2018-12-24 08:40:50

by Huang Zijiang

Subject: [PATCH] sound:emu10k1:Use kmemdup instead of duplicating its function

From: "huang.zijiang" <[email protected]>

kmemdup has implemented the function that kmalloc() and memcpy().

Signed-off-by: huang.zijiang <[email protected]>
---
sound/pci/emu10k1/emufx.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c
index 6ebe817..b4fe4c5 100644
--- a/sound/pci/emu10k1/emufx.c
+++ b/sound/pci/emu10k1/emufx.c
@@ -671,10 +671,9 @@ static unsigned int *copy_tlv(const unsigned int __user *_tlv, bool in_kernel)
return NULL;
if (data[1] >= MAX_TLV_SIZE)
return NULL;
- tlv = kmalloc(data[1] + sizeof(data), GFP_KERNEL);
+ tlv = kmemdup(data, data[1] + sizeof(data), GFP_KERNEL);
if (!tlv)
return NULL;
- memcpy(tlv, data, sizeof(data));
if (in_kernel) {
memcpy(tlv + 2, (__force void *)(_tlv + 2), data[1]);
} else if (copy_from_user(tlv + 2, _tlv + 2, data[1])) {
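Review bot: The kmemdup() call on the added line copies data[1] + sizeof(data) bytes out of data, while the memcpy() it replaces copied only sizeof(data), so the new code reads data[1] bytes past the end of data. data[1] is bounded only by the MAX_TLV_SIZE check just above, so this is an out-of-bounds read of whatever sits after data in memory. The allocation size and the copy size differ in this function, so kmemdup() is not a drop-in replacement here. Keep kmalloc(data[1] + sizeof(data), GFP_KERNEL) followed by memcpy(tlv, data, sizeof(data)), and leave the payload to the existing in_kernel memcpy() / copy_from_user() into tlv + 2. The commit message should also not describe the two forms as the same function, since they are equivalent only when the source object is as large as the allocation.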
--
1.8.3.1



2019-01-01 12:50:21

by Takashi Iwai

Subject: Re: [PATCH] sound:emu10k1:Use kmemdup instead of duplicating its function

On Mon, 24 Dec 2018 09:42:48 +0100,
huang.zijiang wrote:
>
> From: "huang.zijiang" <[email protected]>
>
> kmemdup has implemented the function that kmalloc() and memcpy().
>
> Signed-off-by: huang.zijiang <[email protected]>
> ---
> sound/pci/emu10k1/emufx.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c
> index 6ebe817..b4fe4c5 100644
> --- a/sound/pci/emu10k1/emufx.c
> +++ b/sound/pci/emu10k1/emufx.c
> @@ -671,10 +671,9 @@ static unsigned int *copy_tlv(const unsigned int __user *_tlv, bool in_kernel)
> return NULL;
> if (data[1] >= MAX_TLV_SIZE)
> return NULL;
> - tlv = kmalloc(data[1] + sizeof(data), GFP_KERNEL);
> + tlv = kmemdup(data, data[1] + sizeof(data), GFP_KERNEL);
> if (!tlv)
> return NULL;
> - memcpy(tlv, data, sizeof(data));

These changes are not equivalent, and rather dangerous, unfortunately.
The memcpy() performs only for sizeof(data), and in this case, it's
not the same size as the allocation above.


thanks,

Takashi