5 files changed, 60 insertions, 99 deletions
diff --git a/sound/core/control.c b/sound/core/control.c
index 4b20fa2b7e6d..17b8d47a5cd0 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -723,14 +723,11 @@ static int snd_ctl_elem_read_user(struct snd_card *card,
 {
        struct snd_ctl_elem_value *control;
        int result;
-        
-        control = kmalloc(sizeof(*control), GFP_KERNEL);
+        control = memdup_user(_control, sizeof(*control));
-        if (control == NULL)
+        if (IS_ERR(control))
-                return -ENOMEM; 
+                return PTR_ERR(control);
-        if (copy_from_user(control, _control, sizeof(*control))) {
-                kfree(control);
-                return -EFAULT;
-        }
        snd_power_lock(card);
        result = snd_power_wait(card, SNDRV_CTL_POWER_D0);
        if (result >= 0)
@@ -784,13 +781,10 @@ static int snd_ctl_elem_write_user(struct snd_ctl_file *file,
        struct snd_card *card;
        int result;
-        control = kmalloc(sizeof(*control), GFP_KERNEL);
+        control = memdup_user(_control, sizeof(*control));
-        if (control == NULL)
+        if (IS_ERR(control))
-                return -ENOMEM; 
+                return PTR_ERR(control);
-        if (copy_from_user(control, _control, sizeof(*control))) {
-                kfree(control);
-                return -EFAULT;
-        }
        card = file->card;
        snd_power_lock(card);
        result = snd_power_wait(card, SNDRV_CTL_POWER_D0);
@@ -916,13 +910,10 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol,
        if (op_flag > 0) {
                if (size > 1024 * 128)  /* sane value */
                        return -EINVAL;
-                new_data = kmalloc(size, GFP_KERNEL);
-                if (new_data == NULL)
+                new_data = memdup_user(tlv, size);
-                        return -ENOMEM;
+                if (IS_ERR(new_data))
-                if (copy_from_user(new_data, tlv, size)) {
+                        return PTR_ERR(new_data);
-                        kfree(new_data);
-                        return -EFAULT;
-                }
                change = ue->tlv_data_size != size;
                if (!change)
                        change = memcmp(ue->tlv_data, new_data, size);
diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
index 36d7a5998234..08bfed594a83 100644
--- a/sound/core/pcm_compat.c
+++ b/sound/core/pcm_compat.c
@@ -232,14 +232,11 @@ static int snd_pcm_ioctl_hw_params_compat(struct snd_pcm_substream *substream,
        if (! (runtime = substream->runtime))
                return -ENOTTY;
-        data = kmalloc(sizeof(*data), GFP_KERNEL);
-        if (data == NULL)
-                return -ENOMEM;
        /* only fifo_size is different, so just copy all */
-        if (copy_from_user(data, data32, sizeof(*data32))) {
+        data = memdup_user(data32, sizeof(*data32));
-                err = -EFAULT;
+        if (IS_ERR(data))
-                goto error;
+                return PTR_ERR(data);
-        }
        if (refine)
                err = snd_pcm_hw_refine(substream, data);
        else
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index a151fb01ba82..fc6f98e257df 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -327,21 +327,16 @@ static int snd_pcm_hw_refine_user(struct snd_pcm_substream *substream,
        struct snd_pcm_hw_params *params;
        int err;
-        params = kmalloc(sizeof(*params), GFP_KERNEL);
+        params = memdup_user(_params, sizeof(*params));
-        if (!params) {
+        if (IS_ERR(params))
