linux.git/drivers/staging/intel_sst, branch v2.6.37 Linux kernel source tree Merge branch 'master' into work 2010-11-29T18:44:22+00:00 Greg Kroah-Hartman gregkh@suse.de 2010-11-29T18:44:22+00:00 8d7ee9c498e29026aa2a99db40c0032bfe2d4fdf 






BKL: remove extraneous #include <smp_lock.h>
2010-11-17T16:59:32+00:00

Arnd Bergmann
arnd@arndb.de

2010-11-17T15:26:55+00:00

451a3c24b0135bce54542009b5fde43846c7cf67

The big kernel lock has been removed from all these files at some point,
leaving only the #include.

Remove this too as a cleanup.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>





The big kernel lock has been removed from all these files at some point,
leaving only the #include.

Remove this too as a cleanup.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>







Staging: intel_sst: fix memory leak
2010-11-16T20:25:53+00:00

Dan Carpenter
error27@gmail.com

2010-11-13T08:58:26+00:00

3251627c943f1cfc5bfad7c38d4e8d85cf44c6d8

The original code set "str_info->decode_ibuf" to NULL so the kfree() is
no-op.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Harsha Priya <priya.harsha@intel.com>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





The original code set "str_info->decode_ibuf" to NULL so the kfree() is
no-op.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Harsha Priya <priya.harsha@intel.com>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







Staging: sst: add some __user anotations
2010-11-09T21:31:49+00:00

Dan Carpenter
error27@gmail.com

2010-10-20T06:58:30+00:00

4fc718a4b0cdf3803f370e323ea5252a3d76f52d

This silences all the sparse warnings in intel_sst_app_interface.c.
It was just a matter of adding __user annotations, I didn't find any
real bugs here.  Quite a few of these were needed for stuff I added
earlier, sorry about that.

I removed a couple casts to (void *) that caused a warning like:
	drivers/staging/intel_sst/intel_sst_app_interface.c:606:27:
		warning: cast removes address space of expression
For example sst_drv_ctx->mailbox is already declared as
"void __iomem *mailbox" so casting it to void pointer isn't necessary
and it makes sparse complain because it removes the __user attribute.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





This silences all the sparse warnings in intel_sst_app_interface.c.
It was just a matter of adding __user annotations, I didn't find any
real bugs here.  Quite a few of these were needed for stuff I added
earlier, sorry about that.

I removed a couple casts to (void *) that caused a warning like:
	drivers/staging/intel_sst/intel_sst_app_interface.c:606:27:
		warning: cast removes address space of expression
For example sst_drv_ctx->mailbox is already declared as
"void __iomem *mailbox" so casting it to void pointer isn't necessary
and it makes sparse complain because it removes the __user attribute.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







Staging: sst: user pointers in intel_sst_mmap_play_capture()
2010-11-09T21:31:48+00:00

Dan Carpenter
error27@gmail.com

2010-10-20T06:57:34+00:00

08da782b1a58fd63199928176909e103477c933a

There were some places in intel_sst_mmap_play_capture() that
dereferenced user pointers instead of copying the data to the kernel.

I removed the BUG_ON(!mmap_buf) and BUG_ON(!buf_entry) since those are
never possible in the current code.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





There were some places in intel_sst_mmap_play_capture() that
dereferenced user pointers instead of copying the data to the kernel.

I removed the BUG_ON(!mmap_buf) and BUG_ON(!buf_entry) since those are
never possible in the current code.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







Staging: sst: fixups in SNDRV_SST_STREAM_DECODE
2010-11-09T21:30:49+00:00

Dan Carpenter
error27@gmail.com

2010-10-19T05:57:48+00:00

e9f25689a86570c30d3f101b1f9834a579bed2e5

This is another patch about copying data to the kernel before using it.

SNDRV_SST_STREAM_DECODE is sort of tricky because we need to do a
copy_from_user() that gives us another two pointers and we have copy
those.  Those again give us some more pointers that we have to copy.

Besides those problems, the code had a stack overflow:
-	struct snd_sst_buff_entry ibuf_temp[param->ibufs->entries],
-		obuf_temp[param->obufs->entries];
param->ibufs->entries comes from the user.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





This is another patch about copying data to the kernel before using it.

SNDRV_SST_STREAM_DECODE is sort of tricky because we need to do a
copy_from_user() that gives us another two pointers and we have copy
those.  Those again give us some more pointers that we have to copy.

