From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 14 Feb 2017 23:15:44 +0000 (+0300)
Subject: staging: bcm2835-audio: allocate enough data for work queues
X-Git-Tag: v4.11-rc1~116^2~22
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f5e2199ae574245b56b32e047c93625a28fe3b3a;p=platform%2Fkernel%2Flinux-exynos.git

staging: bcm2835-audio: allocate enough data for work queues

We accidentally allocate sizeof(void *) bytes instead of 112 bytes.  It
results in memory corruption.

Fixes: 23b028c871e1 ("staging: bcm2835-audio: initial staging submission")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/staging/bcm2835-audio/bcm2835-vchiq.c b/drivers/staging/bcm2835-audio/bcm2835-vchiq.c
index af0cd0b..fa23a13 100644
--- a/drivers/staging/bcm2835-audio/bcm2835-vchiq.c
+++ b/drivers/staging/bcm2835-audio/bcm2835-vchiq.c
@@ -135,8 +135,9 @@ int bcm2835_audio_start(struct bcm2835_alsa_stream *alsa_stream)
 
 	LOG_DBG(" .. IN\n");
 	if (alsa_stream->my_wq) {
-		struct bcm2835_audio_work *work =
-			kmalloc(sizeof(struct bcm2835_audio_work *), GFP_ATOMIC);
+		struct bcm2835_audio_work *work;
+
+		work = kmalloc(sizeof(*work), GFP_ATOMIC);
 		/*--- Queue some work (item 1) ---*/
 		if (work) {
 			INIT_WORK(&work->my_work, my_wq_function);
@@ -157,8 +158,9 @@ int bcm2835_audio_stop(struct bcm2835_alsa_stream *alsa_stream)
 
 	LOG_DBG(" .. IN\n");
 	if (alsa_stream->my_wq) {
-		struct bcm2835_audio_work *work =
-			kmalloc(sizeof(struct bcm2835_audio_work *), GFP_ATOMIC);
+		struct bcm2835_audio_work *work;
+
+		work = kmalloc(sizeof(*work), GFP_ATOMIC);
 		/*--- Queue some work (item 1) ---*/
 		if (work) {
 			INIT_WORK(&work->my_work, my_wq_function);
@@ -180,8 +182,9 @@ int bcm2835_audio_write(struct bcm2835_alsa_stream *alsa_stream,
 
 	LOG_DBG(" .. IN\n");
 	if (alsa_stream->my_wq) {
-		struct bcm2835_audio_work *work =
-			kmalloc(sizeof(struct bcm2835_audio_work *), GFP_ATOMIC);
+		struct bcm2835_audio_work *work;
+
+		work = kmalloc(sizeof(*work), GFP_ATOMIC);
 		/*--- Queue some work (item 1) ---*/
 		if (work) {
 			INIT_WORK(&work->my_work, my_wq_function);