[PATCH 5/5 v2] [media] lmedm04: get rid of on-stack dma buffers

From: Florian Mickler
Date: Sun Mar 20 2011 - 17:52:05 EST

Next message: Florian Mickler: "[PATCH 1/5] [media] ec168: get rid of on-stack dma buffers"
Previous message: Rafael Fernandez: "[PATCH] Code style issues fixed."
In reply to: Florian Mickler: "[PATCH 0/5] get rid of on-stack dma buffers (part1)"
Next in thread: Florian Mickler: "[PATCH 1/5] [media] ec168: get rid of on-stack dma buffers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

usb_control_msg initiates (and waits for completion of) a dma transfer using
the supplied buffer. That buffer thus has to be seperately allocated on
the heap.

In lib/dma_debug.c the function check_for_stack even warns about it:
WARNING: at lib/dma-debug.c:866 check_for_stack

Tested-By: Malcolm Priestley <tvboxspy@xxxxxxxxx>
Signed-off-by: Florian Mickler <florian@xxxxxxxxxxx>

---

[v2: fix use after free as noted by Malcom]

drivers/media/dvb/dvb-usb/lmedm04.c | 19 +++++++++++++++----
1 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/drivers/media/dvb/dvb-usb/lmedm04.c b/drivers/media/dvb/dvb-usb/lmedm04.c
index 0a3e88f..8a79354 100644
--- a/drivers/media/dvb/dvb-usb/lmedm04.c
+++ b/drivers/media/dvb/dvb-usb/lmedm04.c
@@ -314,13 +314,19 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
static int lme2510_return_status(struct usb_device *dev)
{
int ret = 0;
- u8 data[10] = {0};
+ u8 *data;
+
+ data = kzalloc(10, GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;

ret |= usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
info("Firmware Status: %x (%x)", ret , data[2]);

- return (ret < 0) ? -ENODEV : data[2];
+ ret = (ret < 0) ? -ENODEV : data[2];
+ kfree(data);
+ return ret;
}

static int lme2510_msg(struct dvb_usb_device *d,
@@ -603,7 +609,7 @@ static int lme2510_download_firmware(struct usb_device *dev,
const struct firmware *fw)
{
int ret = 0;
- u8 data[512] = {0};
+ u8 *data;
u16 j, wlen, len_in, start, end;
u8 packet_size, dlen, i;
u8 *fw_data;
@@ -611,6 +617,11 @@ static int lme2510_download_firmware(struct usb_device *dev,
packet_size = 0x31;
len_in = 1;

+ data = kzalloc(512, GFP_KERNEL);
+ if (!data) {
+ info("FRM Could not start Firmware Download (Buffer allocation failed)");
+ return -ENOMEM;
+ }

info("FRM Starting Firmware Download");

@@ -654,7 +665,7 @@ static int lme2510_download_firmware(struct usb_device *dev,
else
info("FRM Firmware Download Completed - Resetting Device");

-
+ kfree(data);
return (ret < 0) ? -ENODEV : 0;
}

--
1.7.4.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Florian Mickler: "[PATCH 1/5] [media] ec168: get rid of on-stack dma buffers"
Previous message: Rafael Fernandez: "[PATCH] Code style issues fixed."
In reply to: Florian Mickler: "[PATCH 0/5] get rid of on-stack dma buffers (part1)"
Next in thread: Florian Mickler: "[PATCH 1/5] [media] ec168: get rid of on-stack dma buffers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]