sound/core/pcm_compat.c:507 snd_pcm_ioctl_sync_ptr_buggy() error: copy_from_user() 'sync_cp' too small (16 vs 20)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: sound/core/pcm_compat.c:507 snd_pcm_ioctl_sync_ptr_buggy() error: copy_from_user() 'sync_cp' too small (16 vs 20)
Date: Sun, 23 Jan 2022 10:47:01 +0800	[thread overview]
Message-ID: <202201231006.a09w1SNC-lkp@intel.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 5032 bytes --]

CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Takashi Iwai <tiwai@suse.de>
CC: Arnd Bergmann <arnd@arndb.de>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   1c52283265a462a100ae63ddf58b4e5884acde86
commit: 228af5a4fa3a8293bd8b7ac5cf59548ee29627bf ALSA: pcm: Workaround for a wrong offset in SYNC_PTR compat ioctl
date:   3 months ago
:::::: branch date: 17 hours ago
:::::: commit date: 3 months ago
config: powerpc64-randconfig-m031-20220120 (https://download.01.org/0day-ci/archive/20220123/202201231006.a09w1SNC-lkp(a)intel.com/config)
compiler: powerpc64-linux-gcc (GCC) 11.2.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
sound/core/pcm_compat.c:507 snd_pcm_ioctl_sync_ptr_buggy() error: copy_from_user() 'sync_cp' too small (16 vs 20)

