Commit f4723b22 authored by Takashi Iwai's avatar Takashi Iwai

Merge branch 'topic/memdup_user' into for-linus

* topic/memdup_user:
  ALSA: sound/pci: use memdup_user()
  ALSA: sound/usb: use memdup_user()
  ALSA: sound/isa: use memdup_user()
  ALSA: sound/core: use memdup_user()
parents 00610a81 336500f0
...@@ -724,13 +724,10 @@ static int snd_ctl_elem_read_user(struct snd_card *card, ...@@ -724,13 +724,10 @@ static int snd_ctl_elem_read_user(struct snd_card *card,
struct snd_ctl_elem_value *control; struct snd_ctl_elem_value *control;
int result; int result;
control = kmalloc(sizeof(*control), GFP_KERNEL); control = memdup_user(_control, sizeof(*control));
if (control == NULL) if (IS_ERR(control))
return -ENOMEM; return PTR_ERR(control);
if (copy_from_user(control, _control, sizeof(*control))) {
kfree(control);
return -EFAULT;
}
snd_power_lock(card); snd_power_lock(card);
result = snd_power_wait(card, SNDRV_CTL_POWER_D0); result = snd_power_wait(card, SNDRV_CTL_POWER_D0);
if (result >= 0) if (result >= 0)
...@@ -784,13 +781,10 @@ static int snd_ctl_elem_write_user(struct snd_ctl_file *file, ...@@ -784,13 +781,10 @@ static int snd_ctl_elem_write_user(struct snd_ctl_file *file,
struct snd_card *card; struct snd_card *card;
int result; int result;
control = kmalloc(sizeof(*control), GFP_KERNEL); control = memdup_user(_control, sizeof(*control));
if (control == NULL) if (IS_ERR(control))
return -ENOMEM; return PTR_ERR(control);
if (copy_from_user(control, _control, sizeof(*control))) {
kfree(control);
return -EFAULT;
}
card = file->card; card = file->card;
snd_power_lock(card); snd_power_lock(card);
result = snd_power_wait(card, SNDRV_CTL_POWER_D0); result = snd_power_wait(card, SNDRV_CTL_POWER_D0);
...@@ -916,13 +910,10 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol, ...@@ -916,13 +910,10 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol,
if (op_flag > 0) { if (op_flag > 0) {
if (size > 1024 * 128) /* sane value */ if (size > 1024 * 128) /* sane value */
return -EINVAL; return -EINVAL;
new_data = kmalloc(size, GFP_KERNEL);
if (new_data == NULL) new_data = memdup_user(tlv, size);
return -ENOMEM; if (IS_ERR(new_data))
if (copy_from_user(new_data, tlv, size)) { return PTR_ERR(new_data);
kfree(new_data);
return -EFAULT;
}
change = ue->tlv_data_size != size; change = ue->tlv_data_size != size;
if (!change) if (!change)
change = memcmp(ue->tlv_data, new_data, size); change = memcmp(ue->tlv_data, new_data, size);
......
...@@ -232,14 +232,11 @@ static int snd_pcm_ioctl_hw_params_compat(struct snd_pcm_substream *substream, ...@@ -232,14 +232,11 @@ static int snd_pcm_ioctl_hw_params_compat(struct snd_pcm_substream *substream,
if (! (runtime = substream->runtime)) if (! (runtime = substream->runtime))
return -ENOTTY; return -ENOTTY;
data = kmalloc(sizeof(*data), GFP_KERNEL);
if (data == NULL)
return -ENOMEM;
/* only fifo_size is different, so just copy all */ /* only fifo_size is different, so just copy all */
if (copy_from_user(data, data32, sizeof(*data32))) { data = memdup_user(data32, sizeof(*data32));
err = -EFAULT; if (IS_ERR(data))
goto error; return PTR_ERR(data);
}
if (refine) if (refine)
err = snd_pcm_hw_refine(substream, data); err = snd_pcm_hw_refine(substream, data);
else else
......
