Re: [PATCH] ASoC: qcom: q6apm-dai: Allocate an extra page for PCM buffers

From: Dmitry Baryshkov

Date: Thu May 14 2026 - 05:22:48 EST

On Thu, May 14, 2026 at 09:06:07AM +0000, Srinivas Kandagatla wrote:
> Some Old DSP firmware versions use 32-bit address arithmetic and size for
> validating the PCM buffer address range. If a buffer is allocated near
> the top of the 32-bit address space, arithmetic calculations involving
> the end address can overflow and fail checks.

Should we limit the workaround to those platforms only?

>
> Work around this by increasing the preallocated PCM buffer size by one
> page. The DSP is still passed the usable buffer size, excluding the extra
> page, which prevents the firmware from seeing an end address that crosses
> the 32-bit boundary.
>
> This was not hit before because PCM buffer allocation and DSP-side
> mapping happened at different points, and the size mapped on the DSP was
> usually nperiods * period_size. Therefore the mapped size was unlikely to
> match the full preallocated buffer size exactly, although the issue was
> still possible. With early buffer mapping on the DSP, the full
> preallocated buffer is mapped during PCM creation, making the failure
> reproducible at boot.
>
> Fixes: 8ea6e25c8536 ("ASoC: qcom: q6apm: Add support for early buffer mapping on DSP")
> Cc: Stable@xxxxxxxxxxxxxxx
> Reported-by: Jens Glathe <jens.glathe@xxxxxxxxxxxxxxxxxxxxxx>
> Closes: https://lore.kernel.org/all/7f10abbd-fb78-4c3a-ab90-7ca78239891a@xxxxxxxxxxxxxxxxxxxxxx/
> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxxxxxxxx>
> ---
> sound/soc/qcom/qdsp6/q6apm-dai.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/sound/soc/qcom/qdsp6/q6apm-dai.c b/sound/soc/qcom/qdsp6/q6apm-dai.c
> index ede19fdea6e9..3a1be41df096 100644
> --- a/sound/soc/qcom/qdsp6/q6apm-dai.c
> +++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
> @@ -497,7 +497,12 @@ static int q6apm_dai_pcm_new(struct snd_soc_component *component, struct snd_soc
> {
> struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0);
> struct snd_pcm *pcm = rtd->pcm;
> - int size = BUFFER_BYTES_MAX;
> + /*
> + * Allocate one extra page as a workaround for a DSP bug where 32-bit
> + * address arithmetic can overflow when the buffer is placed near the
> + * end of the addressable range.
> + */
> + int size = BUFFER_BYTES_MAX + PAGE_SIZE;
> int graph_id, ret;
> struct snd_pcm_substream *substream;
>
> --
> 2.47.3
>

--
With best wishes
Dmitry