-                err = -ENOMEM;
+                return PTR_ERR(params);
-                goto out;
-        }
-        if (copy_from_user(params, _params, sizeof(*params))) {
-                err = -EFAULT;
-                goto out;
-        }
        err = snd_pcm_hw_refine(substream, params);
        if (copy_to_user(_params, params, sizeof(*params))) {
                if (!err)
                        err = -EFAULT;
        }
-out:
        kfree(params);
        return err;
 }
@@ -465,21 +460,16 @@ static int snd_pcm_hw_params_user(struct snd_pcm_substream *substream,
        struct snd_pcm_hw_params *params;
        int err;
-        params = kmalloc(sizeof(*params), GFP_KERNEL);
+        params = memdup_user(_params, sizeof(*params));
-        if (!params) {
+        if (IS_ERR(params))
-                err = -ENOMEM;
+                return PTR_ERR(params);
-                goto out;
-        }
-        if (copy_from_user(params, _params, sizeof(*params))) {
-                err = -EFAULT;
-                goto out;
-        }
        err = snd_pcm_hw_params(substream, params);
        if (copy_to_user(_params, params, sizeof(*params))) {
                if (!err)
                        err = -EFAULT;
        }
-out:
        kfree(params);
        return err;
 }
@@ -2593,13 +2583,11 @@ static int snd_pcm_playback_ioctl1(struct file *file,
                        return -EFAULT;
                if (copy_from_user(&xfern, _xfern, sizeof(xfern)))
                        return -EFAULT;
-                bufs = kmalloc(sizeof(void *) * runtime->channels, GFP_KERNEL);
-                if (bufs == NULL)
+                bufs = memdup_user(xfern.bufs,
-                        return -ENOMEM;
+                                   sizeof(void *) * runtime->channels);
-                if (copy_from_user(bufs, xfern.bufs, sizeof(void *) * runtime->channels)) {
+                if (IS_ERR(bufs))
-                        kfree(bufs);
+                        return PTR_ERR(bufs);
-                        return -EFAULT;
-                }
                result = snd_pcm_lib_writev(substream, bufs, xfern.frames);
                kfree(bufs);
                __put_user(result, &_xfern->result);
@@ -2675,13 +2663,11 @@ static int snd_pcm_capture_ioctl1(struct file *file,
                        return -EFAULT;
                if (copy_from_user(&xfern, _xfern, sizeof(xfern)))
                        return -EFAULT;
-                bufs = kmalloc(sizeof(void *) * runtime->channels, GFP_KERNEL);
-                if (bufs == NULL)
+                bufs = memdup_user(xfern.bufs,
-                        return -ENOMEM;
+                                   sizeof(void *) * runtime->channels);
-                if (copy_from_user(bufs, xfern.bufs, sizeof(void *) * runtime->channels)) {
+                if (IS_ERR(bufs))
-                        kfree(bufs);
+                        return PTR_ERR(bufs);
-                        return -EFAULT;
-                }
                result = snd_pcm_lib_readv(substream, bufs, xfern.frames);
                kfree(bufs);
                __put_user(result, &_xfern->result);
@@ -3312,18 +3298,12 @@ static int snd_pcm_hw_refine_old_user(struct snd_pcm_substream *substream,
        int err;
        params = kmalloc(sizeof(*params), GFP_KERNEL);
-        if (!params) {
+        if (!params)
-                err = -ENOMEM;
+                return -ENOMEM;
-                goto out;
-        }
-        oparams = kmalloc(sizeof(*oparams), GFP_KERNEL);
-        if (!oparams) {
-                err = -ENOMEM;
-                goto out;
