Merge tag 'LA.VENDOR.1.0.r1-23800-WAIPIO.QSSI14.0' into staging/lineage-20.0_merge-LA.VENDOR.1.0.r1-23800-WAIPIO.QSSI14.0

"LA.VENDOR.1.0.r1-23800-WAIPIO.QSSI14.0"

# By Rajat Yadav (1) and others
# Via Linux Build Service Account (2) and Vaibhav Raut (1)
* tag 'LA.VENDOR.1.0.r1-23800-WAIPIO.QSSI14.0':
  agm: ipc: SWBinders: protect handle by clbk_data_list_lock
  ipc: Hwbinders: Add checks to avoid OOB read.
  ipc: HwBinders: Fix potential out of bound access
  agm: test: config: Update BE config for blair
  AGM: protect graph_read/graph_write with mutex

Change-Id: Ib24c5ec2c3d163d6355bcc6dbf8a787fff1b7053
diff --git a/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp b/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
index 22f714d..125a062 100644
--- a/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
+++ b/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
@@ -844,6 +844,11 @@
     void * payload_local = NULL;
     int32_t ret = 0;
 
+    if (payload.size() < size) {
+        ALOGE("%s: Invalid payload.size[%d] less than size %d\n", __func__, payload.size(), size);
+        return -EINVAL;
+    }
+
     payload_local = (void*) calloc(1, size);
     if (payload_local == NULL) {
         ALOGE("%s: Cannot allocate memory for payload_local\n", __func__);
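Review bot: The added ALOGE passes `payload.size()` to a `%d` conversion. If `payload` is a HIDL vector, `size()` returns `size_t`, so specifier and argument do not match on 64-bit builds and the value logged on this rejection path cannot be trusted. Assuming `size` is an unsigned 32-bit parameter (its declaration is outside the hunk), the line would read `ALOGE("%s: Invalid payload.size[%zu] less than size %u\n", __func__, payload.size(), size);`. The function continues past the hunk, so confirm that the copy into `payload_local` is bounded by the same `size` that was checked here.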
@@ -862,6 +867,18 @@
     ALOGV("%s : session_id = %d\n", __func__, session_id);
     struct agm_event_reg_cfg *evt_reg_cfg_local;
     int32_t ret = 0;
+
+    if (evt_reg_cfg.size() != 1) {
+        ALOGE("%s evt_reg_cfg needs to be of size 1\n", __func__);
+        return -EINVAL;
+    }
+
+    if (evt_reg_cfg.data()->event_config_payload.size() !=
+        evt_reg_cfg.data()->event_config_payload_size) {
+        ALOGE("%s: event_config_payload_size value mismatch\n", __func__);
+        return -EINVAL;
+    }
+
     evt_reg_cfg_local = (struct agm_event_reg_cfg*)
               calloc(1,(sizeof(struct agm_event_reg_cfg) +
               (evt_reg_cfg.data()->event_config_payload_size)*sizeof(uint8_t)));
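Review bot: The second added check compares `event_config_payload_size` with the vector length, but the calloc below it still sizes the buffer from the caller-supplied field rather than from the vector. Reading the length once, `const size_t payload_len = evt_reg_cfg.data()->event_config_payload.size();`, and using it for the allocation and for the later copy (outside this hunk) keeps the bound tied to the data actually received, even if the equality check is edited later. A short comment above the two checks, such as `/* evt_reg_cfg arrives over IPC: validate element count and payload length before sizing the local copy */`, would record why they must stay ahead of the allocation.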
diff --git a/ipc/SwBinders/agm_server/src/ipc_proxy_server.cpp b/ipc/SwBinders/agm_server/src/ipc_proxy_server.cpp
index 2e62686..10fe1d6 100644
--- a/ipc/SwBinders/agm_server/src/ipc_proxy_server.cpp
+++ b/ipc/SwBinders/agm_server/src/ipc_proxy_server.cpp
@@ -1,6 +1,6 @@
 /*
 ** Copyright (c) 2019, The Linux Foundation. All rights reserved.
-** Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+** Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
 **
 ** Redistribution and use in source and binary forms, with or without
 ** modification, are permitted provided that the following conditions are
@@ -753,21 +753,21 @@
         if (handle != NULL && handle->session_id == session_id &&
                               handle->client_data == client_data) {
             AGM_LOGV("%s: Found handle %p\n", __func__, handle);
-            pthread_mutex_unlock(&clbk_data_list_lock);
             break;
         }
     }
-    pthread_mutex_unlock(&clbk_data_list_lock);
 
     if (handle!= NULL) {
         sp<ICallback> cb_binder = handle->cb_binder;
         if (cb_binder == NULL) {
             AGM_LOGE("%s Invalid binder handle\n", __func__);
+            pthread_mutex_unlock(&clbk_data_list_lock);
             return;
         }
         cb_binder->event_cb(session_id, event_params,
                handle->client_data, handle->cb_func);
     }
+    pthread_mutex_unlock(&clbk_data_list_lock);
 }
 
 
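Review bot: With the unlock moved to the end of the function, `cb_binder->event_cb(...)` is now called while `clbk_data_list_lock` is held. If that binder call blocks on a slow or unresponsive client, or if delivering the callback leads back into code that takes the same lock (callback registration or removal, presumably), every other user of the list stalls or deadlocks. The lifetime problem the change addresses can be closed without holding the lock across the call: copy the strong binder reference and the two fields out of `handle` under the lock, unlock, then invoke the callback on the copies. The list walk that selects `handle` starts outside the hunk.

```cpp
    // … unchanged: list walk under clbk_data_list_lock that selects handle …

    if (handle == NULL) {
        pthread_mutex_unlock(&clbk_data_list_lock);
        return;
    }
    // Snapshot what the callback needs while the entry cannot be freed.
    sp<ICallback> cb_binder = handle->cb_binder;
    auto cb_client_data = handle->client_data;
    auto cb_func = handle->cb_func;
    pthread_mutex_unlock(&clbk_data_list_lock);

    if (cb_binder == NULL) {
        AGM_LOGE("%s Invalid binder handle\n", __func__);
        return;
    }
    cb_binder->event_cb(session_id, event_params, cb_client_data, cb_func);
}
```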
diff --git a/plugins/tinyalsa/test/backend_conf.xml b/plugins/tinyalsa/test/backend_conf.xml
index 230c94d..e620d82 100644
--- a/plugins/tinyalsa/test/backend_conf.xml
+++ b/plugins/tinyalsa/test/backend_conf.xml
@@ -36,6 +36,7 @@
     <device name="CODEC_DMA-LPAIF_WSA-RX-0" rate="48000" ch="1" bits="16" />
     <device name="CODEC_DMA-LPAIF_WSA-RX-1" rate="48000" ch="1" bits="16" />
     <device name="CODEC_DMA-LPAIF_RXTX-RX-0" rate="48000" ch="1" bits="16" />
+    <device name="CODEC_DMA-LPAIF_RXTX-RX-1" rate="48000" ch="1" bits="16" />
     <device name="TDM-LPAIF_AXI-RX-PRIMARY" rate="48000" ch="2" bits="16" />
     <device name="SLIM-DEV1-RX-0" rate="48000" ch="2" bits="16" />
     <device name="DISPLAY_PORT-RX" rate="48000" ch="2" bits="16" />
diff --git a/service/src/session_obj.c b/service/src/session_obj.c
index b0678a9..e1e17f3 100644
--- a/service/src/session_obj.c
+++ b/service/src/session_obj.c
@@ -2358,10 +2358,8 @@
         AGM_LOGE("Cannot issue read in state:%d\n",
                            sess_obj->state);
         ret = -EINVAL;
-        pthread_mutex_unlock(&sess_obj->lock);
         goto done;
     }
-    pthread_mutex_unlock(&sess_obj->lock);
 
     buffer.timestamp = 0x0;
     buffer.flags = 0;
@@ -2374,6 +2372,7 @@
     }
 
 done:
+    pthread_mutex_unlock(&sess_obj->lock);
     return ret;
 }
 
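Review bot: The `done:` label now unlocks `sess_obj->lock` unconditionally, so every `goto done` in this function must be reached with the lock held. The start of the function is outside the hunk; if any early validation jumps to `done` before `pthread_mutex_lock`, it would unlock a mutex the thread does not own, which is undefined for a default mutex. The same applies to the `done:` labels in the hunks at -2403, -2648 and -2685. Either add `/* every path to done holds sess_obj->lock */` above the label after auditing the jumps, or give pre-lock failures their own label that returns without unlocking.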
@@ -2387,10 +2386,8 @@
         AGM_LOGE("Cannot issue write in state:%d\n",
                             sess_obj->state);
         ret = -EINVAL;
-        pthread_mutex_unlock(&sess_obj->lock);
         goto done;
     }
-    pthread_mutex_unlock(&sess_obj->lock);
 
     buffer.timestamp = 0x0;
     buffer.flags = 0;
@@ -2403,6 +2400,7 @@
     }
 
 done:
+    pthread_mutex_unlock(&sess_obj->lock);
     return ret;
 }
 
@@ -2648,16 +2646,16 @@
         AGM_LOGE("Cannot issue write in state:%d\n",
                             sess_obj->state);
         ret = -EINVAL;
-        pthread_mutex_unlock(&sess_obj->lock);
         goto done;
     }
-    pthread_mutex_unlock(&sess_obj->lock);
+
     ret = graph_write(sess_obj->graph, buffer, consumed_size);
     if (ret) {
         AGM_LOGE("Error:%d writing to graph\n", ret);
     }
 
 done:
+    pthread_mutex_unlock(&sess_obj->lock);
     return ret;
 }
 
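Review bot: `graph_write` is now called with `sess_obj->lock` held, and nothing in the code records that this is intentional or what it requires of the callee. If `graph_write` can block waiting for buffer space, other operations on the same session that take this lock (stop or close, presumably) wait behind it. Any path from the graph layer back into a session function that locks `sess_obj->lock` would also self-deadlock. A comment above the call would make the contract explicit: `/* sess_obj->lock is held across graph_write so the graph cannot be torn down mid-write; graph_write must not re-enter session APIs that take this lock */`. The same applies to `graph_read` in the hunk at -2671 and to the buffer read and write paths in the hunks at -2358 and -2387, whose graph calls fall outside the visible lines.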
@@ -2671,10 +2669,8 @@
         AGM_LOGE("Cannot issue read in state:%d\n",
                            sess_obj->state);
         ret = -EINVAL;
-        pthread_mutex_unlock(&sess_obj->lock);
         goto done;
     }
-    pthread_mutex_unlock(&sess_obj->lock);
 
     size_t read_size;
     ret = graph_read(sess_obj->graph, buffer, &read_size);
@@ -2685,6 +2681,7 @@
     *captured_size = (uint32_t)read_size;
 
 done:
+    pthread_mutex_unlock(&sess_obj->lock);
     return ret;
 }