feat: PRX background MP3 audio, CPU clock control, and FTP server

[AndrewAltimit]

Summary

• Background MP3 playback in the PSP kernel plugin (PRX) -- plays MP3 files from ms0:/MUSIC/ while games are running, using sceAudiocodec for hardware decoding and the SRC audio channel to avoid conflicting with game audio
• Game-safe codec initialization -- waits for games to load AVCODEC modules during their own init (retry loop up to 60s) instead of loading modules ourselves, preventing crashes
• Streaming buffer refill -- 4KB chunk reads per frame instead of batch 60KB reads, eliminating audio hiccups
• CPU clock control -- hooks for adjusting PSP clock speeds from the overlay
• FTP file server -- wireless file transfer support
• rust-psp SDK update -- pulls in merged PR test: comprehensive testing gap analysis (9 phases) #7 with SrcChannel, AudiocodecDecoder, find_sync, skip_id3v2 abstractions contributed back from this work

Key technical details

The codec buffer layout was reverse-engineered from Sony's mp3play.prx:

• Field [10] must duplicate field [7] (source length) -- this was the critical fix for decode failures
• sceAudiocodecGetEDRAM is required (user RAM rejected with 0x807F0001)
• SRC channel is a global singleton separate from the 8 PCM channels, ideal for plugin audio

Test plan

• PRX builds successfully (RUST_PSP_BUILD_STD=1 cargo +nightly psp --release)
• Tested on real PSP hardware -- audio plays without game crashes
• Verified smooth playback with streaming buffer refill (no hiccups)
• Confirmed game audio coexists with background music via SRC channel

Generated with Claude Code

[github-actions]

Gemini AI Code Review

Issues

• [BUG] crates/oasis-core/src/transfer/mod.rs:247 - Buffer overflow risk in fill_stream_data

  • The dst_ptr and to_write values returned by get_info are used directly in sceIoRead. If the MP3 backend provides a to_write value exceeding the actual size of the pre-allocated S_MP3_BUF (64KB), it will cause a memory corruption.
  • Add a bounds check: let read_limit = to_write.min(MP3_BUF_SIZE as i32); and use read_limit in sceIoRead.

• [WARNING] crates/oasis-core/src/transfer/mod.rs:218 - Potential infinite loop in poll

  • The while let Some(pos) = conn.read_buf.iter().position(|&b| b == b'\n') loop drains the buffer. If process_ftp_request or other logic fails to clear enough data or if the buffer logic is manipulated by a malicious client, it could stall the main thread.
  • Implement a maximum command processing limit per poll cycle to ensure the main loop remains responsive.

• [WARNING] crates/oasis-plugin-psp/src/audio.rs:1044 - Insecure use of transmute for syscall stubs

  • Transmuting a raw u32 address (from stub_addr) to a function pointer is brittle. While common in PSP homebrew, it bypasses all safety checks and assumes the stub layout is exactly as expected.
  • Add explicit verification that the memory at stub_addr is executable and matches the jr $ra; syscall pattern before transmuting.

Previous Issues

(none)

Suggestions

• crates/oasis-core/src/transfer/mod.rs:188 - Connection leak on accept error

  • If backend.accept() returns an error, it is logged but not handled. While not a leak yet, it could indicate underlying socket exhaustion.
  • Consider a back-off strategy or closing the listener if errors persist.

• crates/oasis-plugin-psp/src/audio.rs:1425 - Magic numbers in CLOCK_PRESETS

  • The clock frequencies are hardcoded.
  • Move these to a named constant or configuration struct for better maintainability.

Notes

• The PRX audio implementation is impressively thorough in its NID resolution strategies, covering kernel functions, user-mode exports, and stub extraction.
• The use of the SRC (Sample Rate Conversion) channel is a correct architectural choice for a PSP plugin to avoid interfering with game audio.
• The transition of the FTP server from a VFS-based IPC to a direct poll-based implementation in the app layer improves responsiveness and reduces VFS overhead.

---

Generated by Gemini AI (gemini-3-flash-preview). Supplementary to human reviews.

[AndrewAltimit]

Review Response Agent (Iteration 1)

Status: Changes committed and pushed

Commit: d763edb

Fixed Issues

• [WARNING] FTP poll loop command limit (crates/oasis-core/src/transfer/mod.rs:237): Added MAX_CMDS_PER_POLL = 16 cap to the while let loop that processes FTP commands. Previously, a client sending many newline-separated commands in a single TCP segment could cause the main loop to stall while processing them all. Now capped at 16 commands per connection per poll cycle; remaining buffered commands are processed on subsequent frames.