-        }
-        if (copy_from_user(oparams, _oparams, sizeof(*oparams))) {
+        oparams = memdup_user(_oparams, sizeof(*oparams));
-                err = -EFAULT;
+        if (IS_ERR(oparams)) {
+                err = PTR_ERR(oparams);
                goto out;
        }
        snd_pcm_hw_convert_from_old_params(params, oparams);
@@ -3333,9 +3313,10 @@ static int snd_pcm_hw_refine_old_user(struct snd_pcm_substream *substream,
                if (!err)
                        err = -EFAULT;
        }
+        kfree(oparams);
 out:
        kfree(params);
-        kfree(oparams);
        return err;
 }
@@ -3347,17 +3328,12 @@ static int snd_pcm_hw_params_old_user(struct snd_pcm_substream *substream,
        int err;
        params = kmalloc(sizeof(*params), GFP_KERNEL);
-        if (!params) {
+        if (!params)
-                err = -ENOMEM;
+                return -ENOMEM;
-                goto out;
-        }
+        oparams = memdup_user(_oparams, sizeof(*oparams));
-        oparams = kmalloc(sizeof(*oparams), GFP_KERNEL);
+        if (IS_ERR(oparams)) {
-        if (!oparams) {
+                err = PTR_ERR(oparams);
-                err = -ENOMEM;
-                goto out;
-        }
-        if (copy_from_user(oparams, _oparams, sizeof(*oparams))) {
-                err = -EFAULT;
                goto out;
        }
        snd_pcm_hw_convert_from_old_params(params, oparams);
@@ -3367,9 +3343,10 @@ static int snd_pcm_hw_params_old_user(struct snd_pcm_substream *substream,
                if (!err)
                        err = -EFAULT;
        }
+        kfree(oparams);
 out:
        kfree(params);
-        kfree(oparams);
        return err;
 }
 #endif /* CONFIG_SND_SUPPORT_OLD_API */
diff --git a/sound/core/seq/seq_compat.c b/sound/core/seq/seq_compat.c
index 38693f47c262..c956fe462569 100644
--- a/sound/core/seq/seq_compat.c
+++ b/sound/core/seq/seq_compat.c
@@ -48,12 +48,11 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned
        struct snd_seq_port_info *data;
        mm_segment_t fs;
-        data = kmalloc(sizeof(*data), GFP_KERNEL);
+        data = memdup_user(data32, sizeof(*data32));
-        if (! data)
+        if (IS_ERR(data))
-                return -ENOMEM;
+                return PTR_ERR(data);
-        if (copy_from_user(data, data32, sizeof(*data32)) ||
+        if (get_user(data->flags, &data32->flags) ||
-            get_user(data->flags, &data32->flags) ||
            get_user(data->time_queue, &data32->time_queue))
                goto error;
        data->kernel = NULL;
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 3f0050d0b71e..8f8b17ac074d 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1395,13 +1395,10 @@ static int snd_timer_user_ginfo(struct file *file,
        struct list_head *p;
        int err = 0;
-        ginfo = kmalloc(sizeof(*ginfo), GFP_KERNEL);
+        ginfo = memdup_user(_ginfo, sizeof(*ginfo));
-        if (! ginfo)
+        if (IS_ERR(ginfo))
-                return -ENOMEM;
+                return PTR_ERR(ginfo);
-        if (copy_from_user(ginfo, _ginfo, sizeof(*ginfo))) {
-                kfree(ginfo);
-                return -EFAULT;
-        }
        tid = ginfo->tid;
        memset(ginfo, 0, sizeof(*ginfo));
        ginfo->tid = tid;

diff --git a/sound/core/control.c b/sound/core/control.c index 4b20fa2b7e6d..17b8d47a5cd0 100644 --- a/sound/core/control.c +++ b/sound/core/control.c
@@ -723,14 +723,11 @@ static int snd_ctl_elem_read_user(struct snd_card *card,
723	{	723	{
724	struct snd_ctl_elem_value *control;	724	struct snd_ctl_elem_value *control;
