From: Hollis Blanchard <hollisb@us.ibm.com>

Another simple case of a memcpy that should be copy_from_user...

Also fix some error-path memory leaks.


 25-akpm/drivers/pnp/pnpbios/proc.c |   33 ++++++++++++++++++++++++---------
 1 files changed, 24 insertions(+), 9 deletions(-)

diff -puN drivers/pnp/pnpbios/proc.c~pnpbios-oops-leak-fix drivers/pnp/pnpbios/proc.c
--- 25/drivers/pnp/pnpbios/proc.c~pnpbios-oops-leak-fix	Mon Jun  2 14:14:08 2003
+++ 25-akpm/drivers/pnp/pnpbios/proc.c	Mon Jun  2 14:15:01 2003
@@ -29,6 +29,8 @@
 #include <linux/pnpbios.h>
 #include <linux/init.h>
 
+#include <asm/uaccess.h>
+
 static struct proc_dir_entry *proc_pnp = NULL;
 static struct proc_dir_entry *proc_pnp_boot = NULL;
 
@@ -178,18 +180,31 @@ static int proc_write_node(struct file *
 	struct pnp_bios_node *node;
 	int boot = (long)data >> 8;
 	u8 nodenum = (long)data;
+	int ret = count;
 
 	node = pnpbios_kmalloc(node_info.max_node_size, GFP_KERNEL);
-	if (!node) return -ENOMEM;
-	if ( pnp_bios_get_dev_node(&nodenum, boot, node) )
-		return -EIO;
-	if (count != node->size - sizeof(struct pnp_bios_node))
-		return -EINVAL;
-	memcpy(node->data, buf, count);
-	if (pnp_bios_set_dev_node(node->handle, boot, node) != 0)
-	    return -EINVAL;
+	if (!node)
+		return -ENOMEM;
+	if (pnp_bios_get_dev_node(&nodenum, boot, node)) {
+		ret = -EIO;
+		goto out;
+	}
+	if (count != node->size - sizeof(struct pnp_bios_node)) {
+		ret = -EINVAL;
+		goto out;
+	}
+	if (copy_from_user(node->data, buf, count)) {
+		ret = -EFAULT;
+		goto out;
+	}
+	if (pnp_bios_set_dev_node(node->handle, boot, node) != 0) {
+		ret = -EINVAL;
+		goto out;
+	}
+	ret = count;
+out:
 	kfree(node);
-	return count;
+	return ret;
 }
 
 int pnpbios_interface_attach_device(struct pnp_bios_node * node)

_