Commit Graph

5412 Commits

Author SHA1 Message Date
Dan Carpenter
3251627c94 Staging: intel_sst: fix memory leak
The original code set "str_info->decode_ibuf" to NULL so the kfree() is
no-op.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Harsha Priya <priya.harsha@intel.com>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 12:25:53 -08:00
Dan Carpenter
832855354b Staging: rtl8712: signedness bug in init
PollingCnt is 20 and that means we loop 20 times and then run the
timeout code.  After the end of the loop PollingCnt should be -1 but
because it's an unsigned char, it's actually 255 and the timeout
code never runs.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 12:25:53 -08:00
Larry Finger
f36d83a8cb staging: rtl8187se: Change panic to warn when RF switch turned off
This driver issues a kernel panic over conditions that do not
justify such drastic action. Change these to log entries with
a stack dump.

This patch fixes the system crash reported in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/674285.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-and-Tested-by: Robie Basik <rb-oss-3@justgohome.co.uk>
Cc: Stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 12:25:53 -08:00
Nicolas Kaiser
61838261ed staging: comedi: fix memory leak
Instead of freeing outBuffer, inBuffer gets freed twice.

Signed-off-by: Nicolas Kaiser <nikai@nikai.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 12:25:52 -08:00
Dan Carpenter
ebba26f4a8 Staging: quickstart: free after input_unregister_device()
input_unregister_device() releases "quickstart_input" so the
input_free_device() is a double free.  Also I noticed that there is a
memory leak if the call to input_register_device() fails.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 12:25:52 -08:00
Dan Carpenter
5fb5d38fc2 Staging: speakup: free after input_unregister_device()
input_unregister_device() frees the device so the call to
input_free_device() is a double free.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 12:25:52 -08:00
Greg Kroah-Hartman
2018845b6a Staging: line6: fix up some sysfs attribute permissions
They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Markus Grabner <grabner@icg.tugraz.at>
Cc: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 11:23:33 -08:00
Greg Kroah-Hartman
0281b490dd Staging: zram: fix up some sysfs attribute permissions
They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nitin Gupta <ngupta@vflare.org>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 11:22:43 -08:00
Greg Kroah-Hartman
cc9ca9dfdd Staging: udlfb: fix up some sysfs attribute permissions
They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Bernie Thompson <bernie@plugable.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 11:21:36 -08:00
Greg Kroah-Hartman
90c05b97fd Staging: samsung-laptop: fix up some sysfs attribute permissions
They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 11:21:03 -08:00
Greg Kroah-Hartman
1d904e8950 Staging: iio: adis16220: fix up some sysfs attribute permissions
They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jonathan Cameron <jic23@cam.ac.uk>
Cc: Barry Song <Barry.Song@analog.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 11:19:53 -08:00
Greg Kroah-Hartman
3bad28ec00 Staging: frontier: fix up some sysfs attribute permissions
They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Taht <d@teklibre.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 11:18:33 -08:00
Greg Kroah-Hartman
590b0b9754 Staging: asus_oled: fix up some sysfs attribute permissions
They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jakub Schmidtke <sjakub@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-16 11:17:01 -08:00
Jean Delvare
f3dc65dafa i2c: Drivers shouldn't include <linux/i2c-id.h>
Drivers don't need to include <linux/i2c-id.h>, especially not when
they don't use anything that header file provides.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Michael Hunold <michael@mihu.de>
Acked-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2010-11-15 22:40:38 +01:00
Wolfram Sang
dc6641be0e i2c: Remove obsolete cleanup for clientdata
A few new i2c-drivers came into the kernel which clear the clientdata-pointer
on exit. This is obsolete meanwhile, so fix it and hope the word will spread.

Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Acked-by: Alan Cox <alan@linux.intel.com>
Acked-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
2010-11-15 22:40:38 +01:00
Linus Torvalds
c22cff08db Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6
* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6:
  [media] soc-camera: Compile fixes for mx2-camera
  [media] SoC Camera: ov6650: minor cleanups
  [media] SOC Camera: OMAP1: typo fix
  [media] SoC Camera: OMAP1: update for recent videobuf changes
  [media] SoC Camera: OMAP1: update for recent framework changes
  [media] ARM mx3_camera: check for DMA engine type
  [media] tm6000: bugfix set tv standards
  [media] cafe_ccic: fix subdev configuration
  [media] saa7134: Fix autodetect for Behold A7 and H7 TV cards
  [media] v4l: kill the BKL
  [media] BZ#22292: dibx000_common: Restore i2c algo pointer
2010-11-13 09:55:19 -08:00
Greg Kroah-Hartman
94fb7c9c5d Staging: Merge 'tidspbridge-2.6.37-rc1' into staging-linus
This is a big revert of a lot of -rc1 tidspbridge patches in order to
get the driver back into a working state.  It also includes a OMAP patch
that was approved by the OMAP maintainer.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-11 05:14:54 -08:00
Felipe Contreras
50ad26f4c9 Revert "staging: tidspbridge: replace iommu custom for opensource implementation"
This reverts commit d95ec7e2fd.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:44 -06:00
Felipe Contreras
1cf3fb2d35 Revert "staging: tidspbridge - move shared memory iommu maps to tiomap3430.c"
This reverts commit 0c10e91b6c.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:44 -06:00
Felipe Contreras
d0b345f3ee Revert "staging: tidspbridge - rename bridge_brd_mem_map/unmap to a proper name"
This reverts commit 4dd1944ab7.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:44 -06:00
Felipe Contreras
ac8a139a14 Revert "staging: tidspbridge - remove custom mmu code from tiomap3430.c"
This reverts commit e7396e77d9.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:43 -06:00
Felipe Contreras
6c4c899ee2 Revert "staging: tidspbridge - fix mmufault support"
This reverts commit f265846db1.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:43 -06:00
Felipe Contreras
58c1ceb156 Revert "staging: tidspbridge - remove hw directory"
This reverts commit 053fdb85f5.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:43 -06:00
Felipe Contreras
f5bd96bbe3 Revert "staging: tidspbridge - move all iommu related code to a new file"
This reverts commit f94378f9f9.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:43 -06:00
Felipe Contreras
9d4f81a722 Revert "staging: tidspbridge: remove dw_dmmu_base from cfg_hostres struct"
This reverts commit b5a4493923.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:43 -06:00
Felipe Contreras
a28903501c Revert "staging: tidspbridge - remove reserved memory clean up"
This reverts commit db348ca36e.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:42 -06:00
Felipe Contreras
2fa28a5182 Revert "staging: tidspbridge - deprecate reserve/unreserve_memory funtions"
This reverts commit b1ced160af.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:42 -06:00
Felipe Contreras
677f2ded81 Revert "staging: tidspbridge - remove dmm custom module"
This reverts commit 2ab573487a.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:42 -06:00
Felipe Contreras
3fc59af631 Revert "staging: tidspbridge - update Kconfig to select IOMMU module"
This reverts commit ace5a3ce40.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:42 -06:00
Felipe Contreras
a9db203674 staging: tidspbridge: hardcode SCM macros while fix is upstreamed
On 2.6.37-rc1, omap platform internals for SCM have changed,
so the build is broken again.

drivers/staging/tidspbridge/core/tiomap3430.c:26:
    fatal error: plat/control.h: No such file or directory

This is a totally ugly layer violation, but needed until
omap_ctrl_set_dsp_boot*() are provided.

Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
2010-11-10 18:34:18 -06:00
Konstantin Katuev
307ae1d3d0 Staging: keucr driver: fix uninitialized variable & proper memset length
There was commented out transfer_flags initialization.
And i think memset should fill entire structure, not only length of
pointer to it.

This makes the driver work properly now on my hardware.

Signed-off-by: Konstantin Katuev <kkatuev@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-10 16:33:57 -08:00
Maximiliano David Bustos
c3444e50b2 Staging: wlan-ng: Fix wrong #ifdef #endif sequence
This patch fixes bug #13820 from bugzilla.kernel.org.

Quote: "If ETHTOOL_GLINK is not defined, the end for switch case is not
to be found."

Signed-off-by: Maximiliano David Bustos <md.bustos90@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 16:51:42 -08:00
Ben Hutchings
34a488c1e0 Staging: Update parameters for cfg80211 key management operation
Commit e31b82136d ("cfg80211/mac80211:
allow per-station GTKs") changed the signatures of these operations
but did not update the staging drivers.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 16:49:33 -08:00
Ben Hutchings
5f2e877386 Staging: ath6kl: Fix pointer casts on 64-bit architectures
Remove unnecessary cast of firmware base address to integer before
adding an offset.

Fix direct use of sk_buff::network_header which is an offset rather
than a pointer on 64-bit architectures.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 16:49:02 -08:00
Marek Lindner
4d774a7fed Staging: batman-adv: suppress false warning when changing the mac address
Whenever the mac address of an batman interface is changed
check_known_mac_addr() is called to print a warning if the newly added
mac address exists an another batman interface. While looping through
the batman interface list check_known_mac_addr() only compares mac
addresses and does not make sure they belong to different interfaces,
thus always printing a warning.

Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 16:21:27 -08:00
Chris Lang
f581cf21b4 Staging: batman-adv: fix interface alternating and bonding reggression
55d1666b521cbed95924c8d4775fe272c103f08c incidentally disabled bonding
of packets first entering the mesh along with also disabling interface
alternating regardless of where the packet came from. This re-enables
these options.

Signed-off-by: Chris Lang <clang@gateworks.com>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 16:21:27 -08:00
Joe Perches
31a9f47aa0 Staging: udlfb.c: Fix k.alloc switched arguments
Signed-off-by: Joe Perches <joe@perches.com>
Cc: Bernie Thompson <bernie@plugable.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 14:05:24 -08:00
Daniel Lichtenberger
43f88d530e Staging: rtl8192e: fix IOMMU memory leak
Unmap the rx buffer before mapping the new one in rtl8192_rx.

Failing to do so quickly exhausts the IOMMU memory during downloads:

[...] DMA: Out of SW-IOMMU space for 9100 bytes at device ...

Using "iommu=off mem=4g" also fixes the problem because
then pci_map_single does not allocate memory.

Tested on my personal laptop with a RTL8192E device. Without this
patch the kernel quickly runs out of IOMMU memory (downloading 5 MB
of data is sufficient to trigger it), with this patch applied
I haven't experienced any issues so far.

Signed-off-by: Daniel Lichtenberger <daniel.lichtenberger@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 14:05:23 -08:00
Vasiliy Kulikov
eacd121c3d staging: vt6656: implement missing brackets
Identation says that copy_to_user() should be called only iff
wrq->u.essid.pointer is not zero.  Also it is useless to call copy_to_user(0, ...).

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 14:05:23 -08:00
Larry Finger
705059a670 staging: rt2870: Add new USB ID for Belkin F6D4050 v1
Add new USB ID for FT2870 for Belkin F6D4050 v1

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported- and Tested-by: James Long <crogonint@yahoo.com>
Cc: Stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 14:05:23 -08:00
Brett Rudley
0d58fef68c staging: brcm80211: Maintainer change
Nohee => Dowan

Signed-off-by: Brett Rudley <brudley@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 14:05:23 -08:00
Julia Lawall
4fd68ae1a5 drivers/staging/brcm80211/brcmfmac/dhd_linux.c: delete double assignment
Delete successive assignments to the same location.  dhd_ops_virt contains
a subset of the definitions of dhd_ops_pri.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression i;
@@

*i = ...;
 i = ...;
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 14:05:22 -08:00
Julia Lawall
61241d97db drivers/staging: delete double assignment
Delete successive assignments to the same location.  In three of the cases,
the two assignments are identical.  In the case of the file
rt2860/common/cmm_aes.c, the assigned variable i is never used, so both
assignments are dropped.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression i;
@@

