From patchwork Thu Feb  4 12:16:18 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mark Brown <broonie@kernel.org>
X-Patchwork-Id: 8220621
Return-Path: <alsa-devel-bounces@alsa-project.org>
X-Original-To: patchwork-alsa-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id AA01A9F1C1
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Thu,  4 Feb 2016 12:21:01 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id C8A0C2038F
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Thu,  4 Feb 2016 12:21:00 +0000 (UTC)
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.kernel.org (Postfix) with ESMTP id 8F18A20375
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Thu,  4 Feb 2016 12:20:59 +0000 (UTC)
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 8D16B2666F8; Thu,  4 Feb 2016 13:20:58 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
Received: from alsa0.perex.cz (localhost [127.0.0.1])
	by alsa0.perex.cz (Postfix) with ESMTP id A226D265E22;
	Thu,  4 Feb 2016 13:16:37 +0100 (CET)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 80A6F265E19; Thu,  4 Feb 2016 13:16:35 +0100 (CET)
Received: from mezzanine.sirena.org.uk (mezzanine.sirena.org.uk
	[106.187.55.193])
	by alsa0.perex.cz (Postfix) with ESMTP id 52FFE261583
	for <alsa-devel@alsa-project.org>;
	Thu,  4 Feb 2016 13:16:24 +0100 (CET)
Received: from debutante.sirena.org.uk ([2a01:348:6:8808:fab::3]
	helo=debutante) by mezzanine.sirena.org.uk with esmtpsa
	(TLS1.2:RSA_AES_128_CBC_SHA1:128)
	(Exim 4.80) (envelope-from <broonie@sirena.org.uk>)
	id 1aRIph-0000mj-FP; Thu, 04 Feb 2016 12:16:22 +0000
Received: from broonie by debutante with local (Exim 4.86)
	(envelope-from <broonie@sirena.org.uk>)
	id 1aRIpe-0001Gz-39; Thu, 04 Feb 2016 12:16:18 +0000
From: Mark Brown <broonie@kernel.org>
To: Vinod Koul <vinod.koul@intel.com>, Mark Brown <broonie@kernel.org>
In-Reply-To: <1454502594-21700-2-git-send-email-vinod.koul@intel.com>
Message-Id: <E1aRIpe-0001Gz-39@debutante>
Date: Thu, 04 Feb 2016 12:16:18 +0000
X-SA-Exim-Connect-IP: 2a01:348:6:8808:fab::3
X-SA-Exim-Mail-From: broonie@sirena.org.uk
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on mezzanine.sirena.org.uk)
Cc: alsa-devel@alsa-project.org
Subject: [alsa-devel] Applied "ASoC: Intel: Skylake: Fix the memory
	overwrite of tlv buffer" to the asoc tree
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

The patch

   ASoC: Intel: Skylake: Fix the memory overwrite of tlv buffer

has been applied to the asoc tree at

   git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git 

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

From 41556f68d1dd0b6bbf311a220523b034d2a040e7 Mon Sep 17 00:00:00 2001
From: Vinod Koul <vinod.koul@intel.com>
Date: Wed, 3 Feb 2016 17:59:44 +0530
Subject: [PATCH] ASoC: Intel: Skylake: Fix the memory overwrite of tlv buffer

TLV buffer can be smaller than the module data, so update the
size of data to be copied before doing the copy.

Also TLV header consists of two unsigned ints, this is also taken
into account here and size modified to reflect this

Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
 sound/soc/intel/skylake/skl-topology.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sound/soc/intel/skylake/skl-topology.c b/sound/soc/intel/skylake/skl-topology.c
index c7816d52ad08..c67e3acb8102 100644
--- a/sound/soc/intel/skylake/skl-topology.c
+++ b/sound/soc/intel/skylake/skl-topology.c
@@ -916,6 +916,13 @@ static int skl_tplg_tlv_control_get(struct snd_kcontrol *kcontrol,
 		skl_get_module_params(skl->skl_sst, (u32 *)bc->params,
 				      bc->max, bc->param_id, mconfig);
 
+	/* decrement size for TLV header */
+	size -= 2 * sizeof(u32);
+
+	/* check size as we don't want to send kernel data */
+	if (size > bc->max)
+		size = bc->max;
+
 	if (bc->params) {
 		if (copy_to_user(data, &bc->param_id, sizeof(u32)))
 			return -EFAULT;