Staging: sst: user pointers in intel_sst_mmap_play_capture()
authorDan Carpenter <error27@gmail.com>
Wed, 20 Oct 2010 06:57:34 +0000 (08:57 +0200)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 9 Nov 2010 21:31:48 +0000 (13:31 -0800)
There were some places in intel_sst_mmap_play_capture() that
dereferenced user pointers instead of copying the data to the kernel.

I removed the BUG_ON(!mmap_buf) and BUG_ON(!buf_entry) since those are
never possible in the current code.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/staging/intel_sst/intel_sst_app_interface.c

index d20724d3b68d8db9f325c6bb10b58b036712f697..834bb617524b8f081967fd8eedb470969da43758 100644 (file)
@@ -244,12 +244,12 @@ static int intel_sst_mmap_play_capture(u32 str_id,
        int retval, i;
        struct stream_info *stream;
        struct snd_sst_mmap_buff_entry *buf_entry;
+       struct snd_sst_mmap_buff_entry *tmp_buf;
 
        pr_debug("sst:called for str_id %d\n", str_id);
        retval = sst_validate_strid(str_id);
        if (retval)
                return -EINVAL;
-       BUG_ON(!mmap_buf);
 
        stream = &sst_drv_ctx->streams[str_id];
        if (stream->mmapped != true)
@@ -262,14 +262,24 @@ static int intel_sst_mmap_play_capture(u32 str_id,
        stream->curr_bytes = 0;
        stream->cumm_bytes = 0;
 
+       tmp_buf = kcalloc(mmap_buf->entries, sizeof(*tmp_buf), GFP_KERNEL);
+       if (!tmp_buf)
+               return -ENOMEM;
+       if (copy_from_user(tmp_buf, (void __user *)mmap_buf->buff,
+                       mmap_buf->entries * sizeof(*tmp_buf))) {
+               retval = -EFAULT;
+               goto out_free;
+       }
+
        pr_debug("sst:new buffers count %d status %d\n",
                        mmap_buf->entries, stream->status);
-       buf_entry = mmap_buf->buff;
+       buf_entry = tmp_buf;
        for (i = 0; i < mmap_buf->entries; i++) {
-               BUG_ON(!buf_entry);
                bufs = kzalloc(sizeof(*bufs), GFP_KERNEL);
-               if (!bufs)
-                       return -ENOMEM;
+               if (!bufs) {
+                       retval = -ENOMEM;
+                       goto out_free;
+               }
                bufs->size = buf_entry->size;
                bufs->offset = buf_entry->offset;
                bufs->addr = sst_drv_ctx->mmap_mem;
@@ -293,13 +303,15 @@ static int intel_sst_mmap_play_capture(u32 str_id,
                        if (sst_play_frame(str_id) < 0) {
                                pr_warn("sst: play frames fail\n");
                                mutex_unlock(&stream->lock);
-                               return -EIO;
+                               retval = -EIO;
+                               goto out_free;
                        }
                } else if (stream->ops == STREAM_OPS_CAPTURE) {
                        if (sst_capture_frame(str_id) < 0) {
                                pr_warn("sst: capture frame fail\n");
                                mutex_unlock(&stream->lock);
-                               return -EIO;
+                               retval = -EIO;
+                               goto out_free;
                        }
                }
        }
@@ -314,6 +326,9 @@ static int intel_sst_mmap_play_capture(u32 str_id,
        if (retval >= 0)
                retval = stream->cumm_bytes;
        pr_debug("sst:end of play/rec ioctl bytes = %d!!\n", retval);
+
+out_free:
+       kfree(tmp_buf);
        return retval;
 }