Re: Misc 2.5 Fixes: cp-user-cmpci

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Dipankar Sarma <dipankar@in.ibm.com>
To: Andrew Morton <akpm@digeo.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Misc 2.5 Fixes: cp-user-cmpci
Date: Tue, 10 Jun 2003 15:39:50 +0530	[thread overview]
Message-ID: <20030610100950.GE2194@in.ibm.com> (raw)
In-Reply-To: <20030610100905.GD2194@in.ibm.com>



Fix copy/user problems. Not sure why cm_write() needs to do
acces_ok() on buffer twice. Also __get_user() return value isn't checked
in trans_ac3().


 sound/oss/cmpci.c |   19 +++++++++++++------
 1 files changed, 13 insertions(+), 6 deletions(-)

diff -puN sound/oss/cmpci.c~cp-user-cmpci sound/oss/cmpci.c
--- linux-2.5.70-ds/sound/oss/cmpci.c~cp-user-cmpci	2003-06-08 15:36:16.000000000 +0530
+++ linux-2.5.70-ds-dipankar/sound/oss/cmpci.c	2003-06-08 20:39:03.000000000 +0530
@@ -588,7 +588,8 @@ static void trans_ac3(struct cm_state *s
 	unsigned short *src = (unsigned short *)source;
 
 	do {
-		data = (unsigned long) *src++;
+		__get_user(data, src);
+		src++;
 		data <<= 12;			// ok for 16-bit data
 		if (s->spdif_counter == 2 || s->spdif_counter == 3)
 			data |= 0x40000000;	// indicate AC-3 raw data
@@ -1600,9 +1601,9 @@ static ssize_t cm_write(struct file *fil
 			return -ENXIO;
 		if (!s->dma_adc.ready && (ret = prog_dmabuf(s, 1)))
 			return ret;
-		if (!access_ok(VERIFY_READ, buffer, count))
-			return -EFAULT;
 	}
+	if (!access_ok(VERIFY_READ, buffer, count))
+		return -EFAULT;
 	ret = 0;
 
 	while (count > 0) {
@@ -1662,15 +1663,21 @@ static ssize_t cm_write(struct file *fil
 			swptr = (swptr + 2 * cnt) % s->dma_dac.dmasize;
 		} else if (s->status & DO_DUAL_DAC) {
 			int	i;
-			unsigned long *src, *dst0, *dst1;
+			unsigned long *src, *dst0, *dst1, data;
 
 			src = (unsigned long *) buffer;
 			dst0 = (unsigned long *) (s->dma_dac.rawbuf + swptr);
 			dst1 = (unsigned long *) (s->dma_adc.rawbuf + swptr);
 			// copy left/right sample at one time
 			for (i = 0; i <= cnt / 4; i++) {
-				*dst0++ = *src++;
-				*dst1++ = *src++;
+				if (__get_user(data, src))
+					return ret ? ret : -EFAULT;
+				*dst0++ = data;
+				src++;
+				if (__get_user(data, src))
+					return ret ? ret : -EFAULT;
+				*dst1++ = data;
+				src++;
 			}
 			swptr = (swptr + cnt) % s->dma_dac.dmasize;
 		} else {

_

next prev parent reply	other threads:[~2003-06-10  9:53 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-06-10 10:05 Misc 2.5 Fixes: Summary Dipankar Sarma
2003-06-10 10:05 ` Joshua Kwan
2003-06-10 10:11   ` Joshua Kwan
2003-06-10 10:06 ` Misc 2.5 Fixes: arcnet-oops-fix Dipankar Sarma
2003-06-10 10:07   ` Misc 2.5 Fixes: x25-facilities-parse Dipankar Sarma
2003-06-10 10:09     ` Misc 2.5 Fixes: cp-user-awe Dipankar Sarma
2003-06-10 10:09       ` Dipankar Sarma [this message]
2003-06-10 10:10         ` Misc 2.5 Fixes: cp-user-eicon Dipankar Sarma
2003-06-10 10:11           ` Misc 2.5 Fixes: cp-user-intermezzo Dipankar Sarma
2003-06-10 10:13             ` Misc 2.5 Fixes: cp-user-mdc800 Dipankar Sarma
2003-06-10 10:15               ` Misc 2.5 Fixes: cp-user-mpu401 Dipankar Sarma
2003-06-10 10:18                 ` Misc 2.5 Fixes: cp-user-sisfb Dipankar Sarma
2003-06-10 10:20                   ` Misc 2.5 Fixes: cp-user-vicam Dipankar Sarma
2003-06-10 10:22                     ` Misc 2.5 Fixes: cp-user-zoran Dipankar Sarma
2003-06-10 10:23                       ` Misc 2.5 Fixes: mem-leak-emu10k1 Dipankar Sarma
2003-06-10 10:24                         ` Misc 2.5 Fixes: mem-leak-rio Dipankar Sarma
2003-06-10 10:25                           ` Misc 2.5 Fixes: resrc-leak-i810 Dipankar Sarma
2003-06-10 14:53                       ` Misc 2.5 Fixes: cp-user-zoran Hollis Blanchard
2003-06-11 10:48                     ` Misc 2.5 Fixes: cp-user-vicam Dipankar Sarma
2003-06-11 12:18                       ` Alan Cox
2003-06-11 12:38                         ` Dipankar Sarma
2003-06-10 16:31                   ` Misc 2.5 Fixes: cp-user-sisfb Thomas Winischhofer
2003-06-10 17:34                     ` Dipankar Sarma
2003-06-10 18:29                       ` James Simmons
2003-06-10 14:38         ` Misc 2.5 Fixes: cp-user-cmpci Hollis Blanchard

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20030610100950.GE2194@in.ibm.com \
    --to=dipankar@in.ibm.com \
    --cc=akpm@digeo.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox