Some Old DSP firmware versions use 32-bit address arithmetic and size for
validating the PCM buffer address range. If a buffer is allocated near
the top of the 32-bit address space, arithmetic calculations involving
the end address can overflow and fail checks.

Work around this by increasing the preallocated PCM buffer size by one
page. The DSP is still passed the usable buffer size, excluding the extra
page, which prevents the firmware from seeing an end address that crosses
the 32-bit boundary.

This was not hit before because PCM buffer allocation and DSP-side
mapping happened at different points, and the size mapped on the DSP was
usually nperiods * period_size. Therefore the mapped size was unlikely to
match the full preallocated buffer size exactly, although the issue was
still possible. With early buffer mapping on the DSP, the full
preallocated buffer is mapped during PCM creation, making the failure
reproducible at boot.

Fixes: 8ea6e25c8536 ("ASoC: qcom: q6apm: Add support for early buffer mapping on DSP")
Cc: Stable@vger.kernel.org
Reported-by: Jens Glathe <jens.glathe@oldschoolsolutions.biz>
Closes: https://lore.kernel.org/all/7f10abbd-fb78-4c3a-ab90-7ca78239891a@oldschoolsolutions.biz/
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
---
 sound/soc/qcom/qdsp6/q6apm-dai.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/sound/soc/qcom/qdsp6/q6apm-dai.c b/sound/soc/qcom/qdsp6/q6apm-dai.c
index ede19fdea6e9..3a1be41df096 100644
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -497,7 +497,12 @@ static int q6apm_dai_pcm_new(struct snd_soc_component *component, struct snd_soc
 {
 	struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0);
 	struct snd_pcm *pcm = rtd->pcm;
-	int size = BUFFER_BYTES_MAX;
+	/*
+	 * Allocate one extra page as a workaround for a DSP bug where 32-bit
+	 * address arithmetic can overflow when the buffer is placed near the
+	 * end of the addressable range.
+	 */
+	int size = BUFFER_BYTES_MAX + PAGE_SIZE;
 	int graph_id, ret;
 	struct snd_pcm_substream *substream;
 
-- 
2.47.3

On Thu, 14 May 2026 09:06:07 +0000, Srinivas Kandagatla wrote:
> ASoC: qcom: q6apm-dai: Allocate an extra page for PCM buffers

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-7.1

Thanks!

[1/1] ASoC: qcom: q6apm-dai: Allocate an extra page for PCM buffers
      https://git.kernel.org/broonie/sound/c/7e68ba282165

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

n 5/14/26 11:06, Srinivas Kandagatla wrote:
> Fixes: 8ea6e25c8536 ("ASoC: qcom: q6apm: Add support for early buffer mapping on DSP")

Hi Srini, thank you for the patch. I booted with this patch on one of 
the sc8280xp boxes, and on x1. Working well.

Tested-by: Jens Glathe <jens.glathe@oldschoolsolutions.biz>

with best regards

Jens Glathe

On Thu, May 14, 2026 at 09:06:07AM +0000, Srinivas Kandagatla wrote:
> Some Old DSP firmware versions use 32-bit address arithmetic and size for
> validating the PCM buffer address range. If a buffer is allocated near
> the top of the 32-bit address space, arithmetic calculations involving
> the end address can overflow and fail checks.

Should we limit the workaround to those platforms only?

> 
> Work around this by increasing the preallocated PCM buffer size by one
> page. The DSP is still passed the usable buffer size, excluding the extra
> page, which prevents the firmware from seeing an end address that crosses
> the 32-bit boundary.
> 
> This was not hit before because PCM buffer allocation and DSP-side
> mapping happened at different points, and the size mapped on the DSP was
> usually nperiods * period_size. Therefore the mapped size was unlikely to
> match the full preallocated buffer size exactly, although the issue was
> still possible. With early buffer mapping on the DSP, the full
> preallocated buffer is mapped during PCM creation, making the failure
> reproducible at boot.
> 
> Fixes: 8ea6e25c8536 ("ASoC: qcom: q6apm: Add support for early buffer mapping on DSP")
> Cc: Stable@vger.kernel.org
> Reported-by: Jens Glathe <jens.glathe@oldschoolsolutions.biz>
> Closes: https://lore.kernel.org/all/7f10abbd-fb78-4c3a-ab90-7ca78239891a@oldschoolsolutions.biz/
> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
> ---
>  sound/soc/qcom/qdsp6/q6apm-dai.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/sound/soc/qcom/qdsp6/q6apm-dai.c b/sound/soc/qcom/qdsp6/q6apm-dai.c
> index ede19fdea6e9..3a1be41df096 100644
> --- a/sound/soc/qcom/qdsp6/q6apm-dai.c
> +++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
> @@ -497,7 +497,12 @@ static int q6apm_dai_pcm_new(struct snd_soc_component *component, struct snd_soc
>  {
>  	struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0);
>  	struct snd_pcm *pcm = rtd->pcm;
> -	int size = BUFFER_BYTES_MAX;
> +	/*
> +	 * Allocate one extra page as a workaround for a DSP bug where 32-bit
> +	 * address arithmetic can overflow when the buffer is placed near the
> +	 * end of the addressable range.
> +	 */
> +	int size = BUFFER_BYTES_MAX + PAGE_SIZE;
>  	int graph_id, ret;
>  	struct snd_pcm_substream *substream;
>  
> -- 
> 2.47.3
> 

-- 
With best wishes
Dmitry

On 5/14/26 9:22 AM, Dmitry Baryshkov wrote:
> On Thu, May 14, 2026 at 09:06:07AM +0000, Srinivas Kandagatla wrote:
>> Some Old DSP firmware versions use 32-bit address arithmetic and size for
>> validating the PCM buffer address range. If a buffer is allocated near
>> the top of the 32-bit address space, arithmetic calculations involving
>> the end address can overflow and fail checks.
> 
> Should we limit the workaround to those platforms only?
I would love to do that, but I have no idea which platforms or firmware
versions have this bug.


--srini
> 
>>
>> Work around this by increasing the preallocated PCM buffer size by one
>> page. The DSP is still passed the usable buffer size, excluding the extra
>> page, which prevents the firmware from seeing an end address that crosses
>> the 32-bit boundary.
>>
>> This was not hit before because PCM buffer allocation and DSP-side
>> mapping happened at different points, and the size mapped on the DSP was
>> usually nperiods * period_size. Therefore the mapped size was unlikely to
>> match the full preallocated buffer size exactly, although the issue was
>> still possible. With early buffer mapping on the DSP, the full
>> preallocated buffer is mapped during PCM creation, making the failure
>> reproducible at boot.
>>
>> Fixes: 8ea6e25c8536 ("ASoC: qcom: q6apm: Add support for early buffer mapping on DSP")
>> Cc: Stable@vger.kernel.org
>> Reported-by: Jens Glathe <jens.glathe@oldschoolsolutions.biz>
>> Closes: https://lore.kernel.org/all/7f10abbd-fb78-4c3a-ab90-7ca78239891a@oldschoolsolutions.biz/
>> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
>> ---
>>  sound/soc/qcom/qdsp6/q6apm-dai.c | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/sound/soc/qcom/qdsp6/q6apm-dai.c b/sound/soc/qcom/qdsp6/q6apm-dai.c
>> index ede19fdea6e9..3a1be41df096 100644
>> --- a/sound/soc/qcom/qdsp6/q6apm-dai.c
>> +++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
>> @@ -497,7 +497,12 @@ static int q6apm_dai_pcm_new(struct snd_soc_component *component, struct snd_soc
>>  {
>>  	struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0);
>>  	struct snd_pcm *pcm = rtd->pcm;
>> -	int size = BUFFER_BYTES_MAX;
>> +	/*
>> +	 * Allocate one extra page as a workaround for a DSP bug where 32-bit
>> +	 * address arithmetic can overflow when the buffer is placed near the
>> +	 * end of the addressable range.
>> +	 */
>> +	int size = BUFFER_BYTES_MAX + PAGE_SIZE;
>>  	int graph_id, ret;
>>  	struct snd_pcm_substream *substream;
>>  
>> -- 
>> 2.47.3
>>
>