forked from Minki/linux
Staging: sst: user pointers in intel_sst_mmap_play_capture()
There were some places in intel_sst_mmap_play_capture() that dereferenced user pointers instead of copying the data to the kernel. I removed the BUG_ON(!mmap_buf) and BUG_ON(!buf_entry) since those are never possible in the current code. Signed-off-by: Dan Carpenter <error27@gmail.com> Cc: Vinod Koul <vinod.koul@intel.com> Cc: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
parent
e9f25689a8
commit
08da782b1a
@ -244,12 +244,12 @@ static int intel_sst_mmap_play_capture(u32 str_id,
|
||||
int retval, i;
|
||||
struct stream_info *stream;
|
||||
struct snd_sst_mmap_buff_entry *buf_entry;
|
||||
struct snd_sst_mmap_buff_entry *tmp_buf;
|
||||
|
||||
pr_debug("sst:called for str_id %d\n", str_id);
|
||||
retval = sst_validate_strid(str_id);
|
||||
if (retval)
|
||||
return -EINVAL;
|
||||
BUG_ON(!mmap_buf);
|
||||
|
||||
stream = &sst_drv_ctx->streams[str_id];
|
||||
if (stream->mmapped != true)
|
||||
@ -262,14 +262,24 @@ static int intel_sst_mmap_play_capture(u32 str_id,
|
||||
stream->curr_bytes = 0;
|
||||
stream->cumm_bytes = 0;
|
||||
|
||||
tmp_buf = kcalloc(mmap_buf->entries, sizeof(*tmp_buf), GFP_KERNEL);
|
||||
if (!tmp_buf)
|
||||
return -ENOMEM;
|
||||
if (copy_from_user(tmp_buf, (void __user *)mmap_buf->buff,
|
||||
mmap_buf->entries * sizeof(*tmp_buf))) {
|
||||
retval = -EFAULT;
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
pr_debug("sst:new buffers count %d status %d\n",
|
||||
mmap_buf->entries, stream->status);
|
||||
buf_entry = mmap_buf->buff;
|
||||
buf_entry = tmp_buf;
|
||||
for (i = 0; i < mmap_buf->entries; i++) {
|
||||
BUG_ON(!buf_entry);
|
||||
bufs = kzalloc(sizeof(*bufs), GFP_KERNEL);
|
||||
if (!bufs)
|
||||
return -ENOMEM;
|
||||
if (!bufs) {
|
||||
retval = -ENOMEM;
|
||||
goto out_free;
|
||||
}
|
||||
bufs->size = buf_entry->size;
|
||||
bufs->offset = buf_entry->offset;
|
||||
bufs->addr = sst_drv_ctx->mmap_mem;
|
||||
@ -293,13 +303,15 @@ static int intel_sst_mmap_play_capture(u32 str_id,
|
||||
if (sst_play_frame(str_id) < 0) {
|
||||
pr_warn("sst: play frames fail\n");
|
||||
mutex_unlock(&stream->lock);
|
||||
return -EIO;
|
||||
retval = -EIO;
|
||||
goto out_free;
|
||||
}
|
||||
} else if (stream->ops == STREAM_OPS_CAPTURE) {
|
||||
if (sst_capture_frame(str_id) < 0) {
|
||||
pr_warn("sst: capture frame fail\n");
|
||||
mutex_unlock(&stream->lock);
|
||||
return -EIO;
|
||||
retval = -EIO;
|
||||
goto out_free;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -314,6 +326,9 @@ static int intel_sst_mmap_play_capture(u32 str_id,
|
||||
if (retval >= 0)
|
||||
retval = stream->cumm_bytes;
|
||||
pr_debug("sst:end of play/rec ioctl bytes = %d!!\n", retval);
|
||||
|
||||
out_free:
|
||||
kfree(tmp_buf);
|
||||
return retval;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user