725	int result;	725	int result;
726		726
727	control = kmalloc(sizeof(*control), GFP_KERNEL);	727	control = memdup_user(_control, sizeof(*control));
728	if (control == NULL)	728	if (IS_ERR(control))
729	return -ENOMEM;	729	return PTR_ERR(control);
730	if (copy_from_user(control, _control, sizeof(*control))) {	730
731	kfree(control);
732	return -EFAULT;
733	}
734	snd_power_lock(card);	731	snd_power_lock(card);
735	result = snd_power_wait(card, SNDRV_CTL_POWER_D0);	732	result = snd_power_wait(card, SNDRV_CTL_POWER_D0);
736	if (result >= 0)	733	if (result >= 0)
@@ -784,13 +781,10 @@ static int snd_ctl_elem_write_user(struct snd_ctl_file *file,
784	struct snd_card *card;	781	struct snd_card *card;
785	int result;	782	int result;
786		783
787	control = kmalloc(sizeof(*control), GFP_KERNEL);	784	control = memdup_user(_control, sizeof(*control));
788	if (control == NULL)	785	if (IS_ERR(control))
789	return -ENOMEM;	786	return PTR_ERR(control);
790	if (copy_from_user(control, _control, sizeof(*control))) {	787
791	kfree(control);
792	return -EFAULT;
793	}
794	card = file->card;	788	card = file->card;
795	snd_power_lock(card);	789	snd_power_lock(card);
796	result = snd_power_wait(card, SNDRV_CTL_POWER_D0);	790	result = snd_power_wait(card, SNDRV_CTL_POWER_D0);
@@ -916,13 +910,10 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol,
916	if (op_flag > 0) {	910	if (op_flag > 0) {
917	if (size > 1024 * 128) /* sane value */	911	if (size > 1024 * 128) /* sane value */
918	return -EINVAL;	912	return -EINVAL;
919	new_data = kmalloc(size, GFP_KERNEL);	913
920	if (new_data == NULL)	914	new_data = memdup_user(tlv, size);
921	return -ENOMEM;	915	if (IS_ERR(new_data))
922	if (copy_from_user(new_data, tlv, size)) {	916	return PTR_ERR(new_data);
923	kfree(new_data);
924	return -EFAULT;
925	}
926	change = ue->tlv_data_size != size;	917	change = ue->tlv_data_size != size;
927	if (!change)	918	if (!change)
928	change = memcmp(ue->tlv_data, new_data, size);	919	change = memcmp(ue->tlv_data, new_data, size);


diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c index 36d7a5998234..08bfed594a83 100644 --- a/sound/core/pcm_compat.c +++ b/sound/core/pcm_compat.c
@@ -232,14 +232,11 @@ static int snd_pcm_ioctl_hw_params_compat(struct snd_pcm_substream *substream,
232	if (! (runtime = substream->runtime))	232	if (! (runtime = substream->runtime))
233	return -ENOTTY;	233	return -ENOTTY;
234		234
235	data = kmalloc(sizeof(*data), GFP_KERNEL);
236	if (data == NULL)
237	return -ENOMEM;
238	/* only fifo_size is different, so just copy all */	235	/* only fifo_size is different, so just copy all */
239	if (copy_from_user(data, data32, sizeof(*data32))) {	236	data = memdup_user(data32, sizeof(*data32));
240	err = -EFAULT;	237	if (IS_ERR(data))
241	goto error;	238	return PTR_ERR(data);
242	}	239
243	if (refine)	240	if (refine)
244	err = snd_pcm_hw_refine(substream, data);	241	err = snd_pcm_hw_refine(substream, data);
245	else	242	else


diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c index a151fb01ba82..fc6f98e257df 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c
@@ -327,21 +327,16 @@ static int snd_pcm_hw_refine_user(struct snd_pcm_substream *substream,
327	struct snd_pcm_hw_params *params;	327	struct snd_pcm_hw_params *params;
328	int err;	328	int err;
329		329
330	params = kmalloc(sizeof(*params), GFP_KERNEL);	330	params = memdup_user(_params, sizeof(*params));
331	if (!params) {	331	if (IS_ERR(params))
332	err = -ENOMEM;	332	return PTR_ERR(params);
333	goto out;	333
334	}
335	if (copy_from_user(params, _params, sizeof(*params))) {
