From fc1c428eb46af8183be771d2c78b3902acbeffe3 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 28 Dec 2017 14:43:06 -0500 Subject: usx2y: don't bother with access_ok() in ->dsp_load() memdup_user() checks it, so the only effect would be failing with -EINVAL instead of -EFAULT in case when access_ok() is false. However, the caller has already checked access_ok() itself (and would have buggered off with -EFAULT), so the check is completely pointless. Removing it both simplifies the only instance of ->dsp_load() and allows to get rid of the check in caller - its sole effect used to be in preventing a bogus error value from access_ok() in the instance. Let memdup_user() do the right thing instead... Signed-off-by: Al Viro --- sound/usb/usx2y/usX2Yhwdep.c | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) (limited to 'sound') diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c index f4b3cda..2bbcf4a 100644 --- a/sound/usb/usx2y/usX2Yhwdep.c +++ b/sound/usb/usx2y/usX2Yhwdep.c @@ -198,24 +198,22 @@ static int snd_usX2Y_hwdep_dsp_load(struct snd_hwdep *hw, struct snd_hwdep_dsp_image *dsp) { struct usX2Ydev *priv = hw->private_data; - int lret, err = -EINVAL; - snd_printdd( "dsp_load %s\n", dsp->name); + struct usb_device* dev = priv->dev; + int lret, err; + char *buf; - if (access_ok(VERIFY_READ, dsp->image, dsp->length)) { - struct usb_device* dev = priv->dev; - char *buf; + snd_printdd( "dsp_load %s\n", dsp->name); - buf = memdup_user(dsp->image, dsp->length); - if (IS_ERR(buf)) - return PTR_ERR(buf); + buf = memdup_user(dsp->image, dsp->length); + if (IS_ERR(buf)) + return PTR_ERR(buf); - err = usb_set_interface(dev, 0, 1); - if (err) - snd_printk(KERN_ERR "usb_set_interface error \n"); - else - err = usb_bulk_msg(dev, usb_sndbulkpipe(dev, 2), buf, dsp->length, &lret, 6000); - kfree(buf); - } + err = usb_set_interface(dev, 0, 1); + if (err) + snd_printk(KERN_ERR "usb_set_interface error \n"); + else + err = usb_bulk_msg(dev, usb_sndbulkpipe(dev, 2), buf, dsp->length, &lret, 6000); + kfree(buf); if (err) return err; if (dsp->index == 1) { -- cgit v1.1 From 446bd647ceee73fbed50404daece9cbcec751f66 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 28 Dec 2017 16:30:22 -0500 Subject: snd_hwdep_dsp_load(): don't bother with access_ok() the only remaining instance of ->dsp_load() doesn't need it. Signed-off-by: Al Viro --- sound/core/hwdep.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'sound') diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c index 8faae3d..25b8f22 100644 --- a/sound/core/hwdep.c +++ b/sound/core/hwdep.c @@ -233,8 +233,6 @@ static int snd_hwdep_dsp_load(struct snd_hwdep *hw, /* check whether the dsp was already loaded */ if (hw->dsp_loaded & (1 << info.index)) return -EBUSY; - if (!access_ok(VERIFY_READ, info.image, info.length)) - return -EFAULT; err = hw->ops.dsp_load(hw, &info); if (err < 0) return err; -- cgit v1.1 From 3d46d7108dd3ff8b1d477bc2b7b061b12690e83c Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 28 Dec 2017 17:22:51 -0500 Subject: usx2y: don't bother with memdup_user() for 16-byte structure ... when it can bloody well go into a local variable. Signed-off-by: Al Viro --- sound/usb/usx2y/us122l.c | 43 ++++++++++++++++++------------------------- 1 file changed, 18 insertions(+), 25 deletions(-) (limited to 'sound') diff --git a/sound/usb/usx2y/us122l.c b/sound/usb/usx2y/us122l.c index 159da1f..8c39417 100644 --- a/sound/usb/usx2y/us122l.c +++ b/sound/usb/usx2y/us122l.c @@ -378,7 +378,7 @@ out: static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, unsigned cmd, unsigned long arg) { - struct usb_stream_config *cfg; + struct usb_stream_config cfg; struct us122l *us122l = hw->private_data; struct usb_stream *s; unsigned min_period_frames; @@ -388,24 +388,21 @@ static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, if (cmd != SNDRV_USB_STREAM_IOCTL_SET_PARAMS) return -ENOTTY; - cfg = memdup_user((void *)arg, sizeof(*cfg)); - if (IS_ERR(cfg)) - return PTR_ERR(cfg); + if (copy_from_user(&cfg, (void __user *)arg, sizeof(cfg))) + return -EFAULT; + + if (cfg.version != USB_STREAM_INTERFACE_VERSION) + return -ENXIO; - if (cfg->version != USB_STREAM_INTERFACE_VERSION) { - err = -ENXIO; - goto free; - } high_speed = us122l->dev->speed == USB_SPEED_HIGH; - if ((cfg->sample_rate != 44100 && cfg->sample_rate != 48000 && + if ((cfg.sample_rate != 44100 && cfg.sample_rate != 48000 && (!high_speed || - (cfg->sample_rate != 88200 && cfg->sample_rate != 96000))) || - cfg->frame_size != 6 || - cfg->period_frames > 0x3000) { - err = -EINVAL; - goto free; - } - switch (cfg->sample_rate) { + (cfg.sample_rate != 88200 && cfg.sample_rate != 96000))) || + cfg.frame_size != 6 || + cfg.period_frames > 0x3000) + return -EINVAL; + + switch (cfg.sample_rate) { case 44100: min_period_frames = 48; break; @@ -418,10 +415,8 @@ static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, } if (!high_speed) min_period_frames <<= 1; - if (cfg->period_frames < min_period_frames) { - err = -EINVAL; - goto free; - } + if (cfg.period_frames < min_period_frames) + return -EINVAL; snd_power_wait(hw->card, SNDRV_CTL_POWER_D0); @@ -430,24 +425,22 @@ static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, if (!us122l->master) us122l->master = file; else if (us122l->master != file) { - if (!s || memcmp(cfg, &s->cfg, sizeof(*cfg))) { + if (!s || memcmp(&cfg, &s->cfg, sizeof(cfg))) { err = -EIO; goto unlock; } us122l->slave = file; } - if (!s || memcmp(cfg, &s->cfg, sizeof(*cfg)) || + if (!s || memcmp(&cfg, &s->cfg, sizeof(cfg)) || s->state == usb_stream_xrun) { us122l_stop(us122l); - if (!us122l_start(us122l, cfg->sample_rate, cfg->period_frames)) + if (!us122l_start(us122l, cfg.sample_rate, cfg.period_frames)) err = -EIO; else err = 1; } unlock: mutex_unlock(&us122l->mutex); -free: - kfree(cfg); wake_up_all(&us122l->sk.sleep); return err; } -- cgit v1.1 From 88a890375fa2fd9b54083979403243ab24a3ca35 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 7 Jan 2018 13:09:15 -0500 Subject: replace_user_tlv(): switch to vmemdup_user() Signed-off-by: Al Viro --- sound/core/control.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'sound') diff --git a/sound/core/control.c b/sound/core/control.c index 56b3e2d..eaef67b 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include @@ -1129,7 +1130,7 @@ static int replace_user_tlv(struct snd_kcontrol *kctl, unsigned int __user *buf, if (size > 1024 * 128) /* sane value */ return -EINVAL; - container = memdup_user(buf, size); + container = vmemdup_user(buf, size); if (IS_ERR(container)) return PTR_ERR(container); @@ -1137,7 +1138,7 @@ static int replace_user_tlv(struct snd_kcontrol *kctl, unsigned int __user *buf, if (!change) change = memcmp(ue->tlv_data, container, size) != 0; if (!change) { - kfree(container); + kvfree(container); return 0; } @@ -1148,7 +1149,7 @@ static int replace_user_tlv(struct snd_kcontrol *kctl, unsigned int __user *buf, mask = SNDRV_CTL_EVENT_MASK_INFO; } - kfree(ue->tlv_data); + kvfree(ue->tlv_data); ue->tlv_data = container; ue->tlv_data_size = size; @@ -1225,7 +1226,7 @@ static void snd_ctl_elem_user_free(struct snd_kcontrol *kcontrol) { struct user_element *ue = kcontrol->private_data; - kfree(ue->tlv_data); + kvfree(ue->tlv_data); kfree(ue->priv_data); kfree(ue); } -- cgit v1.1 From 59aeaf3fef9dcf59dc595390dd5b89dfedcb8926 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 7 Jan 2018 13:11:03 -0500 Subject: snd_ctl_elem_init_enum_names(): switch to vmemdup_user() Signed-off-by: Al Viro --- sound/core/control.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'sound') diff --git a/sound/core/control.c b/sound/core/control.c index eaef67b..d16b53d 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1198,7 +1198,7 @@ static int snd_ctl_elem_init_enum_names(struct user_element *ue) if (ue->info.value.enumerated.names_length > 64 * 1024) return -EINVAL; - names = memdup_user((const void __user *)user_ptrval, + names = vmemdup_user((const void __user *)user_ptrval, ue->info.value.enumerated.names_length); if (IS_ERR(names)) return PTR_ERR(names); @@ -1209,7 +1209,7 @@ static int snd_ctl_elem_init_enum_names(struct user_element *ue) for (i = 0; i < ue->info.value.enumerated.items; ++i) { name_len = strnlen(p, buf_len); if (name_len == 0 || name_len >= 64 || name_len == buf_len) { - kfree(names); + kvfree(names); return -EINVAL; } p += name_len + 1; @@ -1227,7 +1227,7 @@ static void snd_ctl_elem_user_free(struct snd_kcontrol *kcontrol) struct user_element *ue = kcontrol->private_data; kvfree(ue->tlv_data); - kfree(ue->priv_data); + kvfree(ue->priv_data); kfree(ue); } -- cgit v1.1