(cherry picked from commit 75ed04dc1f7e7da565e41b7190fb44f078c5b4d6)
(cherry picked from commit a23fc1d9e2a6166dde561c6e5cf8f1e09e0a5c0c)
(cherry picked from commit efed5ad0c48e83e66b4be7f33147aa192e47e498)
When the dummy clock ops are used, the pointer passed to the clock ops is
expected to be to a struct clk_hw member within an encapsulating
struct clk_dummy. As such, when a pointer to only a plain struct clk_hw is
passed, the dummy clock ops cast the pointer to (struct clk_dummy *) and
erroneously manipulate memory outside the original clk_hw struct.
Fix it by using a struct clk_dummy as the dummy clock ops expect.
This fixes the following KASAN warning:
==================================================================
BUG: KASAN: global-out-of-bounds in dummy_clk_recalc_rate+0x18/0x28
Read of size 8 at addr ffffff900ab5f5d0 by task swapper/0/1
CPU: 4 PID: 1 Comm: swapper/0 Not tainted 4.9.96-g929b37a34c44-dirty #2
Hardware name: Google Inc. MSM sdm845 C1 DVT1.1 (DT)
Call trace:
[<ffffff900808c508>] dump_backtrace+0x0/0x340
[<ffffff900808c85c>] show_stack+0x14/0x20
[<ffffff90084fc7b4>] dump_stack+0xb0/0xdc
[<ffffff90082494c0>] print_address_description+0x60/0x264
[<ffffff9008233988>] kasan_report+0x168/0x350
[<ffffff900823331c>] __asan_load8+0x7c/0x90
[<ffffff90085da360>] dummy_clk_recalc_rate+0x18/0x28
[<ffffff90085c6684>] clk_register+0x7ec/0xbd8
[<ffffff90085c6d5c>] devm_clk_register+0x4c/0xa0
[<ffffff9008fd4eec>] audio_ref_clk_probe+0x2ac/0x3c0
[<ffffff90088b97b8>] platform_drv_probe+0x70/0xe0
[<ffffff90088b7380>] driver_probe_device+0x230/0x3a0
[<ffffff90088b7628>] __driver_attach+0x138/0x158
[<ffffff90088b42e4>] bus_for_each_dev+0xf4/0x158
[<ffffff90088b7800>] driver_attach+0x30/0x40
[<ffffff90088b5470>] bus_add_driver+0x298/0x2c8
[<ffffff90088b838c>] driver_register+0xb4/0x198
[<ffffff90088ba8ac>] __platform_driver_register+0x7c/0x88
[<ffffff9008fd5184>] audio_ref_clk_platform_init+0x1c/0x28
[<ffffff900a239318>] wcd9xxx_soc_init+0x18/0x64
[<ffffff900a2011b0>] do_one_initcall+0xf4/0x1d4
[<ffffff900a2014b8>] kernel_init_freeable+0x228/0x2c4
[<ffffff90093c3080>] kernel_init+0x10/0x108
[<ffffff90080836f0>] ret_from_fork+0x10/0x20
The buggy address belongs to the variable:
0xffffff900ab5f5d0
Memory state around the buggy address:
ffffff900ab5f480: 00 00 00 00 00 fa fa fa fa fa fa fa 00 00 04 fa
ffffff900ab5f500: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 00 00
>ffffff900ab5f580: 00 fa fa fa fa fa fa fa 00 00 04 fa fa fa fa fa
^
ffffff900ab5f600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffff900ab5f680: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 00
==================================================================
Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com>
(cherry picked from commit eea338d8e79b5c9e3bbcf4bb1c5400ef8027b60c)
(cherry picked from commit a24f742e9c83d553e40c753a46f04045112a0005)
Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com>
(cherry picked from commit 597ba888c44f41b8e0ee98c4eab4a857653ed60d)
(cherry picked from commit d8e082343709a3f97b61771188d2406312ec9150)
memset requires the number of bytes to write, not the number of elements
in an array to write.
Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com>
(cherry picked from commit b4bcef7accb2ec01653bb958ce71e13b2fd66b44)
(cherry picked from commit ee168116ff7fa089eb20ef43d495a55f8e2830cf)
An unused variable will be exposed by a backport of mainline commit
0a5f41767444 ("kbuild: clang: disable unused variable warnings only
when constant").
../techpack/audio/asoc/codecs/wcd934x/wcd934x.c:10178:13: error: unused variable 'val' [-Werror,-Wunused-variable]
int input, val;
^
1 error generated.
(cherry picked from commit 8c146bfa485c3b5f5485cb07f01ebf37d07ceb30)
(cherry picked from commit 3adfea3c81d1e77dd2528a7eb529e0815e4d1b58)
(cherry picked from commit db9e50f5df6655d95e6c1bb439c6ab8a5c34b6ad)
For now, it's just mic gain
(cherry picked from commit 04481901f4c2c41bb0e731e600073266b8eb262a)
(cherry picked from commit 61665e7def922aebabe9ad4f8427d4003bf6ad5e)
The global declared mmap_handle can be left dangling
for case when the handle is freed by the calling function.
Fix is to address this. Also add a check to make sure
the mmap_handle is accessed legally.
Change-Id: I367f8a41339aa0025b545b125ee820220efedeee
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
There is no check for voip pkt pkt_len,if it contains the
minimum required data. This can lead to integer underflow.
Add check for the same.
Change-Id: I91d4f2ad8dfb060cdb2ab9e36dc9f886ea40908a
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
Add check for the max hpcm_buf_node size before copy to avoid
buffer out of bounds issue.
Change-Id: Id647888430ce302359a857ef54d321bee99889bf
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
ASoC CTLs with negative minimum values were changed to use S8_TLV
controls on the upstream audio-kernel.
This is a backport of the upstream change [1] as it didn't land
into any sdm845 tag.
[1] 30fad2dc20
Change-Id: Id4b3038eb5d79a027f063869136ecebc83ee873d
Current logic copies user buf size of data
from the avail dsp buf at a given offset.
If this offset returned from DSP in READ_DONE event
goes out of bounds or is corrupted, then it can lead to
out of bounds DSP buffer access, resulting in memory fault.
Fix is to add check for this buf offset, if it is within
the buf size range.
Change-Id: I7753cc6db394704dbb959477150141d42b836bef
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
