On Sun, 2016-08-28 at 19:39 +0200, Nicolas Iooss wrote:
In sst_prepare_and_post_msg(), when a response is received in "block", the following code gets executed:
    *data = kzalloc(block->size, GFP_KERNEL);
    memcpy(data, (void *) block->data, block->size);

The memcpy() call overwrites the content of the *data pointer instead of filling the newly-allocated memory (whose pointer is held by *data). Fix this by using *data in the memcpy() call.
Fixes: 60dc8dbacb00 ("ASoC: Intel: sst: Add some helper functions")
Cc: stable@vger.kernel.org # 3.19.x
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>

 sound/soc/intel/atom/sst/sst_pvt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/intel/atom/sst/sst_pvt.c b/sound/soc/intel/atom/sst/sst_pvt.c index adb32fefd693..7c398b7c9d4b 100644 --- a/sound/soc/intel/atom/sst/sst_pvt.c +++ b/sound/soc/intel/atom/sst/sst_pvt.c @@ -289,7 +289,7 @@ int sst_prepare_and_post_msg(struct intel_sst_drv *sst, ret = -ENOMEM; goto out; } else
memcpy(data, (void *) block->data, block->size);
memcpy(*data, (void *) block->data, block->size);
} } out:
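Review bot: The corrected memcpy(*data, ...) still hangs off an unbraced else whose if branch is braced and ends in goto out, so the else is redundant and the braces are unbalanced against kernel coding style. Since the line is being touched anyway, consider dropping the else and placing the memcpy() after the closing brace of the -ENOMEM check; if the aim is to keep the stable backport to a single changed line, leaving that for a follow-up is reasonable.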
Perhaps this would be nicer using kmemdup too
---
 sound/soc/intel/atom/sst/sst_pvt.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/sound/soc/intel/atom/sst/sst_pvt.c b/sound/soc/intel/atom/sst/sst_pvt.c index adb32fe..b1e6b8f 100644 --- a/sound/soc/intel/atom/sst/sst_pvt.c +++ b/sound/soc/intel/atom/sst/sst_pvt.c @@ -279,17 +279,15 @@ int sst_prepare_and_post_msg(struct intel_sst_drv *sst, if (response) { ret = sst_wait_timeout(sst, block); - if (ret < 0) { + if (ret < 0) goto out; - } else if(block->data) { - if (!data) - goto out; - *data = kzalloc(block->size, GFP_KERNEL); - if (!(*data)) { + + if (data && block->data) { + *data = kmemdup(block->data, block->size, GFP_KERNEL); + if (!*data) { ret = -ENOMEM; goto out; - } else - memcpy(data, (void *) block->data, block->size); + } } } out:
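Review bot: In the new "if (data && block->data)" branch, *data is assigned only when block->data is non-NULL, so a caller that passes data and gets a response without a payload receives ret >= 0 with *data left at whatever it held before; consider setting *data = NULL before the test, or documenting that callers must initialise it. Separately, removing the "memcpy(data, ...)" line means this rewrite carries the same fix as the one-line patch, so if it is taken instead it needs a changelog saying so plus the Fixes: and stable tags; keeping the one-line fix for stable and sending the kmemdup() conversion as a follow-up would keep the backport small.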