diff options
author | Zidan Wang <zidan.wang@freescale.com> | 2015-11-27 13:50:12 +0800 |
---|---|---|
committer | Dong Aisheng <aisheng.dong@nxp.com> | 2019-11-25 15:48:22 +0800 |
commit | b89be81edaaacd4681f7daffe6c2d61900c92326 (patch) | |
tree | 284dbb9025c3cb7a26e8b306f94c11b2ba8320f9 /sound/soc/fsl/fsl_asrc_m2m.c | |
parent | 5008702eea24dd434a270524c9751d3d6fcd5494 (diff) |
MLK-11915-12 ASoC: fsl_asrc_m2m: fix null check issue for variable m2m and pair
After allocating memory for m2m, we should null check for m2m instead of pair.
In fsl_asrc_close(), null-checking pair suggests that it may be null, but it
has already been dereferenced before the null check. pair will be alloceted
in fsl_asrc_open(), pair is null means that open dev file failed, and
close should not be called in user space. So remove null check for pair.
buf_len should not greater than ASRC_DMA_BUFFER_SIZE, otherwith dma buffer will
be overrun.
Reported by Coverity.
Signed-off-by: Zidan Wang <zidan.wang@freescale.com>
(cherry picked from commit b0dc15375b12b6c1bf46b9071b92267b827d8ce0)
Diffstat (limited to 'sound/soc/fsl/fsl_asrc_m2m.c')
-rw-r--r-- | sound/soc/fsl/fsl_asrc_m2m.c | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/sound/soc/fsl/fsl_asrc_m2m.c b/sound/soc/fsl/fsl_asrc_m2m.c index a7defb59bfcf..8de37d46940d 100644 --- a/sound/soc/fsl/fsl_asrc_m2m.c +++ b/sound/soc/fsl/fsl_asrc_m2m.c @@ -273,8 +273,9 @@ static int fsl_asrc_prepare_io_buffer(struct fsl_asrc_pair *pair, else word_size = 2; - if (buf_len < word_size * pair->channels * wm) { - pair_err("%sput buffer size is too small: [%d]\n", + if (buf_len < word_size * pair->channels * wm || + buf_len > ASRC_DMA_BUFFER_SIZE) { + pair_err("%sput buffer size is error: [%d]\n", DIR_STR(dir), buf_len); return -EINVAL; } @@ -824,7 +825,7 @@ static int fsl_asrc_open(struct inode *inode, struct file *file) } m2m = kzalloc(sizeof(struct fsl_asrc_m2m), GFP_KERNEL); - if (!pair) { + if (!m2m) { dev_err(dev, "failed to allocate m2m resource\n"); return -ENOMEM; } @@ -853,9 +854,6 @@ static int fsl_asrc_close(struct inode *inode, struct file *file) unsigned long lock_flags; int i; - if (!pair) - goto out; - /* Make sure we have clear the pointer */ spin_lock_irqsave(&asrc_priv->lock, lock_flags); for (i = 0; i < ASRC_PAIR_MAX_NUM; i++) @@ -897,7 +895,6 @@ static int fsl_asrc_close(struct inode *inode, struct file *file) spin_unlock_irqrestore(&asrc_priv->lock, lock_flags); file->private_data = NULL; -out: pm_runtime_put_sync(dev); return 0; |