Updated get_param_payload buffer ptr to NULL
after free to avoid use after free issue.
Change-Id: I86da8c12a0bdccce690f67b037198b67640e339b
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
Add check for AVCS_CMD_RSP_LOAD_MODULE response payload
to avoid its access after free.
Change-Id: I3023e6676a27fe33d2cc0f44a49813f0ed0ebe3b
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
check for the proper param size before copying,
to avoid OOB memory access of buffer.
Change-Id: I8e9bd3b4be9a2797e76dce403578c038fc07dd58
Signed-off-by: Shalini Manjunatha <quic_c_shalma@quicinc.com>
Fix is to add check for this ADSP returned buf offset + size,
if it is within the available buf size range
Change-Id: I400cc4f5c07164f0a9b405ebea144ea0ae4b6cf2
Signed-off-by: Shalini Manjunatha <quic_c_shalma@quicinc.com>
Add support to remove unnecessary TDM route where TDM is not need.
Change-Id: I56aee33cbb9ecbc190fc24bfa14a071263661292
Signed-off-by: Boyuan Yan <quic_boyuyan@quicinc.com>
Bus reset is creating mismatch in interrupt generation sequence
and leading to audio playback mute.
Disabling bus reset for soundwire master version 1.5
Change-Id: I1d41a8d11d1f86c8a538f0b8d234bb6d001268ad
Signed-off-by: Vijay Kumar Maddula <quic_vmaddula@quicinc.com>
Avoid OOB access of sidetone iir config array when
iir_num_biquad_stages returned from cal block is > 10
Change-Id: I45b95e8bdd1a993a526590c94cf2f9a85c12af37
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
Add buf len check for the playback data before copy
to avoid OOB issues.
Change-Id: I737d09e275463292365cd183b9a43d09ff9ccbf2
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
There is no check for voip pkt pkt_len,if it contains the
min required data. This can lead to integer underflow.
Add check for the same.
Change-Id: I40242429542b6c32a0e6c3bbe03975c244c2f61a
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
check for the proper param size before copying,
to avoid buffer overflow.
Change-Id: I70c52e6ab76f528ea3714784ab9013b070839c40
Signed-off-by: Shalini Manjunatha <quic_c_shalma@quicinc.com>
Payload size is not checked before payload access for AVCS.
Check size to avoid out-of-boundary memory access.
Change-Id: I6de3342617bd4f3fb8849ad2230dd57c07469372
Signed-off-by: Shalini Manjunatha <quic_c_shalma@quicinc.com>
There is no check for voip pkt pkt_len,if it contains the
min required data. This can lead to integer underflow.
Add check for the same.
Change-Id: I4f57eb125967d52ad8da60d21a440af1f81d2579
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
There is no check for the copy data size of the
ADSP returned payload. Add check for the max
hpcm_buf_node size before copy to avoid
buffer out of bounds issue.
Change-Id: Id647888430ce302359a857ef54d321bee99889bf
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
"num_services", a signed integer when compared
with constant results in conversion of signed integer
to max possible unsigned int value when "num_services"
is a negative value. This can lead to OOB read.
Fix is to handle this case.
Change-Id: Id6a8f150d9019c972a87f789e4c626337a97bfff
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
Check for the max size of cvs command register
calibration data that can be copied else will
result in buffer overflow.
Change-Id: Id7a4c5a9795143798b68dfde779f17fb450e3848
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
There is no error check for case when hpcm_start
is called for the same RX or TX tap points multiple times.
This can result in OOB access of struct vss_ivpcm_tap_point.
Handle this scenario with appropriate no_of_tp check.
Change-Id: Ib384d21c9bf372f3e5d78f64b5c056e836728399
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
runtime_suspend may get from multi functions and reslock is
unlock and lock inbetween which may cause clk count mismatch
with multi rutime_suspend called. Add new lock to make sure
runtime_suspend is run in sequence.
Change-Id: Ie465ded6dc1db1244035e9f4d216466b630df82b
Signed-off-by: Meng Wang <mengw@codeaurora.org>
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
the APSS would suspend within ~120ms after audio off, if system suspend
swrm_suspend() is called before swrm_runtime_suspend. The clock stop
sequence require writing IPC and expect interrupt, which would stop
the APSS to be suspended. Reduce the auto suspend time specifically when
swr event is done can call the swrm_runtime_suspend
Change-Id: Iee0c9143d65e5a8e68a8e20ab73bea9def1920bd
Signed-off-by: Junkai Cai <junkai@codeaurora.org>
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
Conversion of negative "num_modules" var value
will result in max possible unsigned int value
and hence can cause mem corruption when accessed.
Resolve this by assigning the same data type
to "num_modules" var as used in the calling fn.
Change-Id: I4c9d7215b9c7345637e1eb3a1992a41fef71c5cb
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
Due to incorrect check for buffer size calculation during partial buffer size check,
which is part of code for gapless playback support in GKI mode,
partial buffers are missed from sending to DSP causing buffer handling issues.
Change-Id: Ic6f5a3ce6958ddc94dc7bb7e92ebb778aa13cb64
Signed-off-by: Shalini Manjunatha <quic_c_shalma@quicinc.com>
There is a possibility where an access
to /dev/msm_audio_cal from third party
could pass negative size which would
lead to crash.
Avoid this by negative value size check.
Change-Id: Id36c5f10dccbd7d0ee85aa3310badec6815237a2
Signed-off-by: Sujin Panicker <quic_spanic@quicinc.com>
Update proper description to explain
the usage of endpoint ID 2.
Change-Id: I45a52ef43c3fcd42f97de37e7bb80517dfe09db3
Signed-off-by: Manoj Kumar N D <quic_mnd@quicinc.com>
Mark the used cal block as stale so that it is not reused.
Change-Id: I142d21d6d32a1b5ad24c3a2708b1df023d70947e
Signed-off-by: Manoj Kumar N D <quic_mnd@quicinc.com>