...@@ -327,21 +327,16 @@ static int snd_pcm_hw_refine_user(struct snd_pcm_substream *substream, ...@@ -327,21 +327,16 @@ static int snd_pcm_hw_refine_user(struct snd_pcm_substream *substream,
struct snd_pcm_hw_params *params; struct snd_pcm_hw_params *params;
int err; int err;
params = kmalloc(sizeof(*params), GFP_KERNEL); params = memdup_user(_params, sizeof(*params));
if (!params) { if (IS_ERR(params))
err = -ENOMEM; return PTR_ERR(params);
goto out;
}
if (copy_from_user(params, _params, sizeof(*params))) {
err = -EFAULT;
goto out;
}
err = snd_pcm_hw_refine(substream, params); err = snd_pcm_hw_refine(substream, params);
if (copy_to_user(_params, params, sizeof(*params))) { if (copy_to_user(_params, params, sizeof(*params))) {
if (!err) if (!err)
err = -EFAULT; err = -EFAULT;
} }
out:
kfree(params); kfree(params);
return err; return err;
} }
...@@ -465,21 +460,16 @@ static int snd_pcm_hw_params_user(struct snd_pcm_substream *substream, ...@@ -465,21 +460,16 @@ static int snd_pcm_hw_params_user(struct snd_pcm_substream *substream,
struct snd_pcm_hw_params *params; struct snd_pcm_hw_params *params;
int err; int err;
params = kmalloc(sizeof(*params), GFP_KERNEL); params = memdup_user(_params, sizeof(*params));
if (!params) { if (IS_ERR(params))
err = -ENOMEM; return PTR_ERR(params);
goto out;
}
if (copy_from_user(params, _params, sizeof(*params))) {
err = -EFAULT;
goto out;
}
err = snd_pcm_hw_params(substream, params); err = snd_pcm_hw_params(substream, params);
if (copy_to_user(_params, params, sizeof(*params))) { if (copy_to_user(_params, params, sizeof(*params))) {
if (!err) if (!err)
err = -EFAULT; err = -EFAULT;
} }
out:
kfree(params); kfree(params);
return err; return err;
} }
...@@ -2593,13 +2583,11 @@ static int snd_pcm_playback_ioctl1(struct file *file, ...@@ -2593,13 +2583,11 @@ static int snd_pcm_playback_ioctl1(struct file *file,
return -EFAULT; return -EFAULT;
if (copy_from_user(&xfern, _xfern, sizeof(xfern))) if (copy_from_user(&xfern, _xfern, sizeof(xfern)))
return -EFAULT; return -EFAULT;
bufs = kmalloc(sizeof(void *) * runtime->channels, GFP_KERNEL);
if (bufs == NULL) bufs = memdup_user(xfern.bufs,
return -ENOMEM; sizeof(void *) * runtime->channels);
if (copy_from_user(bufs, xfern.bufs, sizeof(void *) * runtime->channels)) { if (IS_ERR(bufs))
kfree(bufs); return PTR_ERR(bufs);
return -EFAULT;
}
result = snd_pcm_lib_writev(substream, bufs, xfern.frames); result = snd_pcm_lib_writev(substream, bufs, xfern.frames);
kfree(bufs); kfree(bufs);
__put_user(result, &_xfern->result); __put_user(result, &_xfern->result);
...@@ -2675,13 +2663,11 @@ static int snd_pcm_capture_ioctl1(struct file *file, ...@@ -2675,13 +2663,11 @@ static int snd_pcm_capture_ioctl1(struct file *file,
return -EFAULT; return -EFAULT;
if (copy_from_user(&xfern, _xfern, sizeof(xfern))) if (copy_from_user(&xfern, _xfern, sizeof(xfern)))
return -EFAULT; return -EFAULT;
bufs = kmalloc(sizeof(void *) * runtime->channels, GFP_KERNEL);
if (bufs == NULL) bufs = memdup_user(xfern.bufs,
return -ENOMEM; sizeof(void *) * runtime->channels);
if (copy_from_user(bufs, xfern.bufs, sizeof(void *) * runtime->channels)) { if (IS_ERR(bufs))
kfree(bufs); return PTR_ERR(bufs);
return -EFAULT;
}
result = snd_pcm_lib_readv(substream, bufs, xfern.frames); result = snd_pcm_lib_readv(substream, bufs, xfern.frames);
kfree(bufs); kfree(bufs);
__put_user(result, &_xfern->result); __put_user(result, &_xfern->result);
...@@ -3312,18 +3298,12 @@ static int snd_pcm_hw_refine_old_user(struct snd_pcm_substream *substream, ...@@ -3312,18 +3298,12 @@ static int snd_pcm_hw_refine_old_user(struct snd_pcm_substream *substream,
