authorTakashi Iwai <tiwai@suse.de>2009-04-15 05:24:27 -0400
committerTakashi Iwai <tiwai@suse.de>2009-04-15 05:24:27 -0400
commitf4723b224d21ff546ac1fea4483094548d529479 (patch)
tree1257dceebcacbf04d3cd6eabf7ff75cfac2edd96
parent00610a81df32ea50dba0105078e7369988caef3b (diff)
parent336500f0305dc1552e8d01a60b409a7db781ca28 (diff)
Merge branch 'topic/memdup_user' into for-linus
* topic/memdup_user: ALSA: sound/pci: use memdup_user() ALSA: sound/usb: use memdup_user() ALSA: sound/isa: use memdup_user() ALSA: sound/core: use memdup_user()
-rw-r--r--sound/core/control.c35
-rw-r--r--sound/core/pcm_compat.c11
-rw-r--r--sound/core/pcm_native.c93
-rw-r--r--sound/core/seq/seq_compat.c9
-rw-r--r--sound/core/timer.c11
-rw-r--r--sound/isa/sb/sb16_csp.c19
-rw-r--r--sound/isa/wavefront/wavefront_fx.c14
-rw-r--r--sound/isa/wavefront/wavefront_synth.c11
-rw-r--r--sound/pci/emu10k1/emufx.c41
-rw-r--r--sound/usb/usx2y/us122l.c10
-rw-r--r--sound/usb/usx2y/usX2Yhwdep.c13
11 files changed, 102 insertions, 165 deletions
diff --git a/sound/core/control.c b/sound/core/control.c
index 4b20fa2b7e6d..17b8d47a5cd0 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -723,14 +723,11 @@ static int snd_ctl_elem_read_user(struct snd_card *card,
723{ 723{
724 struct snd_ctl_elem_value *control; 724 struct snd_ctl_elem_value *control;
725 int result; 725 int result;
726 726
727 control = kmalloc(sizeof(*control), GFP_KERNEL); 727 control = memdup_user(_control, sizeof(*control));
728 if (control == NULL) 728 if (IS_ERR(control))
729 return -ENOMEM; 729 return PTR_ERR(control);
730 if (copy_from_user(control, _control, sizeof(*control))) { 730
731 kfree(control);
732 return -EFAULT;
733 }
734 snd_power_lock(card); 731 snd_power_lock(card);
735 result = snd_power_wait(card, SNDRV_CTL_POWER_D0); 732 result = snd_power_wait(card, SNDRV_CTL_POWER_D0);
736 if (result >= 0) 733 if (result >= 0)
@@ -784,13 +781,10 @@ static int snd_ctl_elem_write_user(struct snd_ctl_file *file,
784 struct snd_card *card; 781 struct snd_card *card;
785 int result; 782 int result;
786 783
787 control = kmalloc(sizeof(*control), GFP_KERNEL); 784 control = memdup_user(_control, sizeof(*control));
788 if (control == NULL) 785 if (IS_ERR(control))
789 return -ENOMEM; 786 return PTR_ERR(control);
790 if (copy_from_user(control, _control, sizeof(*control))) { 787
791 kfree(control);
792 return -EFAULT;
793 }
794 card = file->card; 788 card = file->card;
795 snd_power_lock(card); 789 snd_power_lock(card);
796 result = snd_power_wait(card, SNDRV_CTL_POWER_D0); 790 result = snd_power_wait(card, SNDRV_CTL_POWER_D0);
@@ -916,13 +910,10 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol,
916 if (op_flag > 0) { 910 if (op_flag > 0) {
917 if (size > 1024 * 128) /* sane value */ 911 if (size > 1024 * 128) /* sane value */
918 return -EINVAL; 912 return -EINVAL;
919 new_data = kmalloc(size, GFP_KERNEL); 913
920 if (new_data == NULL) 914 new_data = memdup_user(tlv, size);
921 return -ENOMEM; 915 if (IS_ERR(new_data))
922 if (copy_from_user(new_data, tlv, size)) { 916 return PTR_ERR(new_data);
923 kfree(new_data);
924 return -EFAULT;
925 }
926 change = ue->tlv_data_size != size; 917 change = ue->tlv_data_size != size;
927 if (!change) 918 if (!change)
928 change = memcmp(ue->tlv_data, new_data, size); 919 change = memcmp(ue->tlv_data, new_data, size);
diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
index 36d7a5998234..08bfed594a83 100644
--- a/sound/core/pcm_compat.c
+++ b/sound/core/pcm_compat.c
@@ -232,14 +232,11 @@ static int snd_pcm_ioctl_hw_params_compat(struct snd_pcm_substream *substream,
232 if (! (runtime = substream->runtime)) 232 if (! (runtime = substream->runtime))
233 return -ENOTTY; 233 return -ENOTTY;
234 234
235 data = kmalloc(sizeof(*data), GFP_KERNEL);
236 if (data == NULL)
237 return -ENOMEM;
238 /* only fifo_size is different, so just copy all */ 235 /* only fifo_size is different, so just copy all */
239 if (copy_from_user(data, data32, sizeof(*data32))) { 236 data = memdup_user(data32, sizeof(*data32));
240 err = -EFAULT; 237 if (IS_ERR(data))
241 goto error; 238 return PTR_ERR(data);
242 } 239
243 if (refine) 240 if (refine)
244 err = snd_pcm_hw_refine(substream, data); 241 err = snd_pcm_hw_refine(substream, data);
245 else 242 else
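Review bot: The buffer is now allocated with the compat size, `memdup_user(data32, sizeof(*data32))` at new line 236, whereas the removed code allocated `sizeof(*data)` and only copied `sizeof(*data32)` bytes into it. The retained comment says fifo_size differs between the two layouts, so if the 32-bit struct is smaller than the native one, `snd_pcm_hw_refine(substream, data)` then works on a native-sized struct held in a too-small heap object, which is an out-of-bounds slab access. Keeping the original allocation, `data = kmalloc(sizeof(*data), GFP_KERNEL);` followed by `copy_from_user(data, data32, sizeof(*data32))`, avoids that. The same pattern appears in sound/core/seq/seq_compat.c at new line 51, where `data->flags`, `data->time_queue` and `data->kernel` are then written through the native struct pointer. The function body continues outside this hunk.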
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index a151fb01ba82..fc6f98e257df 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -327,21 +327,16 @@ static int snd_pcm_hw_refine_user(struct snd_pcm_substream *substream,
327 struct snd_pcm_hw_params *params; 327 struct snd_pcm_hw_params *params;
328 int err; 328 int err;
329 329
330 params = kmalloc(sizeof(*params), GFP_KERNEL); 330 params = memdup_user(_params, sizeof(*params));
331 if (!params) { 331 if (IS_ERR(params))
332 err = -ENOMEM; 332 return PTR_ERR(params);
333 goto out; 333
334 }
335 if (copy_from_user(params, _params, sizeof(*params))) {
336 err = -EFAULT;
337 goto out;
338 }
339 err = snd_pcm_hw_refine(substream, params); 334 err = snd_pcm_hw_refine(substream, params);
340 if (copy_to_user(_params, params, sizeof(*params))) { 335 if (copy_to_user(_params, params, sizeof(*params))) {
341 if (!err) 336 if (!err)
342 err = -EFAULT; 337 err = -EFAULT;
343 } 338 }
344out: 339
345 kfree(params); 340 kfree(params);
346 return err; 341 return err;
347} 342}
@@ -465,21 +460,16 @@ static int snd_pcm_hw_params_user(struct snd_pcm_substream *substream,
465 struct snd_pcm_hw_params *params; 460 struct snd_pcm_hw_params *params;
466 int err; 461 int err;
467 462
468 params = kmalloc(sizeof(*params), GFP_KERNEL); 463 params = memdup_user(_params, sizeof(*params));
469 if (!params) { 464 if (IS_ERR(params))
470 err = -ENOMEM; 465 return PTR_ERR(params);
471 goto out; 466
472 }
473 if (copy_from_user(params, _params, sizeof(*params))) {
474 err = -EFAULT;
475 goto out;
476 }
477 err = snd_pcm_hw_params(substream, params); 467 err = snd_pcm_hw_params(substream, params);
478 if (copy_to_user(_params, params, sizeof(*params))) { 468 if (copy_to_user(_params, params, sizeof(*params))) {
479 if (!err) 469 if (!err)
480 err = -EFAULT; 470 err = -EFAULT;
481 } 471 }
482out: 472
483 kfree(params); 473 kfree(params);
484 return err; 474 return err;
485} 475}
@@ -2593,13 +2583,11 @@ static int snd_pcm_playback_ioctl1(struct file *file,
2593 return -EFAULT; 2583 return -EFAULT;
2594 if (copy_from_user(&xfern, _xfern, sizeof(xfern))) 2584 if (copy_from_user(&xfern, _xfern, sizeof(xfern)))
2595 return -EFAULT; 2585 return -EFAULT;
2596 bufs = kmalloc(sizeof(void *) * runtime->channels, GFP_KERNEL); 2586
2597 if (bufs == NULL) 2587 bufs = memdup_user(xfern.bufs,
2598 return -ENOMEM; 2588 sizeof(void *) * runtime->channels);
2599 if (copy_from_user(bufs, xfern.bufs, sizeof(void *) * runtime->channels)) { 2589 if (IS_ERR(bufs))
2600 kfree(bufs); 2590 return PTR_ERR(bufs);
2601 return -EFAULT;
2602 }
2603 result = snd_pcm_lib_writev(substream, bufs, xfern.frames); 2591 result = snd_pcm_lib_writev(substream, bufs, xfern.frames);
2604 kfree(bufs); 2592 kfree(bufs);
2605 __put_user(result, &_xfern->result); 2593 __put_user(result, &_xfern->result);
@@ -2675,13 +2663,11 @@ static int snd_pcm_capture_ioctl1(struct file *file,
2675 return -EFAULT; 2663 return -EFAULT;
2676 if (copy_from_user(&xfern, _xfern, sizeof(xfern))) 2664 if (copy_from_user(&xfern, _xfern, sizeof(xfern)))
2677 return -EFAULT; 2665 return -EFAULT;
2678 bufs = kmalloc(sizeof(void *) * runtime->channels, GFP_KERNEL); 2666
2679 if (bufs == NULL) 2667 bufs = memdup_user(xfern.bufs,
2680 return -ENOMEM; 2668 sizeof(void *) * runtime->channels);
2681 if (copy_from_user(bufs, xfern.bufs, sizeof(void *) * runtime->channels)) { 2669 if (IS_ERR(bufs))
2682 kfree(bufs); 2670 return PTR_ERR(bufs);
2683 return -EFAULT;
2684 }
2685 result = snd_pcm_lib_readv(substream, bufs, xfern.frames); 2671 result = snd_pcm_lib_readv(substream, bufs, xfern.frames);
2686 kfree(bufs); 2672 kfree(bufs);
2687 __put_user(result, &_xfern->result); 2673 __put_user(result, &_xfern->result);
@@ -3312,18 +3298,12 @@ static int snd_pcm_hw_refine_old_user(struct snd_pcm_substream *substream,
3312 int err; 3298 int err;
3313 3299
3314 params = kmalloc(sizeof(*params), GFP_KERNEL); 3300 params = kmalloc(sizeof(*params), GFP_KERNEL);
3315 if (!params) { 3301 if (!params)
3316 err = -ENOMEM; 3302 return -ENOMEM;
3317 goto out;
3318 }
3319 oparams = kmalloc(sizeof(*oparams), GFP_KERNEL);
3320 if (!oparams) {
3321 err = -ENOMEM;
3322 goto out;
3323 }
3324 3303
3325 if (copy_from_user(oparams, _oparams, sizeof(*oparams))) { 3304 oparams = memdup_user(_oparams, sizeof(*oparams));
3326 err = -EFAULT; 3305 if (IS_ERR(oparams)) {
3306 err = PTR_ERR(oparams);
3327 goto out; 3307 goto out;
3328 } 3308 }
3329 snd_pcm_hw_convert_from_old_params(params, oparams); 3309 snd_pcm_hw_convert_from_old_params(params, oparams);
@@ -3333,9 +3313,10 @@ static int snd_pcm_hw_refine_old_user(struct snd_pcm_substream *substream,
3333 if (!err) 3313 if (!err)
3334 err = -EFAULT; 3314 err = -EFAULT;
3335 } 3315 }
3316
3317 kfree(oparams);
3336out: 3318out:
3337 kfree(params); 3319 kfree(params);
3338 kfree(oparams);
3339 return err; 3320 return err;
3340} 3321}
3341 3322
@@ -3347,17 +3328,12 @@ static int snd_pcm_hw_params_old_user(struct snd_pcm_substream *substream,
3347 int err; 3328 int err;
3348 3329
3349 params = kmalloc(sizeof(*params), GFP_KERNEL); 3330 params = kmalloc(sizeof(*params), GFP_KERNEL);
3350 if (!params) { 3331 if (!params)
3351 err = -ENOMEM; 3332 return -ENOMEM;
3352 goto out; 3333
3353 } 3334 oparams = memdup_user(_oparams, sizeof(*oparams));
3354 oparams = kmalloc(sizeof(*oparams), GFP_KERNEL); 3335 if (IS_ERR(oparams)) {
3355 if (!oparams) { 3336 err = PTR_ERR(oparams);
3356 err = -ENOMEM;
3357 goto out;
3358 }
3359 if (copy_from_user(oparams, _oparams, sizeof(*oparams))) {
3360 err = -EFAULT;
3361 goto out; 3337 goto out;
3362 } 3338 }
3363 snd_pcm_hw_convert_from_old_params(params, oparams); 3339 snd_pcm_hw_convert_from_old_params(params, oparams);
@@ -3367,9 +3343,10 @@ static int snd_pcm_hw_params_old_user(struct snd_pcm_substream *substream,
3367 if (!err) 3343 if (!err)
3368 err = -EFAULT; 3344 err = -EFAULT;
3369 } 3345 }
3346
3347 kfree(oparams);
3370out: 3348out:
3371 kfree(params); 3349 kfree(params);
3372 kfree(oparams);
3373 return err; 3350 return err;
3374} 3351}
3375#endif /* CONFIG_SND_SUPPORT_OLD_API */ 3352#endif /* CONFIG_SND_SUPPORT_OLD_API */
diff --git a/sound/core/seq/seq_compat.c b/sound/core/seq/seq_compat.c
index 38693f47c262..c956fe462569 100644
--- a/sound/core/seq/seq_compat.c
+++ b/sound/core/seq/seq_compat.c
@@ -48,12 +48,11 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned
48 struct snd_seq_port_info *data; 48 struct snd_seq_port_info *data;
49 mm_segment_t fs; 49 mm_segment_t fs;
50 50
51 data = kmalloc(sizeof(*data), GFP_KERNEL); 51 data = memdup_user(data32, sizeof(*data32));
52 if (! data) 52 if (IS_ERR(data))
53 return -ENOMEM; 53 return PTR_ERR(data);
54 54
55 if (copy_from_user(data, data32, sizeof(*data32)) || 55 if (get_user(data->flags, &data32->flags) ||
56 get_user(data->flags, &data32->flags) ||
57 get_user(data->time_queue, &data32->time_queue)) 56 get_user(data->time_queue, &data32->time_queue))
58 goto error; 57 goto error;
59 data->kernel = NULL; 58 data->kernel = NULL;
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 3f0050d0b71e..8f8b17ac074d 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1395,13 +1395,10 @@ static int snd_timer_user_ginfo(struct file *file,
1395 struct list_head *p; 1395 struct list_head *p;
1396 int err = 0; 1396 int err = 0;
1397 1397
1398 ginfo = kmalloc(sizeof(*ginfo), GFP_KERNEL); 1398 ginfo = memdup_user(_ginfo, sizeof(*ginfo));
1399 if (! ginfo) 1399 if (IS_ERR(ginfo))
1400 return -ENOMEM; 1400 return PTR_ERR(ginfo);
1401 if (copy_from_user(ginfo, _ginfo, sizeof(*ginfo))) { 1401
1402 kfree(ginfo);
1403 return -EFAULT;
1404 }
1405 tid = ginfo->tid; 1402 tid = ginfo->tid;
1406 memset(ginfo, 0, sizeof(*ginfo)); 1403 memset(ginfo, 0, sizeof(*ginfo));
1407 ginfo->tid = tid; 1404 ginfo->tid = tid;
diff --git a/sound/isa/sb/sb16_csp.c b/sound/isa/sb/sb16_csp.c
index 49037d074c71..bdc8dde4e4a2 100644
--- a/sound/isa/sb/sb16_csp.c
+++ b/sound/isa/sb/sb16_csp.c
@@ -684,15 +684,16 @@ static int snd_sb_csp_load(struct snd_sb_csp * p, const unsigned char *buf, int
684 684
685static int snd_sb_csp_load_user(struct snd_sb_csp * p, const unsigned char __user *buf, int size, int load_flags) 685static int snd_sb_csp_load_user(struct snd_sb_csp * p, const unsigned char __user *buf, int size, int load_flags)
686{ 686{
687 int err = -ENOMEM; 687 int err;
688 unsigned char *kbuf = kmalloc(size, GFP_KERNEL); 688 unsigned char *kbuf;
689 if (kbuf) { 689
690 if (copy_from_user(kbuf, buf, size)) 690 kbuf = memdup_user(buf, size);
691 err = -EFAULT; 691 if (IS_ERR(kbuf))
692 else 692 return PTR_ERR(kbuf);
693 err = snd_sb_csp_load(p, kbuf, size, load_flags); 693
694 kfree(kbuf); 694 err = snd_sb_csp_load(p, kbuf, size, load_flags);
695 } 695
696 kfree(kbuf);
696 return err; 697 return err;
697} 698}
698 699
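Review bot: `size` is a signed `int` and goes straight into `memdup_user(buf, size)` at new line 690, whose length parameter is a `size_t`, so a negative value turns into a very large allocation request instead of being rejected as bad input. Nothing in this function bounds it, and whether the callers do is not visible here. A guard such as `if (size < 0) return -EINVAL;` before the copy would make that failure explicit. A one-line comment that the result must be tested with IS_ERR() rather than against NULL would also help the next reader, since memdup_user() reports failure through an error pointer.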
diff --git a/sound/isa/wavefront/wavefront_fx.c b/sound/isa/wavefront/wavefront_fx.c
index a4345fc07561..2bb1cee09255 100644
--- a/sound/isa/wavefront/wavefront_fx.c
+++ b/sound/isa/wavefront/wavefront_fx.c
@@ -202,15 +202,11 @@ snd_wavefront_fx_ioctl (struct snd_hwdep *sdev, struct file *file,
202 "> 512 bytes to FX\n"); 202 "> 512 bytes to FX\n");
203 return -EIO; 203 return -EIO;
204 } 204 }
205 page_data = kmalloc(r.data[2] * sizeof(short), GFP_KERNEL); 205 page_data = memdup_user((unsigned char __user *)
206 if (!page_data) 206 r.data[3],
207 return -ENOMEM; 207 r.data[2] * sizeof(short));
208 if (copy_from_user (page_data, 208 if (IS_ERR(page_data))
209 (unsigned char __user *) r.data[3], 209 return PTR_ERR(page_data);
210 r.data[2] * sizeof(short))) {
211 kfree(page_data);
212 return -EFAULT;
213 }
214 pd = page_data; 210 pd = page_data;
215 } 211 }
216 212
diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c
index beb312cca75b..5d4ff48c4345 100644
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -1664,12 +1664,11 @@ snd_wavefront_synth_ioctl (struct snd_hwdep *hw, struct file *file,
1664 break; 1664 break;
1665 1665
1666 case WFCTL_WFCMD: 1666 case WFCTL_WFCMD:
1667 wc = kmalloc(sizeof(*wc), GFP_KERNEL); 1667 wc = memdup_user(argp, sizeof(*wc));
1668 if (! wc) 1668 if (IS_ERR(wc))
1669 return -ENOMEM; 1669 return PTR_ERR(wc);
1670 if (copy_from_user (wc, argp, sizeof (*wc))) 1670
1671 err = -EFAULT; 1671 if (wavefront_synth_control (acard, wc) < 0)
1672 else if (wavefront_synth_control (acard, wc) < 0)
1673 err = -EIO; 1672 err = -EIO;
1674 else if (copy_to_user (argp, wc, sizeof (*wc))) 1673 else if (copy_to_user (argp, wc, sizeof (*wc)))
1675 err = -EFAULT; 1674 err = -EFAULT;
diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c
index 191e1cd9997d..4b302d86f5f2 100644
--- a/sound/pci/emu10k1/emufx.c
+++ b/sound/pci/emu10k1/emufx.c
@@ -2493,24 +2493,17 @@ static int snd_emu10k1_fx8010_ioctl(struct snd_hwdep * hw, struct file *file, un
2493 case SNDRV_EMU10K1_IOCTL_CODE_POKE: 2493 case SNDRV_EMU10K1_IOCTL_CODE_POKE:
2494 if (!capable(CAP_SYS_ADMIN)) 2494 if (!capable(CAP_SYS_ADMIN))
2495 return -EPERM; 2495 return -EPERM;
2496 icode = kmalloc(sizeof(*icode), GFP_KERNEL); 2496
2497 if (icode == NULL) 2497 icode = memdup_user(argp, sizeof(*icode));
2498 return -ENOMEM; 2498 if (IS_ERR(icode))
2499 if (copy_from_user(icode, argp, sizeof(*icode))) { 2499 return PTR_ERR(icode);
2500 kfree(icode);
2501 return -EFAULT;
2502 }
2503 res = snd_emu10k1_icode_poke(emu, icode); 2500 res = snd_emu10k1_icode_poke(emu, icode);
2504 kfree(icode); 2501 kfree(icode);
2505 return res; 2502 return res;
2506 case SNDRV_EMU10K1_IOCTL_CODE_PEEK: 2503 case SNDRV_EMU10K1_IOCTL_CODE_PEEK:
2507 icode = kmalloc(sizeof(*icode), GFP_KERNEL); 2504 icode = memdup_user(argp, sizeof(*icode));
2508 if (icode == NULL) 2505 if (IS_ERR(icode))
2509 return -ENOMEM; 2506 return PTR_ERR(icode);
2510 if (copy_from_user(icode, argp, sizeof(*icode))) {
2511 kfree(icode);
2512 return -EFAULT;
2513 }
2514 res = snd_emu10k1_icode_peek(emu, icode); 2507 res = snd_emu10k1_icode_peek(emu, icode);
2515 if (res == 0 && copy_to_user(argp, icode, sizeof(*icode))) { 2508 if (res == 0 && copy_to_user(argp, icode, sizeof(*icode))) {
2516 kfree(icode); 2509 kfree(icode);
@@ -2519,24 +2512,16 @@ static int snd_emu10k1_fx8010_ioctl(struct snd_hwdep * hw, struct file *file, un
2519 kfree(icode); 2512 kfree(icode);
2520 return res; 2513 return res;
2521 case SNDRV_EMU10K1_IOCTL_PCM_POKE: 2514 case SNDRV_EMU10K1_IOCTL_PCM_POKE:
2522 ipcm = kmalloc(sizeof(*ipcm), GFP_KERNEL); 2515 ipcm = memdup_user(argp, sizeof(*ipcm));
2523 if (ipcm == NULL) 2516 if (IS_ERR(ipcm))
2524 return -ENOMEM; 2517 return PTR_ERR(ipcm);
2525 if (copy_from_user(ipcm, argp, sizeof(*ipcm))) {
2526 kfree(ipcm);
2527 return -EFAULT;
2528 }
2529 res = snd_emu10k1_ipcm_poke(emu, ipcm); 2518 res = snd_emu10k1_ipcm_poke(emu, ipcm);
2530 kfree(ipcm); 2519 kfree(ipcm);
2531 return res; 2520 return res;
2532 case SNDRV_EMU10K1_IOCTL_PCM_PEEK: 2521 case SNDRV_EMU10K1_IOCTL_PCM_PEEK:
2533 ipcm = kzalloc(sizeof(*ipcm), GFP_KERNEL); 2522 ipcm = memdup_user(argp, sizeof(*ipcm));
2534 if (ipcm == NULL) 2523 if (IS_ERR(ipcm))
2535 return -ENOMEM; 2524 return PTR_ERR(ipcm);
2536 if (copy_from_user(ipcm, argp, sizeof(*ipcm))) {
2537 kfree(ipcm);
2538 return -EFAULT;
2539 }
2540 res = snd_emu10k1_ipcm_peek(emu, ipcm); 2525 res = snd_emu10k1_ipcm_peek(emu, ipcm);
2541 if (res == 0 && copy_to_user(argp, ipcm, sizeof(*ipcm))) { 2526 if (res == 0 && copy_to_user(argp, ipcm, sizeof(*ipcm))) {
2542 kfree(ipcm); 2527 kfree(ipcm);
diff --git a/sound/usb/usx2y/us122l.c b/sound/usb/usx2y/us122l.c
index 98276aafefe6..012ff1f6f8af 100644
--- a/sound/usb/usx2y/us122l.c
+++ b/sound/usb/usx2y/us122l.c
@@ -349,14 +349,10 @@ static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file,
349 if (cmd != SNDRV_USB_STREAM_IOCTL_SET_PARAMS) 349 if (cmd != SNDRV_USB_STREAM_IOCTL_SET_PARAMS)
350 return -ENOTTY; 350 return -ENOTTY;
351 351
352 cfg = kmalloc(sizeof(*cfg), GFP_KERNEL); 352 cfg = memdup_user((void *)arg, sizeof(*cfg));
353 if (!cfg) 353 if (IS_ERR(cfg))
354 return -ENOMEM; 354 return PTR_ERR(cfg);
355 355
356 if (copy_from_user(cfg, (void *)arg, sizeof(*cfg))) {
357 err = -EFAULT;
358 goto free;
359 }
360 if (cfg->version != USB_STREAM_INTERFACE_VERSION) { 356 if (cfg->version != USB_STREAM_INTERFACE_VERSION) {
361 err = -ENXIO; 357 err = -ENXIO;
362 goto free; 358 goto free;
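Review bot: The cast at new line 352, `(void *)arg`, drops the `__user` address-space annotation that memdup_user() expects on its source pointer, so sparse cannot check this call. I would write `cfg = memdup_user((void __user *)arg, sizeof(*cfg));`. The rest of the ioctl handler lies outside this hunk.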
diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c
index 4af8740db717..f3d8f71265dd 100644
--- a/sound/usb/usx2y/usX2Yhwdep.c
+++ b/sound/usb/usx2y/usX2Yhwdep.c
@@ -203,13 +203,12 @@ static int snd_usX2Y_hwdep_dsp_load(struct snd_hwdep *hw,
203 203
204 if (access_ok(VERIFY_READ, dsp->image, dsp->length)) { 204 if (access_ok(VERIFY_READ, dsp->image, dsp->length)) {
205 struct usb_device* dev = priv->chip.dev; 205 struct usb_device* dev = priv->chip.dev;
206 char *buf = kmalloc(dsp->length, GFP_KERNEL); 206 char *buf;
207 if (!buf) 207
208 return -ENOMEM; 208 buf = memdup_user(dsp->image, dsp->length);
209 if (copy_from_user(buf, dsp->image, dsp->length)) { 209 if (IS_ERR(buf))
210 kfree(buf); 210 return PTR_ERR(buf);
211 return -EFAULT; 211
212 }
213 err = usb_set_interface(dev, 0, 1); 212 err = usb_set_interface(dev, 0, 1);
214 if (err) 213 if (err)
215 snd_printk(KERN_ERR "usb_set_interface error \n"); 214 snd_printk(KERN_ERR "usb_set_interface error \n");
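Review bot: `dsp->length` is passed to `memdup_user()` at new line 208 as the allocation size, and the only check visible on it is the `access_ok()` range test, which puts no limit on how large it may be. If the value arrives from the caller unchanged, as the user-pointer check on `dsp->image` suggests, an upper bound on the firmware image size before the copy would keep a single ioctl from requesting an arbitrarily large kernel allocation. The `access_ok()` wrapper also looks redundant now, presumably because memdup_user() validates the user range as part of the copy. The function continues outside this hunk.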