authorSaurav Kumar <sauravk@codeaurora.org>2020-09-10 16:06:16 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2020-11-28 09:02:21 -0800
commit9beffd7d5b93b86c5d666b21e5496aec8305439a (patch)
tree88a9632542d9b48fca9ffebe3fa839f40066d3ec
parentd97f85c2421fb18cef5eaf0741c29032474e8809 (diff)
downloadmsm-extra-9beffd7d5b93b86c5d666b21e5496aec8305439a.tar.gz
dsp: add change to handle use-after-free in cal_utils_is_cal_stale
Add change to address the race condition between pointer dereference and memory deallocation. Change-Id: Ia1ed47986ec81d3dc2feb3bc874847fadddac292 Signed-off-by: Saurav Kumar <sauravk@codeaurora.org>
-rw-r--r--asoc/msm-pcm-routing-v2.c4
-rw-r--r--dsp/audio_cal_utils.c38
-rw-r--r--dsp/audio_calibration.c3
-rw-r--r--dsp/q6adm.c11
-rw-r--r--dsp/q6afe.c14
-rw-r--r--dsp/q6asm.c6
-rw-r--r--include/dsp/audio_cal_utils.h6
7 files changed, 58 insertions, 24 deletions
diff --git a/asoc/msm-pcm-routing-v2.c b/asoc/msm-pcm-routing-v2.c
index 03603a2c..7d05543d 100644
--- a/asoc/msm-pcm-routing-v2.c
+++ b/asoc/msm-pcm-routing-v2.c
@@ -1177,7 +1177,7 @@ static struct cal_block_data *msm_routing_find_topology_by_path(int path,
cal_block = list_entry(ptr,
struct cal_block_data, list);
- if (cal_utils_is_cal_stale(cal_block))
+ if (cal_utils_is_cal_stale(cal_block, cal_data[cal_index]))
continue;
if (((struct audio_cal_info_adm_top *)cal_block
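Review bot: The per-entry stale check in this loop no longer tests the entry being iterated: as rewritten in dsp/audio_cal_utils.c by this same commit, cal_utils_is_cal_stale() overwrites its cal_block argument with `cal_utils_get_only_cal_block(cal_type)`, so every iteration is answered from whichever block that helper returns. A stale entry further down the list can therefore still be matched and handed back to the caller, which is the object this fix is meant to keep callers away from. The same applies to the list walks in msm_routing_find_topology, adm_find_cal_by_path, adm_find_cal_by_app_type, adm_find_cal, afe_find_cal_topo_id_by_port and afe_find_hw_delay_by_path. Either the helper should check the pointer it is given, after confirming under the lock that it is still linked, or these loops need their own per-entry check. The loop header and any locking around it are outside the hunk.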
@@ -1207,7 +1207,7 @@ static struct cal_block_data *msm_routing_find_topology(int path,
cal_block = list_entry(ptr,
struct cal_block_data, list);
- if (cal_utils_is_cal_stale(cal_block))
+ if (cal_utils_is_cal_stale(cal_block, cal_data[cal_index]))
continue;
cal_info = (struct audio_cal_info_adm_top *)
diff --git a/dsp/audio_cal_utils.c b/dsp/audio_cal_utils.c
index 8e0d7e03..cc66c2d4 100644
--- a/dsp/audio_cal_utils.c
+++ b/dsp/audio_cal_utils.c
@@ -10,6 +10,8 @@
#include <linux/mutex.h>
#include <dsp/audio_cal_utils.h>
+spinlock_t cal_lock;
+
static int unmap_memory(struct cal_type_data *cal_type,
struct cal_block_data *cal_block);
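Review bot: `spinlock_t cal_lock;` is a non-static global with a very generic name, and it is only valid once cal_utils_init() has run. `static DEFINE_SPINLOCK(cal_lock);` would initialise it at build time, keep the symbol file-local, and make cal_utils_init() and its call from audio_cal_init() unnecessary. It would also remove any window in which a caller could take the lock before it is initialised. The context lines show only `<linux/mutex.h>`; if `<linux/spinlock.h>` is not already included above the hunk, add it explicitly rather than relying on a transitive include.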
@@ -899,6 +901,7 @@ int cal_utils_dealloc_cal(size_t data_size, void *data,
int ret = 0;
struct cal_block_data *cal_block;
struct audio_cal_type_dealloc *dealloc_data = data;
+ unsigned long flags = 0;
pr_debug("%s\n", __func__);
@@ -946,7 +949,9 @@ int cal_utils_dealloc_cal(size_t data_size, void *data,
if (ret < 0)
goto err;
+ spin_lock_irqsave(&cal_lock, flags);
delete_cal_block(cal_block);
+ spin_unlock_irqrestore(&cal_lock, flags);
err:
mutex_unlock(&cal_type->lock);
done:
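Review bot: delete_cal_block() is now called with cal_lock held and interrupts disabled, so nothing on that path may sleep. Its body is not in this diff; if it releases mapped or shared memory or takes a mutex, this is a sleep-in-atomic bug, and only the unlink should happen under the spinlock, with the actual freeing after `spin_unlock_irqrestore()`. Any other path that frees cal blocks without taking cal_lock would leave the race open; none is visible here, so that needs checking against the full file. A one-line comment such as `/* cal_lock orders this free against cal_utils_is_cal_stale() */` would record why a spinlock is nested inside cal_type->lock.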
@@ -1061,18 +1066,43 @@ void cal_utils_mark_cal_used(struct cal_block_data *cal_block)
}
EXPORT_SYMBOL(cal_utils_mark_cal_used);
+int __init cal_utils_init(void)
+{
+ spin_lock_init(&cal_lock);
+ return 0;
+}
/**
* cal_utils_is_cal_stale
*
* @cal_block: pointer to cal block
*
+ * @cal_type: pointer to the cal type
+ *
* Returns true if cal block is stale, false otherwise
*/
-bool cal_utils_is_cal_stale(struct cal_block_data *cal_block)
+bool cal_utils_is_cal_stale(struct cal_block_data *cal_block, struct cal_type_data *cal_type)
{
- if ((cal_block) && (cal_block->cal_stale))
- return true;
+ bool ret = false;
+ unsigned long flags = 0;
+
+ if (!cal_type) {
+ pr_err("%s: cal_type is Null", __func__);
+ goto done;
+ }
+
+ spin_lock_irqsave(&cal_lock, flags);
+ cal_block = cal_utils_get_only_cal_block(cal_type);
+ if (!cal_block) {
+ pr_err("%s: cal_block is Null", __func__);
+ goto unlock;
+ }
- return false;
+ if (cal_block->cal_stale)
+ ret = true;
+
+unlock:
+ spin_unlock_irqrestore(&cal_lock, flags);
+done:
+ return ret;
}
EXPORT_SYMBOL(cal_utils_is_cal_stale);
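Review bot: cal_lock is dropped before the function returns, so the protection ends at `spin_unlock_irqrestore()`; callers then dereference their own cal_block pointer (for example `cal_block->cal_data.size` in send_asm_custom_topology), and that access is safe only if they hold cal_type->lock, which cal_utils_dealloc_cal() also takes. The kernel-doc should state that requirement, e.g. `* Context: caller must hold cal_type->lock across this call and any later use of the block.` The two `pr_err()` strings lack a trailing `\n`, and the "cal_block is Null" one is emitted with interrupts disabled on what may be an ordinary empty-list case; logging after the unlock at `pr_debug` level would be quieter. cal_utils_init() is also added with no comment and no blank line before the next kernel-doc block.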
diff --git a/dsp/audio_calibration.c b/dsp/audio_calibration.c
index a5167be3..854d8821 100644
--- a/dsp/audio_calibration.c
+++ b/dsp/audio_calibration.c
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
- * Copyright (c) 2014, 2016-2017, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014, 2016-2017, 2020, The Linux Foundation. All rights reserved.
*/
#include <linux/slab.h>
#include <linux/fs.h>
@@ -591,6 +591,7 @@ int __init audio_cal_init(void)
pr_debug("%s\n", __func__);
+ cal_utils_init();
memset(&audio_cal, 0, sizeof(audio_cal));
mutex_init(&audio_cal.common_lock);
for (; i < MAX_CAL_TYPES; i++) {
diff --git a/dsp/q6adm.c b/dsp/q6adm.c
index 51ca185b..ed1a50a1 100644
--- a/dsp/q6adm.c
+++ b/dsp/q6adm.c
@@ -2004,7 +2004,7 @@ static void send_adm_custom_topology(void)
this_adm.set_custom_topology = 0;
cal_block = cal_utils_get_only_cal_block(this_adm.cal_data[cal_index]);
- if (cal_block == NULL || cal_utils_is_cal_stale(cal_block))
+ if (cal_block == NULL || cal_utils_is_cal_stale(cal_block, this_adm.cal_data[cal_index]))
goto unlock;
pr_debug("%s: Sending cal_index %d\n", __func__, cal_index);
@@ -2144,7 +2144,7 @@ static struct cal_block_data *adm_find_cal_by_path(int cal_index, int path)
cal_block = list_entry(ptr,
struct cal_block_data, list);
- if (cal_utils_is_cal_stale(cal_block))
+ if (cal_utils_is_cal_stale(cal_block, this_adm.cal_data[cal_index]))
continue;
if (cal_index == ADM_AUDPROC_CAL ||
@@ -2183,7 +2183,7 @@ static struct cal_block_data *adm_find_cal_by_app_type(int cal_index, int path,
cal_block = list_entry(ptr,
struct cal_block_data, list);
- if (cal_utils_is_cal_stale(cal_block))
+ if (cal_utils_is_cal_stale(cal_block, this_adm.cal_data[cal_index]))
continue;
if (cal_index == ADM_AUDPROC_CAL ||
@@ -2225,7 +2225,7 @@ static struct cal_block_data *adm_find_cal(int cal_index, int path,
cal_block = list_entry(ptr,
struct cal_block_data, list);
- if (cal_utils_is_cal_stale(cal_block))
+ if (cal_utils_is_cal_stale(cal_block, this_adm.cal_data[cal_index]))
continue;
if (cal_index == ADM_AUDPROC_CAL ||
@@ -3963,7 +3963,8 @@ int send_rtac_audvol_cal(void)
cal_block = cal_utils_get_only_cal_block(
this_adm.cal_data[ADM_RTAC_AUDVOL_CAL]);
- if (cal_block == NULL || cal_utils_is_cal_stale(cal_block)) {
+ if (cal_block == NULL || cal_utils_is_cal_stale(cal_block,
+ this_adm.cal_data[ADM_RTAC_AUDVOL_CAL])) {
pr_err("%s: can't find cal block!\n", __func__);
goto unlock;
}
diff --git a/dsp/q6afe.c b/dsp/q6afe.c
index c9a5c95e..8cb25197 100644
--- a/dsp/q6afe.c
+++ b/dsp/q6afe.c
@@ -2108,7 +2108,7 @@ static void afe_send_custom_topology(void)
goto unlock;
this_afe.set_custom_topology = 0;
cal_block = cal_utils_get_only_cal_block(this_afe.cal_data[cal_index]);
- if (cal_block == NULL || cal_utils_is_cal_stale(cal_block)) {
+ if (cal_block == NULL || cal_utils_is_cal_stale(cal_block, this_afe.cal_data[cal_index])) {
pr_err("%s cal_block not found!!\n", __func__);
goto unlock;
}
@@ -2852,7 +2852,7 @@ static struct cal_block_data *afe_find_cal_topo_id_by_port(
cal_block = list_entry(ptr,
struct cal_block_data, list);
/* Skip cal_block if it is already marked stale */
- if (cal_utils_is_cal_stale(cal_block))
+ if (cal_utils_is_cal_stale(cal_block, cal_type))
continue;
pr_info("%s: port id: 0x%x, dev_acdb_id: %d\n", __func__,
port_id, this_afe.dev_acdb_id[afe_port_index]);
@@ -3290,8 +3290,8 @@ static int send_afe_cal_type(int cal_index, int port_id)
cal_block = cal_utils_get_only_cal_block(
this_afe.cal_data[cal_index]);
- if (cal_block == NULL || cal_utils_is_cal_stale(cal_block)) {
- pr_err("%s cal_block not found!!\n", __func__);
+ if (cal_block == NULL || cal_utils_is_cal_stale(cal_block, this_afe.cal_data[cal_index])) {
+ pr_err_ratelimited("%s cal_block not found!!\n", __func__);
ret = -EINVAL;
goto unlock;
}
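Review bot: The switch to `pr_err_ratelimited()` in send_afe_cal_type is unrelated to the locking change and is not mentioned in the commit message. The same "cal_block not found" message in afe_send_custom_topology, afe_sidetone_iir and afe_sidetone stays as `pr_err()`, so the logging is now inconsistent within the file. Either mention it in the description and apply it to the sibling sites, or split it into its own change.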
@@ -7727,7 +7727,7 @@ static int afe_sidetone_iir(u16 tx_port_id)
}
mutex_lock(&this_afe.cal_data[cal_index]->lock);
cal_block = cal_utils_get_only_cal_block(this_afe.cal_data[cal_index]);
- if (cal_block == NULL || cal_utils_is_cal_stale(cal_block)) {
+ if (cal_block == NULL || cal_utils_is_cal_stale(cal_block, this_afe.cal_data[cal_index])) {
pr_err("%s: cal_block not found\n ", __func__);
mutex_unlock(&this_afe.cal_data[cal_index]->lock);
ret = -EINVAL;
@@ -7854,7 +7854,7 @@ static int afe_sidetone(u16 tx_port_id, u16 rx_port_id, bool enable)
mutex_lock(&this_afe.cal_data[cal_index]->lock);
cal_block = cal_utils_get_only_cal_block(this_afe.cal_data[cal_index]);
- if (cal_block == NULL || cal_utils_is_cal_stale(cal_block)) {
+ if (cal_block == NULL || cal_utils_is_cal_stale(cal_block, this_afe.cal_data[cal_index])) {
pr_err("%s: cal_block not found\n", __func__);
mutex_unlock(&this_afe.cal_data[cal_index]->lock);
ret = -EINVAL;
@@ -9758,7 +9758,7 @@ static struct cal_block_data *afe_find_hw_delay_by_path(
cal_block = list_entry(ptr,
struct cal_block_data, list);
- if (cal_utils_is_cal_stale(cal_block))
+ if (cal_utils_is_cal_stale(cal_block, cal_type))
continue;
if (((struct audio_cal_info_hw_delay *)cal_block->cal_info)
diff --git a/dsp/q6asm.c b/dsp/q6asm.c
index 235cdbd4..2a078ead 100644
--- a/dsp/q6asm.c
+++ b/dsp/q6asm.c
@@ -808,7 +808,7 @@ int send_asm_custom_topology(struct audio_client *ac)
set_custom_topology = 0;
cal_block = cal_utils_get_only_cal_block(cal_data[ASM_CUSTOM_TOP_CAL]);
- if (cal_block == NULL || cal_utils_is_cal_stale(cal_block))
+ if (cal_block == NULL || cal_utils_is_cal_stale(cal_block, cal_data[ASM_CUSTOM_TOP_CAL]))
goto unlock;
if (cal_block->cal_data.size == 0) {
@@ -11092,7 +11092,7 @@ static int q6asm_get_asm_topology_apptype(struct q6asm_cal_info *cal_info)
mutex_lock(&cal_data[ASM_TOPOLOGY_CAL]->lock);
cal_block = cal_utils_get_only_cal_block(cal_data[ASM_TOPOLOGY_CAL]);
- if (cal_block == NULL || cal_utils_is_cal_stale(cal_block))
+ if (cal_block == NULL || cal_utils_is_cal_stale(cal_block, cal_data[ASM_CUSTOM_TOP_CAL]))
goto unlock;
cal_info->topology_id = ((struct audio_cal_info_asm_top *)
cal_block->cal_info)->topology;
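Review bot: The second argument names the wrong calibration type: this function locks `cal_data[ASM_TOPOLOGY_CAL]` and fetches the block from it, but passes `cal_data[ASM_CUSTOM_TOP_CAL]` to the stale check. Because the reworked cal_utils_is_cal_stale() looks the block up from the cal_type it is given, the result describes the custom-topology entry (or is false with an error log when no block is found there), not the block whose `topology` is read on the following lines. It should read `cal_utils_is_cal_stale(cal_block, cal_data[ASM_TOPOLOGY_CAL])`. The argument looks copied from send_asm_custom_topology; the rest of this function is outside the hunk.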
@@ -11152,7 +11152,7 @@ int q6asm_send_cal(struct audio_client *ac)
goto unlock;
}
- if (cal_utils_is_cal_stale(cal_block)) {
+ if (cal_utils_is_cal_stale(cal_block, cal_data[ASM_AUDSTRM_CAL])) {
rc = 0; /* not error case */
pr_debug("%s: cal_block is stale\n",
__func__);
diff --git a/include/dsp/audio_cal_utils.h b/include/dsp/audio_cal_utils.h
index 06078150..0507486c 100644
--- a/include/dsp/audio_cal_utils.h
+++ b/include/dsp/audio_cal_utils.h
@@ -1,6 +1,6 @@
/* SPDX-License-Identifier: GPL-2.0-only */
/*
- * Copyright (c) 2014, 2018, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014, 2018, 2020, The Linux Foundation. All rights reserved.
*/
#ifndef _AUDIO_CAL_UTILS_H
#define _AUDIO_CAL_UTILS_H
@@ -94,5 +94,7 @@ int32_t cal_utils_get_cal_type_version(void *cal_type_data);
void cal_utils_mark_cal_used(struct cal_block_data *cal_block);
-bool cal_utils_is_cal_stale(struct cal_block_data *cal_block);
+bool cal_utils_is_cal_stale(struct cal_block_data *cal_block, struct cal_type_data *cal_type);
+
+int cal_utils_init(void);
#endif