There can be a small memory hole that may not be cleared at expanding an event with the variable length type. Make sure to clear it.
Signed-off-by: Takashi Iwai tiwai@suse.de --- sound/core/seq/seq_memory.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c index 47ef6bc30c0e..c8d26bce69ff 100644 --- a/sound/core/seq/seq_memory.c +++ b/sound/core/seq/seq_memory.c @@ -152,12 +152,16 @@ int snd_seq_expand_var_event(const struct snd_seq_event *event, int count, char return -EINVAL; if (copy_from_user(buf, (void __force __user *)event->data.ext.ptr, len)) return -EFAULT; - return newlen; + } else { + err = snd_seq_dump_var_event(event, + in_kernel ? seq_copy_in_kernel : seq_copy_in_user, + &buf); + if (err < 0) + return err; } - err = snd_seq_dump_var_event(event, - in_kernel ? seq_copy_in_kernel : seq_copy_in_user, - &buf); - return err < 0 ? err : newlen; + if (len != newlen) + memset(buf + len, 0, newlen - len); + return newlen; } EXPORT_SYMBOL(snd_seq_expand_var_event);