336	err = -EFAULT;
337	goto out;
338	}
339	err = snd_pcm_hw_refine(substream, params);	334	err = snd_pcm_hw_refine(substream, params);
340	if (copy_to_user(_params, params, sizeof(*params))) {	335	if (copy_to_user(_params, params, sizeof(*params))) {
341	if (!err)	336	if (!err)
342	err = -EFAULT;	337	err = -EFAULT;
343	}	338	}
344	out:	339
345	kfree(params);	340	kfree(params);
346	return err;	341	return err;
347	}	342	}
@@ -465,21 +460,16 @@ static int snd_pcm_hw_params_user(struct snd_pcm_substream *substream,
465	struct snd_pcm_hw_params *params;	460	struct snd_pcm_hw_params *params;
466	int err;	461	int err;
467		462
468	params = kmalloc(sizeof(*params), GFP_KERNEL);	463	params = memdup_user(_params, sizeof(*params));
469	if (!params) {	464	if (IS_ERR(params))
470	err = -ENOMEM;	465	return PTR_ERR(params);
471	goto out;	466
472	}
473	if (copy_from_user(params, _params, sizeof(*params))) {
474	err = -EFAULT;
475	goto out;
476	}
477	err = snd_pcm_hw_params(substream, params);	467	err = snd_pcm_hw_params(substream, params);
478	if (copy_to_user(_params, params, sizeof(*params))) {	468	if (copy_to_user(_params, params, sizeof(*params))) {
479	if (!err)	469	if (!err)
480	err = -EFAULT;	470	err = -EFAULT;
481	}	471	}
482	out:	472
483	kfree(params);	473	kfree(params);
484	return err;	474	return err;
485	}	475	}
@@ -2593,13 +2583,11 @@ static int snd_pcm_playback_ioctl1(struct file *file,
2593	return -EFAULT;	2583	return -EFAULT;
2594	if (copy_from_user(&xfern, _xfern, sizeof(xfern)))	2584	if (copy_from_user(&xfern, _xfern, sizeof(xfern)))
2595	return -EFAULT;	2585	return -EFAULT;
2596	bufs = kmalloc(sizeof(void ) runtime->channels, GFP_KERNEL);	2586
2597	if (bufs == NULL)	2587	bufs = memdup_user(xfern.bufs,
2598	return -ENOMEM;	2588	sizeof(void ) runtime->channels);
2599	if (copy_from_user(bufs, xfern.bufs, sizeof(void ) runtime->channels)) {	2589	if (IS_ERR(bufs))
2600	kfree(bufs);	2590	return PTR_ERR(bufs);
2601	return -EFAULT;
2602	}
2603	result = snd_pcm_lib_writev(substream, bufs, xfern.frames);	2591	result = snd_pcm_lib_writev(substream, bufs, xfern.frames);
2604	kfree(bufs);	2592	kfree(bufs);
2605	__put_user(result, &_xfern->result);	2593	__put_user(result, &_xfern->result);
@@ -2675,13 +2663,11 @@ static int snd_pcm_capture_ioctl1(struct file *file,
2675	return -EFAULT;	2663	return -EFAULT;
2676	if (copy_from_user(&xfern, _xfern, sizeof(xfern)))	2664	if (copy_from_user(&xfern, _xfern, sizeof(xfern)))
2677	return -EFAULT;	2665	return -EFAULT;
2678	bufs = kmalloc(sizeof(void ) runtime->channels, GFP_KERNEL);	2666
2679	if (bufs == NULL)	2667	bufs = memdup_user(xfern.bufs,
2680	return -ENOMEM;	2668	sizeof(void ) runtime->channels);
2681	if (copy_from_user(bufs, xfern.bufs, sizeof(void ) runtime->channels)) {	2669	if (IS_ERR(bufs))
2682	kfree(bufs);	2670	return PTR_ERR(bufs);
2683	return -EFAULT;
2684	}
2685	result = snd_pcm_lib_readv(substream, bufs, xfern.frames);	2671	result = snd_pcm_lib_readv(substream, bufs, xfern.frames);
2686	kfree(bufs);	2672	kfree(bufs);
2687	__put_user(result, &_xfern->result);	2673	__put_user(result, &_xfern->result);
@@ -3312,18 +3298,12 @@ static int snd_pcm_hw_refine_old_user(struct snd_pcm_substream *substream,
3312	int err;	3298	int err;
3313		3299
3314	params = kmalloc(sizeof(*params), GFP_KERNEL);	3300	params = kmalloc(sizeof(*params), GFP_KERNEL);
3315	if (!params) {	3301	if (!params)
3316	err = -ENOMEM;	3302	return -ENOMEM;
3317	goto out;
3318	}
3319	oparams = kmalloc(sizeof(*oparams), GFP_KERNEL);
3320	if (!oparams) {
3321	err = -ENOMEM;
3322	goto out;
3323	}
3324		3303
