From b89be81edaaacd4681f7daffe6c2d61900c92326 Mon Sep 17 00:00:00 2001 From: Zidan Wang Date: Fri, 27 Nov 2015 13:50:12 +0800 Subject: MLK-11915-12 ASoC: fsl_asrc_m2m: fix null check issue for variable m2m and pair After allocating memory for m2m, we should null check for m2m instead of pair. In fsl_asrc_close(), null-checking pair suggests that it may be null, but it has already been dereferenced before the null check. pair will be alloceted in fsl_asrc_open(), pair is null means that open dev file failed, and close should not be called in user space. So remove null check for pair. buf_len should not greater than ASRC_DMA_BUFFER_SIZE, otherwith dma buffer will be overrun. Reported by Coverity. Signed-off-by: Zidan Wang (cherry picked from commit b0dc15375b12b6c1bf46b9071b92267b827d8ce0) --- sound/soc/fsl/fsl_asrc_m2m.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'sound/soc/fsl/fsl_asrc_m2m.c') diff --git a/sound/soc/fsl/fsl_asrc_m2m.c b/sound/soc/fsl/fsl_asrc_m2m.c index a7defb59bfcf..8de37d46940d 100644 --- a/sound/soc/fsl/fsl_asrc_m2m.c +++ b/sound/soc/fsl/fsl_asrc_m2m.c @@ -273,8 +273,9 @@ static int fsl_asrc_prepare_io_buffer(struct fsl_asrc_pair *pair, else word_size = 2; - if (buf_len < word_size * pair->channels * wm) { - pair_err("%sput buffer size is too small: [%d]\n", + if (buf_len < word_size * pair->channels * wm || + buf_len > ASRC_DMA_BUFFER_SIZE) { + pair_err("%sput buffer size is error: [%d]\n", DIR_STR(dir), buf_len); return -EINVAL; } @@ -824,7 +825,7 @@ static int fsl_asrc_open(struct inode *inode, struct file *file) } m2m = kzalloc(sizeof(struct fsl_asrc_m2m), GFP_KERNEL); - if (!pair) { + if (!m2m) { dev_err(dev, "failed to allocate m2m resource\n"); return -ENOMEM; } @@ -853,9 +854,6 @@ static int fsl_asrc_close(struct inode *inode, struct file *file) unsigned long lock_flags; int i; - if (!pair) - goto out; - /* Make sure we have clear the pointer */ spin_lock_irqsave(&asrc_priv->lock, lock_flags); for (i = 0; i < ASRC_PAIR_MAX_NUM; i++) @@ -897,7 +895,6 @@ static int fsl_asrc_close(struct inode *inode, struct file *file) spin_unlock_irqrestore(&asrc_priv->lock, lock_flags); file->private_data = NULL; -out: pm_runtime_put_sync(dev); return 0; -- cgit v1.2.3