Besides those problems, the code had a stack overflow:
-	struct snd_sst_buff_entry ibuf_temp[param->ibufs->entries],
-		obuf_temp[param->obufs->entries];
param->ibufs->entries comes from the user.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







Staging: sst: more dereferencing user pointers
2010-11-09T21:30:48+00:00

Dan Carpenter
error27@gmail.com

2010-10-19T05:57:04+00:00

bc704e31edc723a84c2469f26aa0279e1ddb948e

This is another patch about making a copy of the data into kernel space
before using it.  It is easy to trigger a kernel oops in the original
code.  If you passed a NULL to SNDRV_SST_SET_TARGET_DEVICE then it
called BUG_ON().  And SNDRV_SST_DRIVER_INFO would let you write the
information to arbitrary memory locations which is a security violation.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





This is another patch about making a copy of the data into kernel space
before using it.  It is easy to trigger a kernel oops in the original
code.  If you passed a NULL to SNDRV_SST_SET_TARGET_DEVICE then it
called BUG_ON().  And SNDRV_SST_DRIVER_INFO would let you write the
information to arbitrary memory locations which is a security violation.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







Staging: sst: dereferencing user pointers
2010-11-09T21:30:48+00:00

Dan Carpenter
error27@gmail.com

2010-10-19T05:56:24+00:00

3b97eed201376db6c4487fc846022eb4ffa7e1f9

This code dereferences user supplied pointers directly instead of doing
a copy_from_user().  Some kernel configs put user and kernel memory in
different address spaces so this code isn't portable.  Also the user
memory could be swapped out or in this case the pointer could just be
NULL leading to an oops.

Another thing is that it makes permission tests like this sort of
meaningless.
	if (minor == STREAM_MODULE && rec_mute->stream_id == 0) {
		retval = -EPERM;
		break;
	}
The user could set stream_id to 1 for the test and then change it later.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





This code dereferences user supplied pointers directly instead of doing
a copy_from_user().  Some kernel configs put user and kernel memory in
different address spaces so this code isn't portable.  Also the user
memory could be swapped out or in this case the pointer could just be
NULL leading to an oops.

Another thing is that it makes permission tests like this sort of
meaningless.
	if (minor == STREAM_MODULE && rec_mute->stream_id == 0) {
		retval = -EPERM;
		break;
	}
The user could set stream_id to 1 for the test and then change it later.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







Staging: sst: more copy_to_user() changes
2010-10-15T22:42:26+00:00

Dan Carpenter
error27@gmail.com

2010-10-15T19:10:44+00:00

388b2b97ba03242145227821c77791e713d6057b

Vinod wanted the copy_to_user() calls in this format:
	if (copy_to_user())
		retval = -EFAULT;
instead of this:
	retval = copy_to_user();
	if (retval)
		retval = -EFAULt;

I've done that for the whole intel_sst_app_interface.c file.  In the
process I noticed a couple more places that returned -EBUSY or -EAGAIN
instead of -EFAULT.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





Vinod wanted the copy_to_user() calls in this format:
	if (copy_to_user())
		retval = -EFAULT;
instead of this:
	retval = copy_to_user();
	if (retval)
		retval = -EFAULt;

I've done that for the whole intel_sst_app_interface.c file.  In the
process I noticed a couple more places that returned -EBUSY or -EAGAIN
instead of -EFAULT.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







Staging: intel_sst: off by one bug
2010-10-15T22:42:26+00:00

Dan Carpenter
error27@gmail.com

2010-10-15T20:36:48+00:00

9f407840bb888e683fa844b1b80eec54ced84653

This should be >= instead of > or we go passed the end of the array.

Also the arrays are declared with size MAX_NUM_STREAMS.  This is the
only place that uses MAX_NUM_STREAMS_MFLD.  It seems like asking for
trouble to use two variables for the same information.  I've changed
everything to use MAX_NUM_STREAMS.

This bug isn't really harmful.  In the worst case, if you enabled
debugging then you would see a message.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





This should be >= instead of > or we go passed the end of the array.

Also the arrays are declared with size MAX_NUM_STREAMS.  This is the
only place that uses MAX_NUM_STREAMS_MFLD.  It seems like asking for
trouble to use two variables for the same information.  I've changed
everything to use MAX_NUM_STREAMS.

This bug isn't really harmful.  In the worst case, if you enabled
debugging then you would see a message.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>