From b96bb6529471c250c32459afe4c6b067b54d8f9f Mon Sep 17 00:00:00 2001
From: Kulikov Vasiliy <segooon@gmail.com>
Date: Wed, 28 Jul 2010 20:41:56 +0400
Subject: [PATCH] --- yaml --- r: 206695 b: refs/heads/master c:
 ec9d04b2a8f00b14a3df4714820cb2cda46dc4d6 h: refs/heads/master i:   206693:
 cb56281fc9892e460e668002442acbae06cf6599   206691:
 92b3737d8fd96f79f933add866cdc472df86bda6   206687:
 c18f559c272bae02c43e1df76b370f478816532b v: v3

---
 [refs]                           |  2 +-
 trunk/sound/pci/asihpi/hpioctl.c | 17 +++++++++++++----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/[refs] b/[refs]
index 849e4c7c2b0c..165906cbdbe5 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: b3390ceab95601afc12213c3ec5551d3bc7b638f
+refs/heads/master: ec9d04b2a8f00b14a3df4714820cb2cda46dc4d6
diff --git a/trunk/sound/pci/asihpi/hpioctl.c b/trunk/sound/pci/asihpi/hpioctl.c
index 311499992a22..62895a719fcb 100644
--- a/trunk/sound/pci/asihpi/hpioctl.c
+++ b/trunk/sound/pci/asihpi/hpioctl.c
@@ -121,11 +121,17 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 	phpi_ioctl_data = (struct hpi_ioctl_linux __user *)arg;
 
 	/* Read the message and response pointers from user space.  */
-	get_user(puhm, &phpi_ioctl_data->phm);
-	get_user(puhr, &phpi_ioctl_data->phr);
+	if (get_user(puhm, &phpi_ioctl_data->phm) ||
+	    get_user(puhr, &phpi_ioctl_data->phr)) {
+		err = -EFAULT;
+		goto out;
+	}
 
 	/* Now read the message size and data from user space.  */
-	get_user(hm->h.size, (u16 __user *)puhm);
+	if (get_user(hm->h.size, (u16 __user *)puhm)) {
+		err = -EFAULT;
+		goto out;
+	}
 	if (hm->h.size > sizeof(*hm))
 		hm->h.size = sizeof(*hm);
 
@@ -138,7 +144,10 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 		goto out;
 	}
 
-	get_user(res_max_size, (u16 __user *)puhr);
+	if (get_user(res_max_size, (u16 __user *)puhr)) {
+		err = -EFAULT;
+		goto out;
+	}
 	/* printk(KERN_INFO "user response size %d\n", res_max_size); */
 	if (res_max_size < sizeof(struct hpi_response_header)) {
 		HPI_DEBUG_LOG(WARNING, "small res size %d\n", res_max_size);