Merge tag 'LA.UM.9.2.c25-03000-SDMxx0.0' of https://git.codelinaro.or…

…g/clo/la/kernel/msm-4.4 into lineage-20.0 "LA.UM.9.2.c25-03000-SDMxx0.0" * tag 'LA.UM.9.2.c25-03000-SDMxx0.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.4: q6lsm: Address use after free for mmap handle msm-pcm-host-voice: Check validity of session idx. Change-Id: I57021e6bb30d6a252ae7a9f3dbdc57e7a93ab8cc Signed-off-by: Nanhumly <[email protected]>
Diva-Room · Sep 7, 2023 · 313bce8 · 313bce8
2 parents 84588d6 + ca9d5a4
commit 313bce8
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c
@@ -743,6 +743,13 @@ void hpcm_notify_evt_processing(uint8_t *data, char *session,
 		return;
 	}
 
+	if (prtd->mixer_conf.sess_indx < VOICE_INDEX ||
+		prtd->mixer_conf.sess_indx >= MAX_SESSION) {
+		pr_err("%s:: Invalid session idx %d\n",
+			__func__, prtd->mixer_conf.sess_indx);
+		return;
+	}
+
 	if (notify_evt->tap_point == VSS_IVPCM_TAP_POINT_TX_DEFAULT) {
 		tp = &prtd->session[prtd->mixer_conf.sess_indx].tx_tap_point;
 		tmd = &prtd->mixer_conf.tx;

diff --git a/sound/soc/msm/qdsp6v2/q6lsm.c b/sound/soc/msm/qdsp6v2/q6lsm.c
@@ -339,6 +339,10 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
 	struct apr_hdr *msg_hdr = (struct apr_hdr *) data;
 
 	pr_debug("%s: enter wait %d\n", __func__, wait);
+	if (mmap_handle_p) {
+		pr_err("%s: Invalid mmap_handle\n", __func__);
+		return -EINVAL;
+	}
 	if (wait)
 		mutex_lock(&lsm_common.apr_lock);
 	if (mmap_p) {
@@ -382,6 +386,7 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
 	if (wait)
 		mutex_unlock(&lsm_common.apr_lock);
 
+	mmap_handle_p = NULL;
 	pr_debug("%s: leave ret %d\n", __func__, ret);
 	return ret;
 }
@@ -1396,7 +1401,8 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
 	case LSM_SESSION_CMDRSP_SHARED_MEM_MAP_REGIONS:
 		if (atomic_read(&client->cmd_state) == CMD_STATE_WAIT_RESP) {
 			spin_lock_irqsave(&mmap_lock, flags);
-			*mmap_handle_p = command;
+			if (mmap_handle_p)
+				*mmap_handle_p = command;
 			/* spin_unlock_irqrestore implies barrier */
 			spin_unlock_irqrestore(&mmap_lock, flags);
 			atomic_set(&client->cmd_state, CMD_STATE_CLEARED);