DivestOS/Patches/Linux_CVEs/CVE-2017-0454/3.10/0001.patch

120 lines
3.9 KiB
Diff
Raw Normal View History

2017-11-07 17:32:46 -05:00
From 01f3ad23574c85a060e6add7a20173621b5b2c77 Mon Sep 17 00:00:00 2001
From: kunleiz <kunleiz@codeaurora.org>
Date: Thu, 22 Dec 2016 18:03:37 +0800
Subject: ASoC: msm: qdspv2: add mutex lock when access output buffer length
Add mutex protection to avoid access output_len in parallel.
CRs-Fixed: 1104067
Change-Id: I4e17258e2abee9cd68152f4b79520b00003aa80d
Signed-off-by: kunleiz <kunleiz@codeaurora.org>
---
drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
2017-11-07 17:32:46 -05:00
index d4fddf3..7a8e6f8 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
@@ -1,5 +1,5 @@
/*
2017-11-07 17:32:46 -05:00
- * Copyright (c) 2014, 2016, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014, 2016-2017, The Linux Foundation. All rights reserved.
*
* This software is licensed under the terms of the GNU General Public
* License version 2, as published by the Free Software Foundation, and
@@ -29,6 +29,8 @@ struct q6audio_effects {
struct audio_client *ac;
struct msm_hwacc_effects_config config;
+ struct mutex lock;
+
atomic_t in_count;
atomic_t out_count;
2017-11-07 17:32:46 -05:00
@@ -231,8 +233,11 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
uint32_t idx = 0;
uint32_t size = 0;
+ mutex_lock(&effects->lock);
+
if (!effects->started) {
rc = -EFAULT;
+ mutex_unlock(&effects->lock);
goto ioctl_fail;
}
2017-11-07 17:32:46 -05:00
@@ -242,11 +247,13 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
if (!rc) {
pr_err("%s: write wait_event_timeout\n", __func__);
rc = -EFAULT;
+ mutex_unlock(&effects->lock);
goto ioctl_fail;
}
if (!atomic_read(&effects->out_count)) {
pr_err("%s: pcm stopped out_count 0\n", __func__);
rc = -EFAULT;
+ mutex_unlock(&effects->lock);
goto ioctl_fail;
}
2017-11-07 17:32:46 -05:00
@@ -256,6 +263,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
copy_from_user(bufptr, (void *)arg,
effects->config.buf_cfg.output_len)) {
rc = -EFAULT;
+ mutex_unlock(&effects->lock);
goto ioctl_fail;
}
rc = q6asm_write(effects->ac,
2017-11-07 17:32:46 -05:00
@@ -263,6 +271,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
0, 0, NO_TIMESTAMP);
if (rc < 0) {
rc = -EFAULT;
+ mutex_unlock(&effects->lock);
goto ioctl_fail;
}
atomic_dec(&effects->out_count);
2017-11-07 17:32:46 -05:00
@@ -270,6 +279,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
pr_err("%s: AUDIO_EFFECTS_WRITE: Buffer dropped\n",
__func__);
}
+ mutex_unlock(&effects->lock);
break;
}
case AUDIO_EFFECTS_READ: {
2017-11-07 17:32:46 -05:00
@@ -458,6 +468,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd,
break;
}
case AUDIO_EFFECTS_SET_BUF_LEN: {
+ mutex_lock(&effects->lock);
if (copy_from_user(&effects->config.buf_cfg, (void *)arg,
sizeof(effects->config.buf_cfg))) {
pr_err("%s: copy from user for AUDIO_EFFECTS_SET_BUF_LEN failed\n",
2017-11-07 17:32:46 -05:00
@@ -467,6 +478,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd,
pr_debug("%s: write buf len: %d, read buf len: %d\n",
__func__, effects->config.buf_cfg.output_len,
effects->config.buf_cfg.input_len);
+ mutex_unlock(&effects->lock);
break;
}
case AUDIO_EFFECTS_GET_BUF_AVAIL: {
2017-11-07 17:32:46 -05:00
@@ -711,6 +723,7 @@ static int audio_effects_release(struct inode *inode, struct file *file)
}
q6asm_audio_client_free(effects->ac);
+ mutex_destroy(&effects->lock);
kfree(effects);
pr_debug("%s: close session success\n", __func__);
2017-11-07 17:32:46 -05:00
@@ -741,6 +754,7 @@ static int audio_effects_open(struct inode *inode, struct file *file)
init_waitqueue_head(&effects->read_wait);
init_waitqueue_head(&effects->write_wait);
+ mutex_init(&effects->lock);
effects->opened = 0;
effects->started = 0;
--
cgit v1.1