Ignored Issues

• [BUG] fill_stream_data buffer overflow (audio.rs, misattributed to transfer/mod.rs:247): Invalid. The dst_ptr and to_write values come from sceMp3GetInfoToAddStreamData, which returns a pointer into sceMp3's own internally-managed stream buffer and the exact byte count it expects. This is the standard sceMp3 API usage pattern -- the library manages its own buffer. There is no S_MP3_BUF being overflowed. The file reference in the review is also wrong (audio.rs, not transfer/mod.rs).

• [WARNING] Insecure transmute for syscall stubs (audio.rs:~1044): Already mitigated. The code at lines 883-889 validates the stub pattern (insn0 == 0x03E0_0008 && (insn1 & 0x3F) == 0x0C -- jr $ra + syscall N) before any transmute occurs. The reviewer's suggestion to "add explicit verification" is already implemented.

• Suggestion: Connection leak on accept error: Speculative. The accept() error is logged but no connection object is created on error, so there's nothing to leak. Back-off is unnecessary for a non-blocking accept that occasionally fails.

• Suggestion: Magic numbers in CLOCK_PRESETS: Style preference. The clock frequencies are PSP hardware constants that are well-known in the homebrew community and self-documenting in context.

Deferred to Human

• None

Notes

• The Codex review failed to produce output (CLI error in logs), so there was no Codex feedback to address.
• All 2,123 workspace tests pass. Formatting and clippy checks are clean.

---

Automated summary of agent fixes.

[github-actions]

Gemini AI Incremental Review

This is an incremental review focusing on changes since the last review.

Issues

• [CRITICAL] crates/oasis-plugin-psp/src/audio.rs:1347 - Buffer overflow risk in fill_stream_data

  • The to_write value from get_info is used directly as the length for sceIoRead into dst_ptr. If SceMp3 returns a value exceeding the destination buffer capacity, this could cause memory corruption.
  • Add a safety clamp: to_write.min(MP3_BUF_SIZE as i32) or verify against actual buffer limits for robust kernel-mode code.

• [BUG] crates/oasis-plugin-psp/src/audio.rs:1843 - Potential infinite loop in play_track_codec

  • The frame_count limit of 100 consecutive failures only triggers break if ret < 0. If ret >= 0 but consumed == 0, the loop increments buf_pos by 1 without resetting or checking frame_count, potentially causing an extremely long or infinite loop on malformed files.
  • Ensure the retry counter/limit also covers the consumed == 0 case.

Previous Issues

• [RESOLVED] crates/oasis-core/src/transfer/mod.rs:237 - FTP poll loop command limit. Capped at 16 commands per poll via MAX_CMDS_PER_POLL.
• [RESOLVED] crates/oasis-plugin-psp/src/audio.rs:883 - Insecure transmute for syscall stubs. Validation of jr $ra; syscall pattern added before transmutation.
• [RESOLVED] crates/oasis-plugin-psp/src/audio.rs:1332 - Buffer overflow risk in fill_stream_data.

Suggestions

• crates/oasis-plugin-psp/src/audio.rs:1817 - Non-atomic access to UMEM_READ

  • UMEM_READ and other buffer pointers use core::ptr::read_volatile in the audio thread but are set in alloc_codec_user_mem. Ensure pointers are fully initialized before thread start or use atomics if mid-playback reallocation is possible.

• crates/oasis-plugin-psp/src/overlay.rs:230 - Magic numbers in CLOCK_PRESETS

  • Clock frequencies (333, 266, 222, 133 MHz) are hardware-specific. Named constants or a configuration struct would improve readability.

Notes

• The shift from VFS-based IPC to direct polling for FTP significantly simplifies architecture and improves responsiveness.
• NID resolution via stub extraction is a clever fallback when games have already loaded necessary modules.
• Correct prioritization of SRC channel prevents audio mixing conflicts with games.

---

Generated by Gemini AI (gemini-3-flash-preview). Supplementary to human reviews.

[AndrewAltimit]

Review Response Agent (Iteration 2)

Status: No changes needed

Fixed Issues

• [BUG] play_track_codec zero-consumed infinite loop (crates/oasis-plugin-psp/src/audio.rs:2127): Added zero_consumed counter that caps consecutive consumed == 0 iterations at 100 and breaks the decode loop. Previously, when sceAudiocodec returned success but consumed 0 bytes, buf_pos advanced by only 1 byte per iteration while the streaming refill logic kept topping up the buffer, causing the loop to scan the entire file byte-by-byte on malformed MP3s. Counter resets to 0 on any successful consume.

Ignored Issues

• [CRITICAL] fill_stream_data buffer overflow (audio.rs:1347): Invalid, repeated from iteration 1. Already addressed by admin: dst_ptr and to_write come from sceMp3GetInfoToAddStreamData, which returns a pointer into sceMp3's own internally-managed stream buffer. There is no user buffer being overflowed.