int err; int err;
params = kmalloc(sizeof(*params), GFP_KERNEL); params = kmalloc(sizeof(*params), GFP_KERNEL);
if (!params) { if (!params)
err = -ENOMEM; return -ENOMEM;
goto out;
}
oparams = kmalloc(sizeof(*oparams), GFP_KERNEL);
if (!oparams) {
err = -ENOMEM;
goto out;
}
if (copy_from_user(oparams, _oparams, sizeof(*oparams))) { oparams = memdup_user(_oparams, sizeof(*oparams));
err = -EFAULT; if (IS_ERR(oparams)) {
err = PTR_ERR(oparams);
goto out; goto out;
} }
snd_pcm_hw_convert_from_old_params(params, oparams); snd_pcm_hw_convert_from_old_params(params, oparams);
...@@ -3333,9 +3313,10 @@ static int snd_pcm_hw_refine_old_user(struct snd_pcm_substream *substream, ...@@ -3333,9 +3313,10 @@ static int snd_pcm_hw_refine_old_user(struct snd_pcm_substream *substream,
if (!err) if (!err)
err = -EFAULT; err = -EFAULT;
} }
kfree(oparams);
out: out:
kfree(params); kfree(params);
kfree(oparams);
return err; return err;
} }
...@@ -3347,17 +3328,12 @@ static int snd_pcm_hw_params_old_user(struct snd_pcm_substream *substream, ...@@ -3347,17 +3328,12 @@ static int snd_pcm_hw_params_old_user(struct snd_pcm_substream *substream,
int err; int err;
params = kmalloc(sizeof(*params), GFP_KERNEL); params = kmalloc(sizeof(*params), GFP_KERNEL);
if (!params) { if (!params)
err = -ENOMEM; return -ENOMEM;
goto out;
} oparams = memdup_user(_oparams, sizeof(*oparams));
oparams = kmalloc(sizeof(*oparams), GFP_KERNEL); if (IS_ERR(oparams)) {
if (!oparams) { err = PTR_ERR(oparams);
err = -ENOMEM;
goto out;
}
if (copy_from_user(oparams, _oparams, sizeof(*oparams))) {
err = -EFAULT;
goto out; goto out;
} }
snd_pcm_hw_convert_from_old_params(params, oparams); snd_pcm_hw_convert_from_old_params(params, oparams);
...@@ -3367,9 +3343,10 @@ static int snd_pcm_hw_params_old_user(struct snd_pcm_substream *substream, ...@@ -3367,9 +3343,10 @@ static int snd_pcm_hw_params_old_user(struct snd_pcm_substream *substream,
if (!err) if (!err)
err = -EFAULT; err = -EFAULT;
} }
kfree(oparams);
out: out:
kfree(params); kfree(params);
kfree(oparams);
return err; return err;
} }
#endif /* CONFIG_SND_SUPPORT_OLD_API */ #endif /* CONFIG_SND_SUPPORT_OLD_API */
......
...@@ -48,12 +48,11 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned ...@@ -48,12 +48,11 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned
struct snd_seq_port_info *data; struct snd_seq_port_info *data;
mm_segment_t fs; mm_segment_t fs;
data = kmalloc(sizeof(*data), GFP_KERNEL); data = memdup_user(data32, sizeof(*data32));
if (! data) if (IS_ERR(data))
return -ENOMEM; return PTR_ERR(data);
if (copy_from_user(data, data32, sizeof(*data32)) || if (get_user(data->flags, &data32->flags) ||
get_user(data->flags, &data32->flags) ||
get_user(data->time_queue, &data32->time_queue)) get_user(data->time_queue, &data32->time_queue))
goto error; goto error;
data->kernel = NULL; data->kernel = NULL;
......
...@@ -1395,13 +1395,10 @@ static int snd_timer_user_ginfo(struct file *file, ...@@ -1395,13 +1395,10 @@ static int snd_timer_user_ginfo(struct file *file,
struct list_head *p; struct list_head *p;
int err = 0; int err = 0;
ginfo = kmalloc(sizeof(*ginfo), GFP_KERNEL); ginfo = memdup_user(_ginfo, sizeof(*ginfo));
if (! ginfo) if (IS_ERR(ginfo))
return -ENOMEM; return PTR_ERR(ginfo);
if (copy_from_user(ginfo, _ginfo, sizeof(*ginfo))) {
kfree(ginfo);
return -EFAULT;
}
tid = ginfo->tid; tid = ginfo->tid;
memset(ginfo, 0, sizeof(*ginfo)); memset(ginfo, 0, sizeof(*ginfo));
ginfo->tid = tid; ginfo->tid = tid;
......
