
Signed-off-by: Yeleswarapu Nagaradhesh <nagaradh@codeaurora.org>
Cross connection sometimes gets detected late. The issue faced is
cable is reported as headset initially, cross connection is
detected later. But before confirming cross connection, playback
starts on headset, so checking for cross connection is not
confirmed. Cable remains reported as headset. So check for cross
connection just before reporting headset.
CRs-Fixed: 1028002
Change-Id: Ida4f277f13c9a193cd7c92063b99bcf1104f107e
Signed-off-by: Divya Ojha <dojha@codeaurora.org>
The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.
CRs-Fixed: 1064411
Change-Id: I54c28a8942cf1a6a47a4e8272f3159b35d753ead
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
dummy_codec is not initialized before use, which
could cause kernel panic. Initialize dummy_codec before use.
Change-Id: Iedf7a3accbd14138ab7ed9e4e36a98fd7ca9a839
Signed-off-by: Meng Wang <mwang@codeaurora.org>
In lsm-related driver files, some pointers are not set as NULL
after the memory is freed, which will leave many dangling pointers.
Set them to NULL explicitly to avoid potential risk.
CRs-Fixed: 880388
Change-Id: I44925240705608510266a51225cc02611637c571
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
After SSR, observe tones heard with high volume.
compander and hph_mode mixer controls are reset
in post reset callback which will not be in
sync with userspace settings. Avoid reset of
compander and hph_mode controls in post reset
callback.
CRs-Fixed: 1010471
Change-Id: Iacb3e27a35027037613e82e483b10b635d492a75
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
Non DAP modules are disabled when DAP is enabled, and when DAP
is disabled they are supposed to move to a state as set in the
calibration data. Modules which don't have an explicit enable param
remain disabled even when DAP is disabled. Hence send an explicit
enable command to DSP for all modules followed by the
calibration data, this ensures correct state of all modules.
Change-Id: I6f8873bb11d96a20f6401eba5fe2979b6a14e11e
CRs-Fixed: 1049611
Signed-off-by: Ashish Jain <ashishj@codeaurora.org>
Add support for standalone enablement of ldo_h
in wcd9335 hardware. This is required to enable
certain audio TX use-cases.
CRs-fixed: 1032443
Change-Id: Iea068907241b42846d95d8e62e59409cdd29ca42
Signed-off-by: Phani Kumar Uppalapati <phaniu@codeaurora.org>
Signed-off-by: SoumyaManagoli <smanag@codeaurora.org>
A big negative data length value can bypass the current check,
update the condition to ensure that only valid data length is used
to copy the params.
CRs-Fixed: 1041130
Change-Id: I6e1a58e901e4c042acfb0ab0a6223dec2949aefe
Signed-off-by: Ashish Jain <ashishj@codeaurora.org>
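
The signed-length bypass described in the message above, shown as an added example that is not code from this commit. PARAM_MAX, struct params and the function names are hypothetical; the weak check stands for an upper-bound-only test on a signed length.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 64   /* hypothetical size of the kernel-side buffer */

/* Constructed stand-in for a driver parameter block. */
struct params { unsigned char data[PARAM_MAX]; };

/* Weak form: only the upper bound is tested and the comparison is signed,
 * so every negative length is below PARAM_MAX and passes. */
static int check_len_weak(int len)
{
    return (len > PARAM_MAX) ? -1 : 0;
}

/* Hardened form: reject negative values before the upper-bound test. */
static int check_len_strict(int len)
{
    return (len < 0 || len > PARAM_MAX) ? -1 : 0;
}

/* What a copy routine receives once the int is converted to size_t. */
static size_t as_copy_size(int len)
{
    return (size_t)len;
}

/* Copy only after the strict check; returns bytes copied or -1. */
static int set_params(struct params *p, const void *src, int len)
{
    if (check_len_strict(len) != 0)
        return -1;
    memcpy(p->data, src, (size_t)len);
    return len;
}

int main(void)
{
    int len = INT_MIN;   /* constructed "big negative" length */

    printf("weak check:   %d\n", check_len_weak(len));
    printf("strict check: %d\n", check_len_strict(len));
    printf("copy size if accepted: %zu\n", as_copy_size(len));
    return 0;
}
```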
For the audio get calibration ioctl compare the allocated
buffer size to the size of the header and cal type header
to ensure the buffer is big enough.
CRs-Fixed: 1038127
Change-Id: I851b4454e8420706ad3263d67e892720d46e5718
Signed-off-by: Ben Romberger <bromberg@codeaurora.org>
Supported sample rates list in tash_mad1 DAI is not matching with
the given minimum and maximum sample rates
Added additional supported sample rates
Change-Id: Ia44f8dc2f6ab4c59fae7de6d9cebe073bed3ed31
Signed-off-by: Pavan Chikkala <pavanc@codeaurora.org>