ASoC: wcd9xxx: Add check for NULL pointer and buffer overflow
Current code has possible scenarios where NULL pointer
could be dereferenced or an out-of-bound index of array
could be accessed. The change checks the pointer for NULL
before they are dereferenced and checks for buffer overflows
to ensure out of bound indexes of arrays are not
accessed.
CRs-Fixed: 628865 628869 628873 628874 628875
Change-Id: I3002d1831eb852445619dabeb0f26285ab420953
Signed-off-by: Aravind Kumar <akumark@codeaurora.org>
diff --git a/drivers/mfd/wcd9xxx-core.c b/drivers/mfd/wcd9xxx-core.c
index 5eb359e..156ce24 100644
--- a/drivers/mfd/wcd9xxx-core.c
+++ b/drivers/mfd/wcd9xxx-core.c
@@ -1719,7 +1719,6 @@
{
struct wcd9xxx *wcd9xxx = slim_get_devicedata(sldev);
- dev_info(wcd9xxx->dev, "%s: device down\n", __func__);
if (!wcd9xxx) {
pr_err("%s: wcd9xxx is NULL\n", __func__);
return -EINVAL;
diff --git a/drivers/mfd/wcd9xxx-irq.c b/drivers/mfd/wcd9xxx-irq.c
index 7644984..d9cf60a 100644
--- a/drivers/mfd/wcd9xxx-irq.c
+++ b/drivers/mfd/wcd9xxx-irq.c
@@ -615,6 +615,10 @@
static int virq_to_phyirq(struct wcd9xxx_core_resource *wcd9xxx_res, int virq)
{
struct irq_data *irq_data = irq_get_irq_data(virq);
+ if (unlikely(!irq_data)) {
+ pr_err("%s: irq_data is NULL", __func__);
+ return -EINVAL;
+ }
return irq_data->hwirq;
}
@@ -664,6 +668,10 @@
} else {
dev_dbg(&pdev->dev, "%s: virq = %d\n", __func__, irq);
domain = irq_find_host(pdev->dev.of_node);
+ if (unlikely(!domain)) {
+ pr_err("%s: domain is NULL", __func__);
+ return -EINVAL;
+ }
data = (struct wcd9xxx_irq_drv_data *)domain->host_data;
data->irq = irq;
wmb();
@@ -679,6 +687,10 @@
struct wcd9xxx_irq_drv_data *data;
domain = irq_find_host(pdev->dev.of_node);
+ if (unlikely(!domain)) {
+ pr_err("%s: domain is NULL", __func__);
+ return -EINVAL;
+ }
data = (struct wcd9xxx_irq_drv_data *)domain->host_data;
data->irq = 0;
wmb();
diff --git a/sound/soc/codecs/wcd9306.c b/sound/soc/codecs/wcd9306.c
index 95f2041..b471d57 100644
--- a/sound/soc/codecs/wcd9306.c
+++ b/sound/soc/codecs/wcd9306.c
@@ -1507,6 +1507,7 @@
u16 tx_mux_ctl_reg;
u8 adc_dmic_sel = 0x0;
int ret = 0;
+ char *srch = NULL;
if (ucontrol->value.enumerated.item[0] > e->max - 1)
return -EINVAL;
@@ -1525,8 +1526,12 @@
ret = -EINVAL;
goto out;
}
-
- ret = kstrtouint(strpbrk(dec_name, "1234"), 10, &decimator);
+ srch = strpbrk(dec_name, "1234");
+ if (srch == NULL) {
+ pr_err("%s: Invalid decimator name %s\n", __func__, dec_name);
+ return -EINVAL;
+ }
+ ret = kstrtouint(srch, 10, &decimator);
if (ret < 0) {
pr_err("%s: Invalid decimator = %s\n", __func__, dec_name);
ret = -EINVAL;
@@ -2017,8 +2022,15 @@
s32 *dmic_clk_cnt;
unsigned int dmic;
int ret;
+ char *srch = NULL;
- ret = kstrtouint(strpbrk(w->name, "1234"), 10, &dmic);
+ srch = strpbrk(w->name, "1234");
+ if (srch == NULL) {
+ pr_err("%s: Invalid widget name %s\n", __func__, w->name);
+ return -EINVAL;
+ }
+
+ ret = kstrtouint(srch, 10, &dmic);
if (ret < 0) {
pr_err("%s: Invalid DMIC line on the codec\n", __func__);
return -EINVAL;
@@ -2350,6 +2362,7 @@
u16 dec_reset_reg, tx_vol_ctl_reg, tx_mux_ctl_reg;
