diff options
author | Dan Carpenter <error27@gmail.com> | 2010-10-20 08:57:34 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-11-09 13:31:48 -0800 |
commit | 08da782b1a58fd63199928176909e103477c933a (patch) | |
tree | e427553b3bf83fbf9a462cb79ff9933f5b3a369a /drivers/staging | |
parent | e9f25689a86570c30d3f101b1f9834a579bed2e5 (diff) |
Staging: sst: user pointers in intel_sst_mmap_play_capture()
There were some places in intel_sst_mmap_play_capture() that
dereferenced user pointers instead of copying the data to the kernel.
I removed the BUG_ON(!mmap_buf) and BUG_ON(!buf_entry) since those are
never possible in the current code.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/staging')
-rw-r--r-- | drivers/staging/intel_sst/intel_sst_app_interface.c | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/drivers/staging/intel_sst/intel_sst_app_interface.c b/drivers/staging/intel_sst/intel_sst_app_interface.c index d20724d3b68..834bb617524 100644 --- a/drivers/staging/intel_sst/intel_sst_app_interface.c +++ b/drivers/staging/intel_sst/intel_sst_app_interface.c @@ -244,12 +244,12 @@ static int intel_sst_mmap_play_capture(u32 str_id, int retval, i; struct stream_info *stream; struct snd_sst_mmap_buff_entry *buf_entry; + struct snd_sst_mmap_buff_entry *tmp_buf; pr_debug("sst:called for str_id %d\n", str_id); retval = sst_validate_strid(str_id); if (retval) return -EINVAL; - BUG_ON(!mmap_buf); stream = &sst_drv_ctx->streams[str_id]; if (stream->mmapped != true) @@ -262,14 +262,24 @@ static int intel_sst_mmap_play_capture(u32 str_id, stream->curr_bytes = 0; stream->cumm_bytes = 0; + tmp_buf = kcalloc(mmap_buf->entries, sizeof(*tmp_buf), GFP_KERNEL); + if (!tmp_buf) + return -ENOMEM; + if (copy_from_user(tmp_buf, (void __user *)mmap_buf->buff, + mmap_buf->entries * sizeof(*tmp_buf))) { + retval = -EFAULT; + goto out_free; + } + pr_debug("sst:new buffers count %d status %d\n", mmap_buf->entries, stream->status); - buf_entry = mmap_buf->buff; + buf_entry = tmp_buf; for (i = 0; i < mmap_buf->entries; i++) { - BUG_ON(!buf_entry); bufs = kzalloc(sizeof(*bufs), GFP_KERNEL); - if (!bufs) - return -ENOMEM; + if (!bufs) { + retval = -ENOMEM; + goto out_free; + } bufs->size = buf_entry->size; bufs->offset = buf_entry->offset; bufs->addr = sst_drv_ctx->mmap_mem; @@ -293,13 +303,15 @@ static int intel_sst_mmap_play_capture(u32 str_id, if (sst_play_frame(str_id) < 0) { pr_warn("sst: play frames fail\n"); mutex_unlock(&stream->lock); - return -EIO; + retval = -EIO; + goto out_free; } } else if (stream->ops == STREAM_OPS_CAPTURE) { if (sst_capture_frame(str_id) < 0) { pr_warn("sst: capture frame fail\n"); mutex_unlock(&stream->lock); - return -EIO; + retval = -EIO; + goto out_free; } } } @@ -314,6 +326,9 @@ static int intel_sst_mmap_play_capture(u32 str_id, if (retval >= 0) retval = stream->cumm_bytes; pr_debug("sst:end of play/rec ioctl bytes = %d!!\n", retval); + +out_free: + kfree(tmp_buf); return retval; } |