...@@ -684,15 +684,16 @@ static int snd_sb_csp_load(struct snd_sb_csp * p, const unsigned char *buf, int ...@@ -684,15 +684,16 @@ static int snd_sb_csp_load(struct snd_sb_csp * p, const unsigned char *buf, int
static int snd_sb_csp_load_user(struct snd_sb_csp * p, const unsigned char __user *buf, int size, int load_flags) static int snd_sb_csp_load_user(struct snd_sb_csp * p, const unsigned char __user *buf, int size, int load_flags)
{ {
int err = -ENOMEM; int err;
unsigned char *kbuf = kmalloc(size, GFP_KERNEL); unsigned char *kbuf;
if (kbuf) {
if (copy_from_user(kbuf, buf, size)) kbuf = memdup_user(buf, size);
err = -EFAULT; if (IS_ERR(kbuf))
else return PTR_ERR(kbuf);
err = snd_sb_csp_load(p, kbuf, size, load_flags); err = snd_sb_csp_load(p, kbuf, size, load_flags);
kfree(kbuf); kfree(kbuf);
}
return err; return err;
} }
......
...@@ -202,15 +202,11 @@ snd_wavefront_fx_ioctl (struct snd_hwdep *sdev, struct file *file, ...@@ -202,15 +202,11 @@ snd_wavefront_fx_ioctl (struct snd_hwdep *sdev, struct file *file,
"> 512 bytes to FX\n"); "> 512 bytes to FX\n");
return -EIO; return -EIO;
} }
page_data = kmalloc(r.data[2] * sizeof(short), GFP_KERNEL); page_data = memdup_user((unsigned char __user *)
if (!page_data) r.data[3],
return -ENOMEM; r.data[2] * sizeof(short));
if (copy_from_user (page_data, if (IS_ERR(page_data))
(unsigned char __user *) r.data[3], return PTR_ERR(page_data);
r.data[2] * sizeof(short))) {
kfree(page_data);
return -EFAULT;
}
pd = page_data; pd = page_data;
} }
......
...@@ -1664,12 +1664,11 @@ snd_wavefront_synth_ioctl (struct snd_hwdep *hw, struct file *file, ...@@ -1664,12 +1664,11 @@ snd_wavefront_synth_ioctl (struct snd_hwdep *hw, struct file *file,
break; break;
case WFCTL_WFCMD: case WFCTL_WFCMD:
wc = kmalloc(sizeof(*wc), GFP_KERNEL); wc = memdup_user(argp, sizeof(*wc));
if (! wc) if (IS_ERR(wc))
return -ENOMEM; return PTR_ERR(wc);
if (copy_from_user (wc, argp, sizeof (*wc)))
err = -EFAULT; if (wavefront_synth_control (acard, wc) < 0)
else if (wavefront_synth_control (acard, wc) < 0)
err = -EIO; err = -EIO;
else if (copy_to_user (argp, wc, sizeof (*wc))) else if (copy_to_user (argp, wc, sizeof (*wc)))
err = -EFAULT; err = -EFAULT;
......
...@@ -2493,24 +2493,17 @@ static int snd_emu10k1_fx8010_ioctl(struct snd_hwdep * hw, struct file *file, un ...@@ -2493,24 +2493,17 @@ static int snd_emu10k1_fx8010_ioctl(struct snd_hwdep * hw, struct file *file, un
case SNDRV_EMU10K1_IOCTL_CODE_POKE: case SNDRV_EMU10K1_IOCTL_CODE_POKE:
if (!capable(CAP_SYS_ADMIN)) if (!capable(CAP_SYS_ADMIN))
return -EPERM; return -EPERM;
icode = kmalloc(sizeof(*icode), GFP_KERNEL);
if (icode == NULL) icode = memdup_user(argp, sizeof(*icode));
return -ENOMEM; if (IS_ERR(icode))
if (copy_from_user(icode, argp, sizeof(*icode))) { return PTR_ERR(icode);
kfree(icode);
return -EFAULT;
}
res = snd_emu10k1_icode_poke(emu, icode); res = snd_emu10k1_icode_poke(emu, icode);
kfree(icode); kfree(icode);
return res; return res;
case SNDRV_EMU10K1_IOCTL_CODE_PEEK: case SNDRV_EMU10K1_IOCTL_CODE_PEEK:
icode = kmalloc(sizeof(*icode), GFP_KERNEL); icode = memdup_user(argp, sizeof(*icode));
if (icode == NULL) if (IS_ERR(icode))
