From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johan Hovold <jhovold@gmail.com>
Subject: [ 06/12] USB: mos7720: fix broken control requests
Date: Sun, 18 Aug 2013 13:30:15 -0700 [thread overview]
Message-ID: <20130818202951.180661317@linuxfoundation.org> (raw)
In-Reply-To: <20130818202949.875887601@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
commit ef6c8c1d733e244f0499035be0dabe1f4ed98c6f upstream.
The parallel-port code of the drivers used a stack allocated
control-request buffer for asynchronous (and possibly deferred) control
requests. This not only violates the no-DMA-from-stack requirement but
could also lead to corrupt control requests being submitted.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/mos7720.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -97,6 +97,7 @@ struct urbtracker {
struct list_head urblist_entry;
struct kref ref_count;
struct urb *urb;
+ struct usb_ctrlrequest *setup;
};
enum mos7715_pp_modes {
@@ -279,6 +280,7 @@ static void destroy_urbtracker(struct kr
struct mos7715_parport *mos_parport = urbtrack->mos_parport;
dbg("%s called", __func__);
usb_free_urb(urbtrack->urb);
+ kfree(urbtrack->setup);
kfree(urbtrack);
kref_put(&mos_parport->ref_count, destroy_mos_parport);
}
@@ -363,7 +365,6 @@ static int write_parport_reg_nonblock(st
struct urbtracker *urbtrack;
int ret_val;
unsigned long flags;
- struct usb_ctrlrequest setup;
struct usb_serial *serial = mos_parport->serial;
struct usb_device *usbdev = serial->dev;
dbg("%s called", __func__);
@@ -382,14 +383,20 @@ static int write_parport_reg_nonblock(st
kfree(urbtrack);
return -ENOMEM;
}
- setup.bRequestType = (__u8)0x40;
- setup.bRequest = (__u8)0x0e;
- setup.wValue = get_reg_value(reg, dummy);
- setup.wIndex = get_reg_index(reg);
- setup.wLength = 0;
+ urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_KERNEL);
+ if (!urbtrack->setup) {
+ usb_free_urb(urbtrack->urb);
+ kfree(urbtrack);
+ return -ENOMEM;
+ }
+ urbtrack->setup->bRequestType = (__u8)0x40;
+ urbtrack->setup->bRequest = (__u8)0x0e;
+ urbtrack->setup->wValue = get_reg_value(reg, dummy);
+ urbtrack->setup->wIndex = get_reg_index(reg);
+ urbtrack->setup->wLength = 0;
usb_fill_control_urb(urbtrack->urb, usbdev,
usb_sndctrlpipe(usbdev, 0),
- (unsigned char *)&setup,
+ (unsigned char *)urbtrack->setup,
NULL, 0, async_complete, urbtrack);
kref_init(&urbtrack->ref_count);
INIT_LIST_HEAD(&urbtrack->urblist_entry);
next prev parent reply other threads:[~2013-08-18 20:30 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-18 20:30 [ 00/12] 3.0.92-stable review Greg Kroah-Hartman
2013-08-18 20:30 ` [ 01/12] futex: Take hugepages into account when generating futex_key Greg Kroah-Hartman
2013-08-18 20:30 ` [ 02/12] CRIS: Add _sdata to vmlinux.lds.S Greg Kroah-Hartman
2013-08-18 20:30 ` [ 03/12] af_key: initialize satype in key_notify_policy_flush() Greg Kroah-Hartman
2013-08-18 20:30 ` [ 04/12] genetlink: fix family dump race Greg Kroah-Hartman
2013-08-18 20:30 ` [ 05/12] usb: add two quirky touchscreen Greg Kroah-Hartman
2013-08-18 20:30 ` Greg Kroah-Hartman [this message]
2013-08-18 20:30 ` [ 07/12] sparc32: add ucmpdi2 Greg Kroah-Hartman
2013-08-18 20:30 ` [ 08/12] sparc32: Add ucmpdi2.o to obj-y instead of lib-y Greg Kroah-Hartman
2013-08-18 20:30 ` [ 09/12] powerpc: Use -mtraceback=no Greg Kroah-Hartman
2013-08-18 20:30 ` [ 10/12] m68k/atari: ARAnyM - Fix NatFeat module support Greg Kroah-Hartman
2013-08-18 20:30 ` [ 11/12] ARM: 7080/1: l2x0: make sure I&D are not locked down on init Greg Kroah-Hartman
2013-08-18 20:30 ` [ 12/12] vm: add no-mmu vm_iomap_memory() stub Greg Kroah-Hartman
2013-08-18 20:37 ` [ 00/12] 3.0.92-stable review Geert Uytterhoeven
2013-08-18 20:52 ` Greg Kroah-Hartman
2013-08-19 1:39 ` Guenter Roeck
2013-08-19 22:53 ` Shuah Khan
2013-08-19 23:10 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130818202951.180661317@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jhovold@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.