Skip to content

Commit

Permalink
Staging: rtl8192u: Do not DMA on the stack
Browse files Browse the repository at this point in the history 
Fix error "doing DMA on the stack" by using kzalloc for buffer
allocation.
Issue found by smatch.

Signed-off-by: Ksenija Stanojevic <[email protected]>
Reviewed-by: Arnd Bergmann <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
  • Loading branch information
@KsenijaS @gregkh
KsenijaS authored and gregkh committed Oct 13, 2015
1 parent 806e6e1 commit 075eb0d
Showing 1 changed file with 63 additions and 9 deletions.
72 changes: 63 additions & 9 deletions drivers/staging/rtl8192u/r8192U_core.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -259,10 +259,16 @@ void write_nic_byte_E(struct net_device *dev, int indx, u8 data)
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
u8 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);

if (!usbdata)
return;
*usbdata = data;

status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
indx | 0xfe00, 0, &data, 1, HZ / 2);
indx | 0xfe00, 0, usbdata, 1, HZ / 2);
kfree(usbdata);

if (status < 0)
netdev_err(dev, "write_nic_byte_E TimeOut! status: %d\n",
Expand All @@ -274,10 +280,16 @@ int read_nic_byte_E(struct net_device *dev, int indx, u8 *data)
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
u8 *usbdata = kzalloc(sizeof(u8), GFP_KERNEL);

if (!usbdata)
return -ENOMEM;

status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
indx | 0xfe00, 0, data, 1, HZ / 2);
indx | 0xfe00, 0, usbdata, 1, HZ / 2);
*data = *usbdata;
kfree(usbdata);

if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
Expand All @@ -293,11 +305,17 @@ void write_nic_byte(struct net_device *dev, int indx, u8 data)

struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
u8 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);

if (!usbdata)
return;
*usbdata = data;

status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
&data, 1, HZ / 2);
usbdata, 1, HZ / 2);
kfree(usbdata);

if (status < 0)
netdev_err(dev, "write_nic_byte TimeOut! status: %d\n", status);
Expand All @@ -313,11 +331,17 @@ void write_nic_word(struct net_device *dev, int indx, u16 data)

struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
u16 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);

if (!usbdata)
return;
*usbdata = data;

status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
&data, 2, HZ / 2);
usbdata, 2, HZ / 2);
kfree(usbdata);

if (status < 0)
netdev_err(dev, "write_nic_word TimeOut! status: %d\n", status);
Expand All @@ -332,11 +356,17 @@ void write_nic_dword(struct net_device *dev, int indx, u32 data)

struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
u32 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);

if (!usbdata)
return;
*usbdata = data;

status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
&data, 4, HZ / 2);
usbdata, 4, HZ / 2);
kfree(usbdata);


if (status < 0)
Expand All @@ -352,11 +382,17 @@ int read_nic_byte(struct net_device *dev, int indx, u8 *data)
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
u8 *usbdata = kzalloc(sizeof(u8), GFP_KERNEL);

if (!usbdata)
return -ENOMEM;

status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
data, 1, HZ / 2);
usbdata, 1, HZ / 2);
*data = *usbdata;
kfree(usbdata);

if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
Expand All @@ -373,11 +409,17 @@ int read_nic_word(struct net_device *dev, int indx, u16 *data)
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
u16 *usbdata = kzalloc(sizeof(u16), GFP_KERNEL);

if (!usbdata)
return -ENOMEM;

status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
data, 2, HZ / 2);
usbdata, 2, HZ / 2);
*data = *usbdata;
kfree(usbdata);

if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
Expand All @@ -392,10 +434,16 @@ static int read_nic_word_E(struct net_device *dev, int indx, u16 *data)
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
u16 *usbdata = kzalloc(sizeof(u16), GFP_KERNEL);

if (!usbdata)
return -ENOMEM;

status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
indx | 0xfe00, 0, data, 2, HZ / 2);
indx | 0xfe00, 0, usbdata, 2, HZ / 2);
*data = *usbdata;
kfree(usbdata);

if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
Expand All @@ -411,11 +459,17 @@ int read_nic_dword(struct net_device *dev, int indx, u32 *data)

struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
u32 *usbdata = kzalloc(sizeof(u32), GFP_KERNEL);

if (!usbdata)
return -ENOMEM;

status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
data, 4, HZ / 2);
usbdata, 4, HZ / 2);
*data = *usbdata;
kfree(usbdata);

if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
Expand Down

0 comments on commit 075eb0d

Please sign in to comment.