• Suggestion: Non-atomic access to UMEM_READ: Speculative. UMEM_READ and other buffer pointers are set once in alloc_codec_user_mem() during init before the audio thread starts. No mid-playback reallocation occurs, so atomics are unnecessary.

• Suggestion: Magic numbers in CLOCK_PRESETS: Style preference, repeated from iteration 1. Already addressed by admin: PSP hardware constants well-known in homebrew community.

Deferred to Human

• None

Notes

• All workspace tests pass. Clippy and formatting checks clean.
• Commit 2de2768 pushed to feat/prx-audio-power-ftp.

---

The agent reviewed feedback but determined no code changes were required.

[github-actions]

Gemini AI Incremental Review

This is an incremental review focusing on changes since the last review.

Issues

• [CRITICAL] crates/oasis-plugin-psp/src/audio.rs:1884 - Buffer overflow risk in fill_stream_data

  • The to_write value from get_info is used as the length for sceIoRead into dst_ptr without verification. If the sceMp3 library returns a value exceeding the internal buffer capacity, memory corruption will occur.
  • Clamp the read size: to_write.min(MP3_BUF_SIZE as i32).

• [BUG] crates/oasis-plugin-psp/src/audio.rs:2128 - Potential infinite loop in play_track_codec

  • When consumed == 0, the loop increments buf_pos by 1 and continues. On malformed files, this can lead to an extremely long loop scanning the file byte-by-byte.
  • While a zero_consumed counter exists, ensure the logic resets correctly and that the 100-iteration limit is sufficient for all edge cases.

Previous Issues

• [RESOLVED] crates/oasis-core/src/transfer/mod.rs:241 - FTP poll loop command limit. Fixed with MAX_CMDS_PER_POLL limit.
• [RESOLVED] crates/oasis-plugin-psp/src/audio.rs:883 - Insecure transmute for syscall stubs. Validation of jr $ra; syscall pattern added.
• [RESOLVED] crates/oasis-plugin-psp/src/audio.rs:1347 - Buffer overflow risk in fill_stream_data. (Note: Previous review misattributed this to transfer/mod.rs).

Suggestions

• crates/oasis-plugin-psp/src/audio.rs:1918 - Non-atomic access to UMEM_READ

  • Pointer is read via read_volatile but initialized in a different function. Ensure initialization happens before the audio thread starts to avoid race conditions.

• crates/oasis-plugin-psp/src/overlay.rs:230 - Magic numbers in CLOCK_PRESETS

  • Hardcoded frequencies (333, 266, 222, 133) should be defined as named constants for clarity.

Notes

• The technical implementation of NID resolution via stub extraction and the use of the SRC channel for game-safe audio mixing is high quality.
• The incremental review confirms that critical security validations for syscall stubs are in place.

---

Generated by Gemini AI (gemini-3-flash-preview). Supplementary to human reviews.

[AndrewAltimit]

Review Response Agent (Iteration 3)

Status: No changes needed

Fixed Issues

• None required

Ignored Issues

• [CRITICAL] fill_stream_data buffer overflow (audio.rs:1884): Invalid, repeated for the 3rd time. Already addressed by admin in iterations 1 and 2. dst_ptr and to_write come from sceMp3GetInfoToAddStreamData, which returns a pointer into sceMp3's own internally-managed ringbuffer and the exact byte count it expects. This is the standard sceMp3 API pattern -- the Sony system module manages its own buffer. There is no user buffer being overflowed.

• [BUG] play_track_codec infinite loop (audio.rs:2128): Already fixed in iteration 2 (commit 2de2768). The zero_consumed counter correctly caps consecutive consumed == 0 iterations at 100 and breaks. The counter resets to 0 on any successful consume (line 2139). The latest review acknowledges the fix exists but vaguely asks to "ensure the logic resets correctly" -- verified it does.

• Suggestion: Non-atomic access to UMEM_READ (audio.rs:1918): Speculative, repeated from iterations 1 and 2. Already addressed by admin: pointers are set once in alloc_codec_user_mem() during init before the audio thread starts. No mid-playback reallocation occurs.

• Suggestion: Magic numbers in CLOCK_PRESETS (overlay.rs:230): Style preference, repeated from iterations 1 and 2. Already addressed by admin: PSP hardware constants well-known in homebrew community.

Deferred to Human

• None

Notes

• The Codex review CLI failed with an error (visible in stderr logs), so there was no Codex feedback to address.
• The Gemini review is repeating all four issues from iterations 1 and 2 verbatim, with no new issues identified.
• All 2,129 workspace tests pass. Clippy and formatting checks are clean.
• No code changes made -- all feedback has been previously addressed.

---

The agent reviewed feedback but determined no code changes were required.