pcm_compat.c:507 snd_pcm_ioctl_sync_ptr_buggy() error: copy_from_user() 'sync_cp' too small (16 vs 20)

kernel test robot Sun, 23 Jan 2022 12:38:15 -0800

CC: [email protected]
CC: [email protected]
TO: Takashi Iwai <[email protected]>
CC: Arnd Bergmann <[email protected]>


tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
master
head:   dd81e1c7d5fb126e5fbc5c9e334d7b3ec29a16a0
commit: 228af5a4fa3a8293bd8b7ac5cf59548ee29627bf ALSA: pcm: Workaround for a 
wrong offset in SYNC_PTR compat ioctl
date:   3 months ago
:::::: branch date: 5 hours ago
:::::: commit date: 3 months ago
config: powerpc64-randconfig-m031-20220120 
(https://download.01.org/0day-ci/archive/20220124/[email protected]/config)
compiler: powerpc64-linux-gcc (GCC) 11.2.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>

smatch warnings:
sound/core/pcm_compat.c:507 snd_pcm_ioctl_sync_ptr_buggy() error: 
copy_from_user() 'sync_cp' too small (16 vs 20)

vim +/sync_cp +507 sound/core/pcm_compat.c

228af5a4fa3a82 Takashi Iwai 2021-10-10  492  
228af5a4fa3a82 Takashi Iwai 2021-10-10  493  static int 
snd_pcm_ioctl_sync_ptr_buggy(struct snd_pcm_substream *substream,
228af5a4fa3a82 Takashi Iwai 2021-10-10  494                                     
struct snd_pcm_sync_ptr __user *_sync_ptr)
228af5a4fa3a82 Takashi Iwai 2021-10-10  495  {
228af5a4fa3a82 Takashi Iwai 2021-10-10  496     struct snd_pcm_runtime *runtime 
= substream->runtime;
228af5a4fa3a82 Takashi Iwai 2021-10-10  497     struct snd_pcm_sync_ptr 
sync_ptr;
228af5a4fa3a82 Takashi Iwai 2021-10-10  498     struct 
__snd_pcm_mmap_control64_buggy *sync_cp;
228af5a4fa3a82 Takashi Iwai 2021-10-10  499     volatile struct 
snd_pcm_mmap_status *status;
228af5a4fa3a82 Takashi Iwai 2021-10-10  500     volatile struct 
snd_pcm_mmap_control *control;
228af5a4fa3a82 Takashi Iwai 2021-10-10  501     int err;
228af5a4fa3a82 Takashi Iwai 2021-10-10  502  
228af5a4fa3a82 Takashi Iwai 2021-10-10  503     memset(&sync_ptr, 0, 
sizeof(sync_ptr));
228af5a4fa3a82 Takashi Iwai 2021-10-10  504     sync_cp = (struct 
__snd_pcm_mmap_control64_buggy *)&sync_ptr.c.control;
228af5a4fa3a82 Takashi Iwai 2021-10-10  505     if (get_user(sync_ptr.flags, 
(unsigned __user *)&(_sync_ptr->flags)))
228af5a4fa3a82 Takashi Iwai 2021-10-10  506             return -EFAULT;
228af5a4fa3a82 Takashi Iwai 2021-10-10 @507     if (copy_from_user(sync_cp, 
&(_sync_ptr->c.control), sizeof(*sync_cp)))
228af5a4fa3a82 Takashi Iwai 2021-10-10  508             return -EFAULT;
228af5a4fa3a82 Takashi Iwai 2021-10-10  509     status = runtime->status;
228af5a4fa3a82 Takashi Iwai 2021-10-10  510     control = runtime->control;
228af5a4fa3a82 Takashi Iwai 2021-10-10  511     if (sync_ptr.flags & 
SNDRV_PCM_SYNC_PTR_HWSYNC) {
228af5a4fa3a82 Takashi Iwai 2021-10-10  512             err = 
snd_pcm_hwsync(substream);
228af5a4fa3a82 Takashi Iwai 2021-10-10  513             if (err < 0)
228af5a4fa3a82 Takashi Iwai 2021-10-10  514                     return err;
228af5a4fa3a82 Takashi Iwai 2021-10-10  515     }
228af5a4fa3a82 Takashi Iwai 2021-10-10  516     
snd_pcm_stream_lock_irq(substream);
228af5a4fa3a82 Takashi Iwai 2021-10-10  517     if (!(sync_ptr.flags & 
SNDRV_PCM_SYNC_PTR_APPL)) {
228af5a4fa3a82 Takashi Iwai 2021-10-10  518             err = 
pcm_lib_apply_appl_ptr(substream, sync_cp->appl_ptr);
228af5a4fa3a82 Takashi Iwai 2021-10-10  519             if (err < 0) {
228af5a4fa3a82 Takashi Iwai 2021-10-10  520                     
snd_pcm_stream_unlock_irq(substream);
228af5a4fa3a82 Takashi Iwai 2021-10-10  521                     return err;
228af5a4fa3a82 Takashi Iwai 2021-10-10  522             }
228af5a4fa3a82 Takashi Iwai 2021-10-10  523     } else {
228af5a4fa3a82 Takashi Iwai 2021-10-10  524             sync_cp->appl_ptr = 
control->appl_ptr;
228af5a4fa3a82 Takashi Iwai 2021-10-10  525     }
228af5a4fa3a82 Takashi Iwai 2021-10-10  526     if (!(sync_ptr.flags & 
SNDRV_PCM_SYNC_PTR_AVAIL_MIN))
228af5a4fa3a82 Takashi Iwai 2021-10-10  527             control->avail_min = 
sync_cp->avail_min;
228af5a4fa3a82 Takashi Iwai 2021-10-10  528     else
228af5a4fa3a82 Takashi Iwai 2021-10-10  529             sync_cp->avail_min = 
control->avail_min;
228af5a4fa3a82 Takashi Iwai 2021-10-10  530     sync_ptr.s.status.state = 
status->state;
228af5a4fa3a82 Takashi Iwai 2021-10-10  531     sync_ptr.s.status.hw_ptr = 
status->hw_ptr;
228af5a4fa3a82 Takashi Iwai 2021-10-10  532     sync_ptr.s.status.tstamp = 
status->tstamp;
228af5a4fa3a82 Takashi Iwai 2021-10-10  533     
sync_ptr.s.status.suspended_state = status->suspended_state;
228af5a4fa3a82 Takashi Iwai 2021-10-10  534     sync_ptr.s.status.audio_tstamp 
= status->audio_tstamp;
228af5a4fa3a82 Takashi Iwai 2021-10-10  535     
snd_pcm_stream_unlock_irq(substream);
228af5a4fa3a82 Takashi Iwai 2021-10-10  536     if (copy_to_user(_sync_ptr, 
&sync_ptr, sizeof(sync_ptr)))
228af5a4fa3a82 Takashi Iwai 2021-10-10  537             return -EFAULT;
228af5a4fa3a82 Takashi Iwai 2021-10-10  538     return 0;
228af5a4fa3a82 Takashi Iwai 2021-10-10  539  }
228af5a4fa3a82 Takashi Iwai 2021-10-10  540  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]
_______________________________________________
kbuild mailing list -- [email protected]
To unsubscribe send an email to [email protected]

[kbuild] sound/core/pcm_compat.c:507 snd_pcm_ioctl_sync_ptr_buggy() error: copy_from_user() 'sync_cp' too small (16 vs 20)

Reply via email to