3325	if (copy_from_user(oparams, _oparams, sizeof(*oparams))) {	3304	oparams = memdup_user(_oparams, sizeof(*oparams));
3326	err = -EFAULT;	3305	if (IS_ERR(oparams)) {
		3306	err = PTR_ERR(oparams);
3327	goto out;	3307	goto out;
3328	}	3308	}
3329	snd_pcm_hw_convert_from_old_params(params, oparams);	3309	snd_pcm_hw_convert_from_old_params(params, oparams);
@@ -3333,9 +3313,10 @@ static int snd_pcm_hw_refine_old_user(struct snd_pcm_substream *substream,
3333	if (!err)	3313	if (!err)
3334	err = -EFAULT;	3314	err = -EFAULT;
3335	}	3315	}
		3316
		3317	kfree(oparams);
3336	out:	3318	out:
3337	kfree(params);	3319	kfree(params);
3338	kfree(oparams);
3339	return err;	3320	return err;
3340	}	3321	}
3341		3322
@@ -3347,17 +3328,12 @@ static int snd_pcm_hw_params_old_user(struct snd_pcm_substream *substream,
3347	int err;	3328	int err;
3348		3329
3349	params = kmalloc(sizeof(*params), GFP_KERNEL);	3330	params = kmalloc(sizeof(*params), GFP_KERNEL);
3350	if (!params) {	3331	if (!params)
3351	err = -ENOMEM;	3332	return -ENOMEM;
3352	goto out;	3333
3353	}	3334	oparams = memdup_user(_oparams, sizeof(*oparams));
3354	oparams = kmalloc(sizeof(*oparams), GFP_KERNEL);	3335	if (IS_ERR(oparams)) {
3355	if (!oparams) {	3336	err = PTR_ERR(oparams);
3356	err = -ENOMEM;
3357	goto out;
3358	}
3359	if (copy_from_user(oparams, _oparams, sizeof(*oparams))) {
3360	err = -EFAULT;
3361	goto out;	3337	goto out;
3362	}	3338	}
3363	snd_pcm_hw_convert_from_old_params(params, oparams);	3339	snd_pcm_hw_convert_from_old_params(params, oparams);
@@ -3367,9 +3343,10 @@ static int snd_pcm_hw_params_old_user(struct snd_pcm_substream *substream,
3367	if (!err)	3343	if (!err)
3368	err = -EFAULT;	3344	err = -EFAULT;
3369	}	3345	}
		3346
		3347	kfree(oparams);
3370	out:	3348	out:
3371	kfree(params);	3349	kfree(params);
3372	kfree(oparams);
3373	return err;	3350	return err;
3374	}	3351	}
3375	#endif /* CONFIG_SND_SUPPORT_OLD_API */	3352	#endif /* CONFIG_SND_SUPPORT_OLD_API */


diff --git a/sound/core/seq/seq_compat.c b/sound/core/seq/seq_compat.c index 38693f47c262..c956fe462569 100644 --- a/sound/core/seq/seq_compat.c +++ b/sound/core/seq/seq_compat.c
@@ -48,12 +48,11 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned
48	struct snd_seq_port_info *data;	48	struct snd_seq_port_info *data;
49	mm_segment_t fs;	49	mm_segment_t fs;
50		50
51	data = kmalloc(sizeof(*data), GFP_KERNEL);	51	data = memdup_user(data32, sizeof(*data32));
52	if (! data)	52	if (IS_ERR(data))
53	return -ENOMEM;	53	return PTR_ERR(data);
54		54
55	if (copy_from_user(data, data32, sizeof(*data32)) \|\|	55	if (get_user(data->flags, &data32->flags) \|\|
56	get_user(data->flags, &data32->flags) \|\|
57	get_user(data->time_queue, &data32->time_queue))	56	get_user(data->time_queue, &data32->time_queue))
58	goto error;	57	goto error;
59	data->kernel = NULL;	58	data->kernel = NULL;


diff --git a/sound/core/timer.c b/sound/core/timer.c index 3f0050d0b71e..8f8b17ac074d 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c
@@ -1395,13 +1395,10 @@ static int snd_timer_user_ginfo(struct file *file,
1395	struct list_head *p;	1395	struct list_head *p;
1396	int err = 0;	1396	int err = 0;
1397		1397
1398	ginfo = kmalloc(sizeof(*ginfo), GFP_KERNEL);	1398	ginfo = memdup_user(_ginfo, sizeof(*ginfo));
1399	if (! ginfo)	1399	if (IS_ERR(ginfo))
1400	return -ENOMEM;	1400	return PTR_ERR(ginfo);
1401	if (copy_from_user(ginfo, _ginfo, sizeof(*ginfo))) {	1401
1402	kfree(ginfo);
1403	return -EFAULT;
1404	}
1405	tid = ginfo->tid;	1402	tid = ginfo->tid;
1406	memset(ginfo, 0, sizeof(*ginfo));	1403	memset(ginfo, 0, sizeof(*ginfo));
1407	ginfo->tid = tid;	1404	ginfo->tid = tid;