*i = ...;
 i = ...;
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 14:05:22 -08:00
Hauke Mehrtens
22b4dc5917 Staging: ath6kl: Adapt API changes in cfg80211
The cfg80211 API changed in commit e31b82136d

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 13:33:27 -08:00
Randy Dunlap
32a0fdf27c Staging: ath6kl: ATH6KL_CFG80211 depends on CFG80211
ATH6KL_CFG80211 should depend on CFG80211 to fix build errors:

ERROR: "wiphy_free" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "cfg80211_inform_bss_frame" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "__ieee80211_get_channel" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "cfg80211_get_bss" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "wiphy_unregister" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "cfg80211_connect_result" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "cfg80211_michael_mic_failure" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "cfg80211_ibss_joined" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "cfg80211_roamed" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "cfg80211_put_bss" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "wiphy_new" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "wiphy_register" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "cfg80211_disconnected" [drivers/staging/ath6kl/ath6kl.ko] undefined!
ERROR: "cfg80211_scan_done" [drivers/staging/ath6kl/ath6kl.ko] undefined!

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Vipin Mehta <vmehta@atheros.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 13:33:04 -08:00
Dan Carpenter
eccbf04a90 Staging: bcm: use get_user() to access user pointers
This fixes some places that dereference user pointers directly instead
of using get_user().

Please especially check my changes to IOCTL_BCM_GET_CURRENT_STATUS.  The
original code modified the struct which "arg" was pointing to.  I think
this was a bug in the original code and that we only wanted to write to
the OutputBuffer. Also with the original code you could read as much
memory as you wanted so I had to put a cap on OutputLength.  The only
value of OutputLength that makes sense is sizeof(LINK_STATE) so now if
OutputLength is not sizeof(LINK_STATE) it returns -EINVAL.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 13:32:36 -08:00
Dan Carpenter
4fc718a4b0 Staging: sst: add some __user anotations
This silences all the sparse warnings in intel_sst_app_interface.c.
It was just a matter of adding __user annotations, I didn't find any
real bugs here.  Quite a few of these were needed for stuff I added
earlier, sorry about that.

I removed a couple casts to (void *) that caused a warning like:
	drivers/staging/intel_sst/intel_sst_app_interface.c:606:27:
		warning: cast removes address space of expression
For example sst_drv_ctx->mailbox is already declared as
"void __iomem *mailbox" so casting it to void pointer isn't necessary
and it makes sparse complain because it removes the __user attribute.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 13:31:49 -08:00
Dan Carpenter
08da782b1a Staging: sst: user pointers in intel_sst_mmap_play_capture()
There were some places in intel_sst_mmap_play_capture() that
dereferenced user pointers instead of copying the data to the kernel.

I removed the BUG_ON(!mmap_buf) and BUG_ON(!buf_entry) since those are
never possible in the current code.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 13:31:48 -08:00
Dan Carpenter
e9f25689a8 Staging: sst: fixups in SNDRV_SST_STREAM_DECODE
This is another patch about copying data to the kernel before using it.

SNDRV_SST_STREAM_DECODE is sort of tricky because we need to do a
copy_from_user() that gives us another two pointers and we have copy
those.  Those again give us some more pointers that we have to copy.

Besides those problems, the code had a stack overflow:
-	struct snd_sst_buff_entry ibuf_temp[param->ibufs->entries],
-		obuf_temp[param->obufs->entries];
param->ibufs->entries comes from the user.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 13:30:49 -08:00
Dan Carpenter
bc704e31ed Staging: sst: more dereferencing user pointers
This is another patch about making a copy of the data into kernel space
before using it.  It is easy to trigger a kernel oops in the original
code.  If you passed a NULL to SNDRV_SST_SET_TARGET_DEVICE then it
called BUG_ON().  And SNDRV_SST_DRIVER_INFO would let you write the
information to arbitrary memory locations which is a security violation.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-11-09 13:30:48 -08:00