return -ENOMEM; return PTR_ERR(icode);
if (copy_from_user(icode, argp, sizeof(*icode))) {
kfree(icode);
return -EFAULT;
}
res = snd_emu10k1_icode_peek(emu, icode); res = snd_emu10k1_icode_peek(emu, icode);
if (res == 0 && copy_to_user(argp, icode, sizeof(*icode))) { if (res == 0 && copy_to_user(argp, icode, sizeof(*icode))) {
kfree(icode); kfree(icode);
...@@ -2519,24 +2512,16 @@ static int snd_emu10k1_fx8010_ioctl(struct snd_hwdep * hw, struct file *file, un ...@@ -2519,24 +2512,16 @@ static int snd_emu10k1_fx8010_ioctl(struct snd_hwdep * hw, struct file *file, un
kfree(icode); kfree(icode);
return res; return res;
case SNDRV_EMU10K1_IOCTL_PCM_POKE: case SNDRV_EMU10K1_IOCTL_PCM_POKE:
ipcm = kmalloc(sizeof(*ipcm), GFP_KERNEL); ipcm = memdup_user(argp, sizeof(*ipcm));
if (ipcm == NULL) if (IS_ERR(ipcm))
return -ENOMEM; return PTR_ERR(ipcm);
if (copy_from_user(ipcm, argp, sizeof(*ipcm))) {
kfree(ipcm);
return -EFAULT;
}
res = snd_emu10k1_ipcm_poke(emu, ipcm); res = snd_emu10k1_ipcm_poke(emu, ipcm);
kfree(ipcm); kfree(ipcm);
return res; return res;
case SNDRV_EMU10K1_IOCTL_PCM_PEEK: case SNDRV_EMU10K1_IOCTL_PCM_PEEK:
ipcm = kzalloc(sizeof(*ipcm), GFP_KERNEL); ipcm = memdup_user(argp, sizeof(*ipcm));
if (ipcm == NULL) if (IS_ERR(ipcm))
return -ENOMEM; return PTR_ERR(ipcm);
if (copy_from_user(ipcm, argp, sizeof(*ipcm))) {
kfree(ipcm);
return -EFAULT;
}
res = snd_emu10k1_ipcm_peek(emu, ipcm); res = snd_emu10k1_ipcm_peek(emu, ipcm);
if (res == 0 && copy_to_user(argp, ipcm, sizeof(*ipcm))) { if (res == 0 && copy_to_user(argp, ipcm, sizeof(*ipcm))) {
kfree(ipcm); kfree(ipcm);
......
...@@ -349,14 +349,10 @@ static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, ...@@ -349,14 +349,10 @@ static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file,
if (cmd != SNDRV_USB_STREAM_IOCTL_SET_PARAMS) if (cmd != SNDRV_USB_STREAM_IOCTL_SET_PARAMS)
return -ENOTTY; return -ENOTTY;
cfg = kmalloc(sizeof(*cfg), GFP_KERNEL); cfg = memdup_user((void *)arg, sizeof(*cfg));
if (!cfg) if (IS_ERR(cfg))
return -ENOMEM; return PTR_ERR(cfg);
if (copy_from_user(cfg, (void *)arg, sizeof(*cfg))) {
err = -EFAULT;
goto free;
}
if (cfg->version != USB_STREAM_INTERFACE_VERSION) { if (cfg->version != USB_STREAM_INTERFACE_VERSION) {
err = -ENXIO; err = -ENXIO;
goto free; goto free;
......
...@@ -203,13 +203,12 @@ static int snd_usX2Y_hwdep_dsp_load(struct snd_hwdep *hw, ...@@ -203,13 +203,12 @@ static int snd_usX2Y_hwdep_dsp_load(struct snd_hwdep *hw,
if (access_ok(VERIFY_READ, dsp->image, dsp->length)) { if (access_ok(VERIFY_READ, dsp->image, dsp->length)) {
struct usb_device* dev = priv->chip.dev; struct usb_device* dev = priv->chip.dev;
char *buf = kmalloc(dsp->length, GFP_KERNEL); char *buf;
if (!buf)
return -ENOMEM; buf = memdup_user(dsp->image, dsp->length);
if (copy_from_user(buf, dsp->image, dsp->length)) { if (IS_ERR(buf))
kfree(buf); return PTR_ERR(buf);
return -EFAULT;
}
err = usb_set_interface(dev, 0, 1); err = usb_set_interface(dev, 0, 1);
if (err) if (err)
snd_printk(KERN_ERR "usb_set_interface error \n"); snd_printk(KERN_ERR "usb_set_interface error \n");
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment