When a call is received, if the ringtone is played through the speaker,
the audio HAL will freeze and restart when the call is answered,
leading to a few seconds of silence at the beginning of the call. This
happens because of a NULL pointer dereference, which is in turn caused
by a UAF in the check_usecases_codec_backend() function, in the audio
HAL.
The UAF occurs because the amplifier HAL appends its usecase at the
wrong end of the usecases list - tail instead of head. When the second
list_for_each() loop in the aforementioned function iterates through
the list, it first finds the regular low-latency-playback usecase,
and calls disable_snd_device() for the speaker output device. This
causes the amplifier HAL to execute aw882xx_stop_feedback(), which
frees its usecase in the list, but the internal pointer of the
list_for_each() macro already points to it, thus the following
iteration effectively operates on a free'd object.
To fix this issue, have the amplifier HAL append its usecase to the
head of the list: this way, it will be iterated on before the
low-latency-playback usecase, i.e. before it gets free'd.
Change-Id: Ia8dcb11b3ed320836a6602798ff5c390e7afa9d2
c00c013f19