diff options
author | Nick Desaulniers <ndesaulniers@google.com> | 2017-04-10 16:50:53 -0700 |
---|---|---|
committer | Nick Desaulniers <ndesaulniers@google.com> | 2017-04-10 16:50:53 -0700 |
commit | 932ac95a6be2fd44fd360cea9fdfb8f3d42f4769 (patch) | |
tree | 07a41dedb62df30a09dab59c82ddd10b166f8066 | |
parent | 368902fb3e3743b676f56772364fd05de069c6fd (diff) | |
parent | 6e0f6edff18a63d2558d1769151ce221bffa6229 (diff) |
Merge branch msm-lge/android-msm-bullhead-3.10-nyc-mr2-security-next into android-msm-bullhead-3.10-nyc-mr2android-7.1.2_r0.14
June 2017.1
Bug: 37156499
-rw-r--r-- | drivers/input/touchscreen/synaptics_i2c_rmi4.c | 23 | ||||
-rw-r--r-- | drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 2 | ||||
-rw-r--r-- | drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 7 | ||||
-rw-r--r-- | drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c | 38 | ||||
-rw-r--r-- | drivers/misc/qseecom.c | 4 | ||||
-rw-r--r-- | drivers/platform/msm/ipa/ipa_intf.c | 24 | ||||
-rw-r--r-- | drivers/soc/qcom/qdsp6v2/voice_svc.c | 57 | ||||
-rw-r--r-- | drivers/staging/qcacld-2.0/CORE/SME/src/oemData/oemDataApi.c | 4 | ||||
-rw-r--r-- | drivers/video/msm/mdss/mdss_fb.c | 6 | ||||
-rw-r--r-- | drivers/video/msm/mdss/mdss_mdp_overlay.c | 19 | ||||
-rw-r--r-- | include/media/msmb_pproc.h | 3 | ||||
-rw-r--r-- | sound/soc/msm/qdsp6v2/msm-lsm-client.c | 94 | ||||
-rw-r--r-- | sound/soc/soc-compress.c | 5 | ||||
-rw-r--r-- | sound/soc/soc-pcm.c | 4 |
14 files changed, 236 insertions, 54 deletions
diff --git a/drivers/input/touchscreen/synaptics_i2c_rmi4.c b/drivers/input/touchscreen/synaptics_i2c_rmi4.c index 8922fd362ee3..b1d924437708 100644 --- a/drivers/input/touchscreen/synaptics_i2c_rmi4.c +++ b/drivers/input/touchscreen/synaptics_i2c_rmi4.c @@ -2299,6 +2299,12 @@ static int synaptics_rmi4_f11_init(struct synaptics_rmi4_data *rmi4_data, rmi4_data->max_touch_width = MAX_F11_TOUCH_WIDTH; fhandler->intr_reg_num = (intr_count + 7) / 8; + if (fhandler->intr_reg_num >= MAX_INTR_REGISTERS) { + fhandler->intr_reg_num = 0; + fhandler->num_of_data_sources = 0; + fhandler->intr_mask = 0; + return -EINVAL; + } if (fhandler->intr_reg_num != 0) fhandler->intr_reg_num -= 1; @@ -2605,6 +2611,13 @@ static int synaptics_rmi4_f12_init(struct synaptics_rmi4_data *rmi4_data, rmi4_data->num_of_tx); fhandler->intr_reg_num = (intr_count + 7) / 8; + if (fhandler->intr_reg_num >= MAX_INTR_REGISTERS) { + fhandler->intr_reg_num = 0; + fhandler->num_of_data_sources = 0; + fhandler->intr_mask = 0; + retval = -EINVAL; + goto free_function_handler_mem; + } if (fhandler->intr_reg_num != 0) fhandler->intr_reg_num -= 1; @@ -2748,6 +2761,13 @@ static int synaptics_rmi4_f1a_init(struct synaptics_rmi4_data *rmi4_data, fhandler->num_of_data_sources = fd->intr_src_count; fhandler->intr_reg_num = (intr_count + 7) / 8; + if (fhandler->intr_reg_num >= MAX_INTR_REGISTERS) { + fhandler->intr_reg_num = 0; + fhandler->num_of_data_sources = 0; + fhandler->intr_mask = 0; + retval = -EINVAL; + goto error_exit; + } if (fhandler->intr_reg_num != 0) fhandler->intr_reg_num -= 1; @@ -3096,7 +3116,8 @@ flash_prog_mode: dev_dbg(&rmi4_data->i2c_client->dev, "%s: Number of interrupt registers = %d\n", __func__, rmi4_data->num_of_intr_regs); - + if (rmi4_data->num_of_intr_regs >= MAX_INTR_REGISTERS) + return -EINVAL; memset(rmi4_data->intr_mask, 0x00, sizeof(rmi4_data->intr_mask)); /* diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c index 6103e703974e..11755c3f015f 100644 --- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c @@ -1824,6 +1824,8 @@ static int msm_cpp_check_buf_type(struct msm_buf_mngr_info *buff_mgr_info, /* More or equal bufs as Input buffer */ num_output_bufs = new_frame->batch_info.batch_size; } + if (num_output_bufs > MSM_OUTPUT_BUF_CNT) + return 0; for (i = 0; i < num_output_bufs; i++) { new_frame->output_buffer_info[i].index = buff_mgr_info->user_buf.buf_idx[i]; diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c index 5c169f031b95..0d472ea9aea3 100644 --- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c +++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c @@ -54,8 +54,15 @@ static void msm_cci_set_clk_param(struct cci_device *cci_dev, enum cci_i2c_master_t master = c_ctrl->cci_info->cci_i2c_master; enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode; + if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) { + pr_err("%s:%d invalid i2c_freq_mode %d\n", + __func__, __LINE__, i2c_freq_mode); + return; + } + if (cci_dev->master_clk_init[master]) return; + clk_params = &cci_dev->cci_clk_params[i2c_freq_mode]; if (MASTER_0 == master) { diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c index aaae13dddbf0..4a13ef87898d 100644 --- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c +++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c @@ -498,6 +498,42 @@ static int32_t msm_flash_init( return 0; } +#ifdef CONFIG_COMPAT +static int32_t msm_flash_init_prepare( + struct msm_flash_ctrl_t *flash_ctrl, + struct msm_flash_cfg_data_t *flash_data) +{ + return msm_flash_init(flash_ctrl, flash_data); +} +#else +static int32_t msm_flash_init_prepare( + struct msm_flash_ctrl_t *flash_ctrl, + struct msm_flash_cfg_data_t *flash_data) +{ + struct msm_flash_cfg_data_t flash_data_k; + struct msm_flash_init_info_t flash_init_info; + int32_t i = 0; + + flash_data_k.cfg_type = flash_data->cfg_type; + for (i = 0; i < MAX_LED_TRIGGERS; i++) { + flash_data_k.flash_current[i] = + flash_data->flash_current[i]; + flash_data_k.flash_duration[i] = + flash_data->flash_duration[i]; + } + + flash_data_k.cfg.flash_init_info = &flash_init_info; + if (copy_from_user(&flash_init_info, + (void *)(flash_data->cfg.flash_init_info), + sizeof(struct msm_flash_init_info_t))) { + pr_err("%s copy_from_user failed %d\n", + __func__, __LINE__); + return -EFAULT; + } + return msm_flash_init(flash_ctrl, &flash_data_k); +} +#endif + static int32_t msm_flash_low( struct msm_flash_ctrl_t *flash_ctrl, struct msm_flash_cfg_data_t *flash_data) @@ -604,7 +640,7 @@ static int32_t msm_flash_config(struct msm_flash_ctrl_t *flash_ctrl, switch (flash_data->cfg_type) { case CFG_FLASH_INIT: - rc = msm_flash_init(flash_ctrl, flash_data); + rc = msm_flash_init_prepare(flash_ctrl, flash_data); break; case CFG_FLASH_RELEASE: if (flash_ctrl->flash_state == MSM_CAMERA_FLASH_INIT) diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c index 6e7ca4773afa..d7223213f6dd 100644 --- a/drivers/misc/qseecom.c +++ b/drivers/misc/qseecom.c @@ -5131,7 +5131,11 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg) break; } pr_debug("SET_MEM_PARAM: qseecom addr = 0x%pK\n", data); + mutex_lock(&app_access_lock); + atomic_inc(&data->ioctl_count); ret = qseecom_set_client_mem_param(data, argp); + atomic_dec(&data->ioctl_count); + mutex_unlock(&app_access_lock); if (ret) pr_err("failed Qqseecom_set_mem_param request: %d\n", ret); diff --git a/drivers/platform/msm/ipa/ipa_intf.c b/drivers/platform/msm/ipa/ipa_intf.c index 535ea8429747..d76bf64bfb6d 100644 --- a/drivers/platform/msm/ipa/ipa_intf.c +++ b/drivers/platform/msm/ipa/ipa_intf.c @@ -265,6 +265,14 @@ int ipa_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx) mutex_lock(&ipa_ctx->lock); list_for_each_entry(entry, &ipa_ctx->intf_list, link) { if (!strncmp(entry->name, tx->name, IPA_RESOURCE_NAME_MAX)) { + /* add the entry check */ + if (entry->num_tx_props != tx->num_tx_props) { + IPAERR("invalid entry number(%u %u)\n", + entry->num_tx_props, + tx->num_tx_props); + mutex_unlock(&ipa_ctx->lock); + return result; + } memcpy(tx->tx, entry->tx, entry->num_tx_props * sizeof(struct ipa_ioc_tx_intf_prop)); result = 0; @@ -298,6 +306,14 @@ int ipa_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx) mutex_lock(&ipa_ctx->lock); list_for_each_entry(entry, &ipa_ctx->intf_list, link) { if (!strncmp(entry->name, rx->name, IPA_RESOURCE_NAME_MAX)) { + /* add the entry check */ + if (entry->num_rx_props != rx->num_rx_props) { + IPAERR("invalid entry number(%u %u)\n", + entry->num_rx_props, + rx->num_rx_props); + mutex_unlock(&ipa_ctx->lock); + return result; + } memcpy(rx->rx, entry->rx, entry->num_rx_props * sizeof(struct ipa_ioc_rx_intf_prop)); result = 0; @@ -331,6 +347,14 @@ int ipa_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext) mutex_lock(&ipa_ctx->lock); list_for_each_entry(entry, &ipa_ctx->intf_list, link) { if (!strcmp(entry->name, ext->name)) { + /* add the entry check */ + if (entry->num_ext_props != ext->num_ext_props) { + IPAERR("invalid entry number(%u %u)\n", + entry->num_ext_props, + ext->num_ext_props); + mutex_unlock(&ipa_ctx->lock); + return result; + } memcpy(ext->ext, entry->ext, entry->num_ext_props * sizeof(struct ipa_ioc_ext_intf_prop)); result = 0; diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c index 10f71b85a15b..fe5458974406 100644 --- a/drivers/soc/qcom/qdsp6v2/voice_svc.c +++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c @@ -368,6 +368,9 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, struct voice_svc_prvt *prtd; struct voice_svc_write_msg *data = NULL; uint32_t cmd; + struct voice_svc_register *register_data = NULL; + struct voice_svc_cmd_request *request_data = NULL; + uint32_t request_payload_size; pr_debug("%s\n", __func__); @@ -416,12 +419,19 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, */ if (count == (sizeof(struct voice_svc_write_msg) + sizeof(struct voice_svc_register))) { - ret = process_reg_cmd( - (struct voice_svc_register *)data->payload, prtd); + register_data = + (struct voice_svc_register *)data->payload; + if (register_data == NULL) { + pr_err("%s: register data is NULL", __func__); + ret = -EINVAL; + goto done; + } + ret = process_reg_cmd(register_data, prtd); if (!ret) ret = count; } else { - pr_err("%s: invalid payload size\n", __func__); + pr_err("%s: invalid data payload size for register command\n", + __func__); ret = -EINVAL; goto done; } @@ -430,19 +440,40 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, /* * Check that count reflects the expected size to ensure * sufficient memory was allocated. Since voice_svc_cmd_request - * has a variable size, check the minimum value count must be. + * has a variable size, check the minimum value count must be to + * parse the message request then check the minimum size to hold + * the payload of the message request. */ if (count >= (sizeof(struct voice_svc_write_msg) + sizeof(struct voice_svc_cmd_request))) { - ret = voice_svc_send_req( - (struct voice_svc_cmd_request *)data->payload, prtd); - if (!ret) - ret = count; - } else { - pr_err("%s: invalid payload size\n", __func__); - ret = -EINVAL; - goto done; - } + request_data = + (struct voice_svc_cmd_request *)data->payload; + if (request_data == NULL) { + pr_err("%s: request data is NULL", __func__); + ret = -EINVAL; + goto done; + } + + request_payload_size = request_data->payload_size; + + if (count >= (sizeof(struct voice_svc_write_msg) + + sizeof(struct voice_svc_cmd_request) + + request_payload_size)) { + ret = voice_svc_send_req(request_data, prtd); + if (!ret) + ret = count; + } else { + pr_err("%s: invalid request payload size\n", + __func__); + ret = -EINVAL; + goto done; + } + } else { + pr_err("%s: invalid data payload size for request command\n", + __func__); + ret = -EINVAL; + goto done; + } break; default: pr_debug("%s: Invalid command: %u\n", __func__, cmd); diff --git a/drivers/staging/qcacld-2.0/CORE/SME/src/oemData/oemDataApi.c b/drivers/staging/qcacld-2.0/CORE/SME/src/oemData/oemDataApi.c index 9b5e56cc3787..1f796a2615dd 100644 --- a/drivers/staging/qcacld-2.0/CORE/SME/src/oemData/oemDataApi.c +++ b/drivers/staging/qcacld-2.0/CORE/SME/src/oemData/oemDataApi.c @@ -208,7 +208,6 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe { eHalStatus status = eHAL_STATUS_SUCCESS; tSirOemDataReq* pMsg; - tANI_U16 msgLen; tCsrRoamSession *pSession; smsLog(pMac, LOGW, "OEM_DATA: entering Function %s", __func__); @@ -225,9 +224,8 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe return eHAL_STATUS_FAILURE; } - msgLen = (uint16_t) (sizeof(*pMsg) + pOemDataReq->data_len); pMsg->messageType = pal_cpu_to_be16((tANI_U16)eWNI_SME_OEM_DATA_REQ); - pMsg->messageLen = pal_cpu_to_be16(msgLen); + pMsg->messageLen = pal_cpu_to_be16((uint16_t) sizeof(*pMsg)); vos_mem_copy(pMsg->selfMacAddr, pSession->selfMacAddr, sizeof(tSirMacAddr) ); pMsg->data_len = pOemDataReq->data_len; /* Incoming buffer ptr saved, set to null to avoid free by caller */ diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c index 4147e32309ae..0160ac5f0123 100644 --- a/drivers/video/msm/mdss/mdss_fb.c +++ b/drivers/video/msm/mdss/mdss_fb.c @@ -1722,7 +1722,7 @@ int mdss_fb_alloc_fb_ion_memory(struct msm_fb_data_type *mfd, size_t fb_size) ion_unmap_iommu(mfd->fb_ion_client, mfd->fb_ion_handle, mfd->mdp.fb_mem_get_iommu_domain(), 0); } - goto fb_mmap_failed; + goto err_put; } pr_debug("alloc 0x%zuB vaddr = %pK (%pa iova) for fb%d\n", fb_size, @@ -1734,8 +1734,12 @@ int mdss_fb_alloc_fb_ion_memory(struct msm_fb_data_type *mfd, size_t fb_size) return rc; +err_put: + dma_buf_put(mfd->fbmem_buf); fb_mmap_failed: ion_free(mfd->fb_ion_client, mfd->fb_ion_handle); + mfd->fb_ion_handle = NULL; + mfd->fbmem_buf = NULL; return rc; } diff --git a/drivers/video/msm/mdss/mdss_mdp_overlay.c b/drivers/video/msm/mdss/mdss_mdp_overlay.c index c91f55e81299..bd67a1cb44ce 100644 --- a/drivers/video/msm/mdss/mdss_mdp_overlay.c +++ b/drivers/video/msm/mdss/mdss_mdp_overlay.c @@ -3327,12 +3327,21 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd, start_y = 0; } + if ((img->width > mdata->max_cursor_size) || + (img->height > mdata->max_cursor_size) || + (img->depth != 32) || (start_x >= xres) || + (start_y >= yres)) { + pr_err("Invalid cursor image coordinates\n"); + ret = -EINVAL; + goto done; + } + roi.w = min(xres - start_x, img->width - roi.x); roi.h = min(yres - start_y, img->height - roi.y); if ((roi.w > mdata->max_cursor_size) || - (roi.h > mdata->max_cursor_size) || - (img->depth != 32) || (start_x >= xres) || (start_y >= yres)) { + (roi.h > mdata->max_cursor_size)) { + pr_err("Invalid cursor ROI size\n"); ret = -EINVAL; goto done; } @@ -3363,12 +3372,6 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd, req->transp_mask = img->bg_color & ~(0xff << var->transp.offset); if (mfd->cursor_buf && (cursor->set & FB_CUR_SETIMAGE)) { - if (img->width * img->height * 4 > cursor_frame_size) { - pr_err("cursor image size is too large\n"); - ret = -EINVAL; - goto done; - } - ret = copy_from_user(mfd->cursor_buf, img->data, img->width * img->height * 4); if (ret) { diff --git a/include/media/msmb_pproc.h b/include/media/msmb_pproc.h index 0e3cb8705688..7c66862d343c 100644 --- a/include/media/msmb_pproc.h +++ b/include/media/msmb_pproc.h @@ -22,6 +22,7 @@ #define MSM_CPP_MAX_FRAME_LENGTH 4096 #define MSM_CPP_MAX_FW_NAME_LEN 32 #define MAX_FREQ_TBL 10 +#define MSM_OUTPUT_BUF_CNT 8 enum msm_cpp_frame_type { MSM_CPP_OFFLINE_FRAME, @@ -211,7 +212,7 @@ struct msm_cpp_frame_info_t { uint32_t feature_mask; uint8_t we_disable; struct msm_cpp_buffer_info_t input_buffer_info; - struct msm_cpp_buffer_info_t output_buffer_info[8]; + struct msm_cpp_buffer_info_t output_buffer_info[MSM_OUTPUT_BUF_CNT]; struct msm_cpp_buffer_info_t duplicate_buffer_info; struct msm_cpp_buffer_info_t tnr_scratch_buffer_info[2]; uint32_t reserved; diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c index 3193a8616ae2..6f25512b86ef 100644 --- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c +++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c @@ -84,6 +84,7 @@ struct lsm_priv { atomic_t buf_count; atomic_t read_abort; wait_queue_head_t period_wait; + struct mutex lsm_api_lock; int appl_cnt; int dma_write; }; @@ -861,10 +862,18 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream, case SNDRV_LSM_EVENT_STATUS: dev_dbg(rtd->dev, "%s: Get event status\n", __func__); atomic_set(&prtd->event_wait_stop, 0); + + /* + * Release the api lock before wait to allow + * other IOCTLs to be invoked while waiting + * for event + */ + mutex_unlock(&prtd->lsm_api_lock); rc = wait_event_freezable(prtd->event_wait, (cmpxchg(&prtd->event_avail, 1, 0) || (xchg = atomic_cmpxchg(&prtd->event_wait_stop, 1, 0)))); + mutex_lock(&prtd->lsm_api_lock); dev_dbg(rtd->dev, "%s: wait_event_freezable %d event_wait_stop %d\n", __func__, rc, xchg); if (!rc && !xchg) { @@ -1116,6 +1125,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, rtd = substream->private_data; prtd = runtime->private_data; + mutex_lock(&prtd->lsm_api_lock); + switch (cmd) { case SNDRV_LSM_EVENT_STATUS: { struct snd_lsm_event_status *user = NULL, userarg32; @@ -1123,7 +1134,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, if (copy_from_user(&userarg32, arg, sizeof(userarg32))) { dev_err(rtd->dev, "%s: err copyuser ioctl %s\n", __func__, "SNDRV_LSM_EVENT_STATUS"); - return -EFAULT; + err = -EFAULT; + goto done; } if (userarg32.payload_size > @@ -1131,7 +1143,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, pr_err("%s: payload_size %d is invalid, max allowed = %d\n", __func__, userarg32.payload_size, LISTEN_MAX_STATUS_PAYLOAD_SIZE); - return -EINVAL; + err = -EINVAL; + goto done; } size = sizeof(*user) + userarg32.payload_size; @@ -1140,7 +1153,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: Allocation failed event status size %d\n", __func__, size); - return -EFAULT; + err = -EFAULT; + goto done; } else { cmd = SNDRV_LSM_EVENT_STATUS; user->payload_size = userarg32.payload_size; @@ -1189,7 +1203,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: %s: not supported if using topology\n", __func__, "REG_SND_MODEL_V2"); - return -EINVAL; + err = -EINVAL; + goto done; } if (copy_from_user(&snd_modelv232, arg, @@ -1230,7 +1245,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: %s: not supported if using topology\n", __func__, "SET_PARAMS_32"); - return -EINVAL; + err = -EINVAL; + goto done; } if (copy_from_user(&det_params32, arg, @@ -1273,7 +1289,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: %s: not supported if not using topology\n", __func__, "SET_MODULE_PARAMS_32"); - return -EINVAL; + err = -EINVAL; + goto done; } if (copy_from_user(&p_data_32, arg, @@ -1282,7 +1299,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, "%s: %s: copy_from_user failed, size = %zd\n", __func__, "SET_MODULE_PARAMS_32", sizeof(p_data_32)); - return -EFAULT; + err = -EFAULT; + goto done; } p_data.params = compat_ptr(p_data_32.params); @@ -1294,7 +1312,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, "%s: %s: Invalid num_params %d\n", __func__, "SET_MODULE_PARAMS_32", p_data.num_params); - return -EINVAL; + err = -EINVAL; + goto done; } if (p_data.data_size != @@ -1303,7 +1322,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, "%s: %s: Invalid size %d\n", __func__, "SET_MODULE_PARAMS_32", p_data.data_size); - return -EINVAL; + err = -EINVAL; + goto done; } p_size = sizeof(struct lsm_params_info_32) * @@ -1314,7 +1334,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: no memory for params32, size = %zd\n", __func__, p_size); - return -ENOMEM; + err = -ENOMEM; + goto done; } p_size = sizeof(struct lsm_params_info) * p_data.num_params; @@ -1324,7 +1345,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, "%s: no memory for params, size = %zd\n", __func__, p_size); kfree(params32); - return -ENOMEM; + err = -ENOMEM; + goto done; } if (copy_from_user(params32, p_data.params, @@ -1334,7 +1356,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, __func__, "params32", p_data.data_size); kfree(params32); kfree(params); - return -EFAULT; + err = -EFAULT; + goto done; } p_info_32 = (struct lsm_params_info_32 *) params32; @@ -1377,6 +1400,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, err = msm_lsm_ioctl_shared(substream, cmd, arg); break; } +done: + mutex_unlock(&prtd->lsm_api_lock); return err; } #else @@ -1401,6 +1426,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, prtd = runtime->private_data; rtd = substream->private_data; + mutex_lock(&prtd->lsm_api_lock); switch (cmd) { case SNDRV_LSM_REG_SND_MODEL_V2: { struct snd_lsm_sound_model_v2 snd_model_v2; @@ -1409,7 +1435,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: %s: not supported if using topology\n", __func__, "REG_SND_MODEL_V2"); - return -EINVAL; + err = -EINVAL; + goto done; } if (copy_from_user(&snd_model_v2, arg, sizeof(snd_model_v2))) { @@ -1426,7 +1453,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s REG_SND_MODEL failed err %d\n", __func__, err); - return err; + goto done; } break; case SNDRV_LSM_SET_PARAMS: { @@ -1436,7 +1463,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: %s: not supported if using topology\n", __func__, "SET_PARAMS"); - return -EINVAL; + err = -EINVAL; + goto done; } pr_debug("%s: SNDRV_LSM_SET_PARAMS\n", __func__); @@ -1457,7 +1485,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: LSM_SET_PARAMS failed, err %d\n", __func__, err); - return err; + + goto done; } case SNDRV_LSM_SET_MODULE_PARAMS: { @@ -1469,7 +1498,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: %s: not supported if not using topology\n", __func__, "SET_MODULE_PARAMS"); - return -EINVAL; + err = -EINVAL; + goto done; } if (copy_from_user(&p_data, arg, @@ -1477,7 +1507,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: %s: copy_from_user failed, size = %zd\n", __func__, "p_data", sizeof(p_data)); - return -EFAULT; + err = -EFAULT; + goto done; } if (p_data.num_params > LSM_PARAMS_MAX) { @@ -1485,7 +1516,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, "%s: %s: Invalid num_params %d\n", __func__, "SET_MODULE_PARAMS", p_data.num_params); - return -EINVAL; + err = -EINVAL; + goto done; } p_size = p_data.num_params * @@ -1496,7 +1528,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, "%s: %s: Invalid size %zd\n", __func__, "SET_MODULE_PARAMS", p_size); - return -EFAULT; + err = -EFAULT; + goto done; } params = kzalloc(p_size, GFP_KERNEL); @@ -1504,7 +1537,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: no memory for params\n", __func__); - return -ENOMEM; + err = -ENOMEM; + goto done; } if (copy_from_user(params, p_data.params, @@ -1513,7 +1547,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, "%s: %s: copy_from_user failed, size = %d\n", __func__, "params", p_data.data_size); kfree(params); - return -EFAULT; + err = -EFAULT; + goto done; } err = msm_lsm_process_params(substream, &p_data, params); @@ -1533,7 +1568,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: err copyuser event_status\n", __func__); - return -EFAULT; + err = -EFAULT; + goto done; } if (userarg.payload_size > @@ -1541,7 +1577,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, pr_err("%s: payload_size %d is invalid, max allowed = %d\n", __func__, userarg.payload_size, LISTEN_MAX_STATUS_PAYLOAD_SIZE); - return -EINVAL; + err = -EINVAL; + goto done; } size = sizeof(struct snd_lsm_event_status) + @@ -1551,7 +1588,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, dev_err(rtd->dev, "%s: Allocation failed event status size %d\n", __func__, size); - return -EFAULT; + err = -EFAULT; + goto done; } else { user->payload_size = userarg.payload_size; err = msm_lsm_ioctl_shared(substream, cmd, user); @@ -1574,12 +1612,14 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, if (err) dev_err(rtd->dev, "%s: lsmevent failed %d", __func__, err); - return err; + goto done; } default: err = msm_lsm_ioctl_shared(substream, cmd, arg); break; } +done: + mutex_unlock(&prtd->lsm_api_lock); return err; } @@ -1596,6 +1636,7 @@ static int msm_lsm_open(struct snd_pcm_substream *substream) __func__); return -ENOMEM; } + mutex_init(&prtd->lsm_api_lock); spin_lock_init(&prtd->event_lock); init_waitqueue_head(&prtd->event_wait); init_waitqueue_head(&prtd->period_wait); @@ -1721,6 +1762,7 @@ static int msm_lsm_close(struct snd_pcm_substream *substream) kfree(prtd->event_status); prtd->event_status = NULL; spin_unlock_irqrestore(&prtd->event_lock, flags); + mutex_destroy(&prtd->lsm_api_lock); kfree(prtd); runtime->private_data = NULL; diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c index cb57d3e688b1..1d112cc059b1 100644 --- a/sound/soc/soc-compress.c +++ b/sound/soc/soc-compress.c @@ -569,6 +569,11 @@ static int soc_compr_set_params_fe(struct snd_compr_stream *cstream, cstream, &async_domain); } else { be_list[j++] = be; + if (j == DPCM_MAX_BE_USERS) { + dev_dbg(fe->dev, + "ASoC: MAX backend users!\n"); + break; + } } } for (i = 0; i < j; i++) { diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c index 0e928a7fcec4..8206c3f0b9b7 100644 --- a/sound/soc/soc-pcm.c +++ b/sound/soc/soc-pcm.c @@ -1845,6 +1845,10 @@ void dpcm_be_dai_prepare_async(struct snd_soc_pcm_runtime *fe, int stream, dpcm, domain); } else { dpcm_async[i++] = dpcm; + if (i == DPCM_MAX_BE_USERS) { + dev_dbg(fe->dev, "ASoC: MAX backend users!\n"); + break; + } } } |