vim +/sync_cp +507 sound/core/pcm_compat.c

228af5a4fa3a82 Takashi Iwai 2021-10-10  492  
228af5a4fa3a82 Takashi Iwai 2021-10-10  493  static int snd_pcm_ioctl_sync_ptr_buggy(struct snd_pcm_substream *substream,
228af5a4fa3a82 Takashi Iwai 2021-10-10  494  					struct snd_pcm_sync_ptr __user *_sync_ptr)
228af5a4fa3a82 Takashi Iwai 2021-10-10  495  {
228af5a4fa3a82 Takashi Iwai 2021-10-10  496  	struct snd_pcm_runtime *runtime = substream->runtime;
228af5a4fa3a82 Takashi Iwai 2021-10-10  497  	struct snd_pcm_sync_ptr sync_ptr;
228af5a4fa3a82 Takashi Iwai 2021-10-10  498  	struct __snd_pcm_mmap_control64_buggy *sync_cp;
228af5a4fa3a82 Takashi Iwai 2021-10-10  499  	volatile struct snd_pcm_mmap_status *status;
228af5a4fa3a82 Takashi Iwai 2021-10-10  500  	volatile struct snd_pcm_mmap_control *control;
228af5a4fa3a82 Takashi Iwai 2021-10-10  501  	int err;
228af5a4fa3a82 Takashi Iwai 2021-10-10  502  
228af5a4fa3a82 Takashi Iwai 2021-10-10  503  	memset(&sync_ptr, 0, sizeof(sync_ptr));
228af5a4fa3a82 Takashi Iwai 2021-10-10  504  	sync_cp = (struct __snd_pcm_mmap_control64_buggy *)&sync_ptr.c.control;
228af5a4fa3a82 Takashi Iwai 2021-10-10  505  	if (get_user(sync_ptr.flags, (unsigned __user *)&(_sync_ptr->flags)))
228af5a4fa3a82 Takashi Iwai 2021-10-10  506  		return -EFAULT;
228af5a4fa3a82 Takashi Iwai 2021-10-10 @507  	if (copy_from_user(sync_cp, &(_sync_ptr->c.control), sizeof(*sync_cp)))
228af5a4fa3a82 Takashi Iwai 2021-10-10  508  		return -EFAULT;
228af5a4fa3a82 Takashi Iwai 2021-10-10  509  	status = runtime->status;
228af5a4fa3a82 Takashi Iwai 2021-10-10  510  	control = runtime->control;
228af5a4fa3a82 Takashi Iwai 2021-10-10  511  	if (sync_ptr.flags & SNDRV_PCM_SYNC_PTR_HWSYNC) {
228af5a4fa3a82 Takashi Iwai 2021-10-10  512  		err = snd_pcm_hwsync(substream);
228af5a4fa3a82 Takashi Iwai 2021-10-10  513  		if (err < 0)
228af5a4fa3a82 Takashi Iwai 2021-10-10  514  			return err;
228af5a4fa3a82 Takashi Iwai 2021-10-10  515  	}
228af5a4fa3a82 Takashi Iwai 2021-10-10  516  	snd_pcm_stream_lock_irq(substream);
228af5a4fa3a82 Takashi Iwai 2021-10-10  517  	if (!(sync_ptr.flags & SNDRV_PCM_SYNC_PTR_APPL)) {
228af5a4fa3a82 Takashi Iwai 2021-10-10  518  		err = pcm_lib_apply_appl_ptr(substream, sync_cp->appl_ptr);
228af5a4fa3a82 Takashi Iwai 2021-10-10  519  		if (err < 0) {
228af5a4fa3a82 Takashi Iwai 2021-10-10  520  			snd_pcm_stream_unlock_irq(substream);
228af5a4fa3a82 Takashi Iwai 2021-10-10  521  			return err;
228af5a4fa3a82 Takashi Iwai 2021-10-10  522  		}
228af5a4fa3a82 Takashi Iwai 2021-10-10  523  	} else {
228af5a4fa3a82 Takashi Iwai 2021-10-10  524  		sync_cp->appl_ptr = control->appl_ptr;
228af5a4fa3a82 Takashi Iwai 2021-10-10  525  	}
228af5a4fa3a82 Takashi Iwai 2021-10-10  526  	if (!(sync_ptr.flags & SNDRV_PCM_SYNC_PTR_AVAIL_MIN))
228af5a4fa3a82 Takashi Iwai 2021-10-10  527  		control->avail_min = sync_cp->avail_min;
228af5a4fa3a82 Takashi Iwai 2021-10-10  528  	else
228af5a4fa3a82 Takashi Iwai 2021-10-10  529  		sync_cp->avail_min = control->avail_min;
228af5a4fa3a82 Takashi Iwai 2021-10-10  530  	sync_ptr.s.status.state = status->state;
228af5a4fa3a82 Takashi Iwai 2021-10-10  531  	sync_ptr.s.status.hw_ptr = status->hw_ptr;
228af5a4fa3a82 Takashi Iwai 2021-10-10  532  	sync_ptr.s.status.tstamp = status->tstamp;
228af5a4fa3a82 Takashi Iwai 2021-10-10  533  	sync_ptr.s.status.suspended_state = status->suspended_state;
228af5a4fa3a82 Takashi Iwai 2021-10-10  534  	sync_ptr.s.status.audio_tstamp = status->audio_tstamp;
228af5a4fa3a82 Takashi Iwai 2021-10-10  535  	snd_pcm_stream_unlock_irq(substream);
228af5a4fa3a82 Takashi Iwai 2021-10-10  536  	if (copy_to_user(_sync_ptr, &sync_ptr, sizeof(sync_ptr)))
228af5a4fa3a82 Takashi Iwai 2021-10-10  537  		return -EFAULT;
228af5a4fa3a82 Takashi Iwai 2021-10-10  538  	return 0;
228af5a4fa3a82 Takashi Iwai 2021-10-10  539  }
228af5a4fa3a82 Takashi Iwai 2021-10-10  540  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

next             reply	other threads:[~2022-01-23  2:47 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-23  2:47 kernel test robot [this message]
  -- strict thread matches above, loose matches on Subject: below --
2022-01-23 20:37 sound/core/pcm_compat.c:507 snd_pcm_ioctl_sync_ptr_buggy() error: copy_from_user() 'sync_cp' too small (16 vs 20) kernel test robot
2022-02-24 11:15 kernel test robot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202201231006.a09w1SNC-lkp@intel.com \
    --to=lkp@intel.com \
    --cc=kbuild@lists.01.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.