u8 dec_hpf_cut_of_freq;
int offset;
+ char *srch = NULL;
dev_dbg(codec->dev, "%s %d\n", __func__, event);
@@ -2365,8 +2378,12 @@
ret = -EINVAL;
goto out;
}
-
- ret = kstrtouint(strpbrk(dec_name, "123456789"), 10, &decimator);
+ srch = strpbrk(dec_name, "123456789");
+ if (srch == NULL) {
+ pr_err("%s: Invalid decimator name %s\n", __func__, dec_name);
+ return -EINVAL;
+ }
+ ret = kstrtouint(srch, 10, &decimator);
if (ret < 0) {
pr_err("%s: Invalid decimator = %s\n", __func__, dec_name);
ret = -EINVAL;
@@ -3310,7 +3327,7 @@
dev_dbg(dai->codec->dev, "%s(): substream = %s stream = %d\n",
__func__, substream->name, substream->stream);
- if (dai->id <= NUM_CODEC_DAIS) {
+ if (dai->id < NUM_CODEC_DAIS) {
if (tapan->dai[dai->id].ch_mask) {
active = 1;
dev_dbg(dai->codec->dev, "%s(): Codec DAI: chmask[%d] = 0x%lx\n",
@@ -3429,7 +3446,7 @@
{
struct tapan_priv *tapan = snd_soc_codec_get_drvdata(dai->codec);
struct wcd9xxx *core = dev_get_drvdata(dai->codec->dev->parent);
- if (!tx_slot && !rx_slot) {
+ if (!tx_slot || !rx_slot) {
pr_err("%s: Invalid\n", __func__);
return -EINVAL;
}
@@ -4826,9 +4843,9 @@
struct snd_soc_codec *codec = tapan->codec;
struct wcd9xxx_pdata *pdata = tapan->resmgr.pdata;
int k1, k2, k3, rc = 0;
- u8 txfe_bypass = pdata->amic_settings.txfe_enable;
- u8 txfe_buff = pdata->amic_settings.txfe_buff;
- u8 flag = pdata->amic_settings.use_pdata;
+ u8 txfe_bypass;
+ u8 txfe_buff;
+ u8 flag;
u8 i = 0, j = 0;
u8 val_txfe = 0, value = 0;
u8 dmic_sample_rate_value = 0;
@@ -4840,6 +4857,9 @@
rc = -ENODEV;
goto done;
}
+ txfe_bypass = pdata->amic_settings.txfe_enable;
+ txfe_buff = pdata->amic_settings.txfe_buff;
+ flag = pdata->amic_settings.use_pdata;
/* Make sure settings are correct */
if ((pdata->micbias.ldoh_v > WCD9XXX_LDOH_3P0_V) ||
diff --git a/sound/soc/codecs/wcd9xxx-common.c b/sound/soc/codecs/wcd9xxx-common.c
index b104a6b..852b14a 100644
--- a/sound/soc/codecs/wcd9xxx-common.c
+++ b/sound/soc/codecs/wcd9xxx-common.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -552,7 +552,13 @@
__func__);
goto ret;
}
- for (i = 0; i < ARRAY_SIZE(imped_index); i++) {
+ if (imped >= imped_index[ARRAY_SIZE(imped_index) - 1].imped_val) {
+ pr_debug("%s, detected impedance is greater than 32164 Ohm\n",
+ __func__);
+ i = ARRAY_SIZE(imped_index) - 1;
+ goto ret;
+ }
+ for (i = 0; i < ARRAY_SIZE(imped_index) - 1; i++) {
if (imped >= imped_index[i].imped_val &&
imped < imped_index[i + 1].imped_val)
break;
@@ -569,7 +575,7 @@
int i = 0;
int index = 0;
index = get_impedance_index(imped);
- if (index > ARRAY_SIZE(imped_index)) {
+ if (index >= ARRAY_SIZE(imped_index)) {
pr_err("%s, invalid imped = %d\n", __func__, imped);
return;
}
diff --git a/sound/soc/codecs/wcd9xxx-mbhc.c b/sound/soc/codecs/wcd9xxx-mbhc.c
index 4426e4a..0abd123 100644
--- a/sound/soc/codecs/wcd9xxx-mbhc.c
+++ b/sound/soc/codecs/wcd9xxx-mbhc.c
@@ -1608,7 +1608,7 @@
continue;
}
- if ((i > 0) && (d->_type != dprev->_type)) {
+ if ((i > 0) && (dprev != NULL) && (d->_type != dprev->_type)) {
pr_debug("%s: Invalid, inconsistent types\n", __func__);
type = PLUG_TYPE_INVALID;
goto exit;