* [PATCH] staging: comedi: drivers: usbduxsigma.c: fix DMA buffers on stack
@ 2013-02-21 17:47 Kumar Amit Mehta
2013-02-21 18:47 ` Dan Carpenter
0 siblings, 1 reply; 2+ messages in thread
From: Kumar Amit Mehta @ 2013-02-21 17:47 UTC (permalink / raw)
To: abbotti; +Cc: fmhess, gregkh, hsweeten, devel, linux-kernel, kernel-janitors
This patch fixes an instance of DMA buffer on stack(being passed to
usb_control_msg)for the USB-DUXsigma Board driver. Found using smatch.
Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
---
drivers/staging/comedi/drivers/usbduxsigma.c | 37 +++++++++++++++++---------
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/drivers/staging/comedi/drivers/usbduxsigma.c b/drivers/staging/comedi/drivers/usbduxsigma.c
index dc6b017..46137e8 100644
--- a/drivers/staging/comedi/drivers/usbduxsigma.c
+++ b/drivers/staging/comedi/drivers/usbduxsigma.c
@@ -681,10 +681,14 @@ static void usbduxsub_ao_IsocIrq(struct urb *urb)
static int usbduxsub_start(struct usbduxsub *usbduxsub)
{
int errcode = 0;
- uint8_t local_transfer_buffer[16];
-
+ uint8_t *local_transfer_buffer;
+ local_transfer_buffer = kmalloc(16, GFP_KERNEL);
+ if (!local_transfer_buffer) {
+ errcode = -ENOMEM;
+ goto exit;
+ }
/* 7f92 to zero */
- local_transfer_buffer[0] = 0;
+ *local_transfer_buffer = 0;
errcode = usb_control_msg(usbduxsub->usbdev,
/* create a pipe for a control transfer */
usb_sndctrlpipe(usbduxsub->usbdev, 0),
@@ -702,22 +706,28 @@ static int usbduxsub_start(struct usbduxsub *usbduxsub)
1,
/* Timeout */
BULK_TIMEOUT);
- if (errcode < 0) {
+ if (errcode < 0)
dev_err(&usbduxsub->interface->dev,
"comedi_: control msg failed (start)\n");
- return errcode;
- }
- return 0;
+
+ kfree(local_transfer_buffer);
+exit:
+ return errcode;
}
static int usbduxsub_stop(struct usbduxsub *usbduxsub)
{
int errcode = 0;
- uint8_t local_transfer_buffer[16];
+ uint8_t *local_transfer_buffer;
+ local_transfer_buffer = kmalloc(16, GFP_KERNEL);
+ if (!local_transfer_buffer) {
+ errcode = -ENOMEM;
+ goto exit;
+ }
/* 7f92 to one */
- local_transfer_buffer[0] = 1;
+ *local_transfer_buffer = 1;
errcode = usb_control_msg(usbduxsub->usbdev,
usb_sndctrlpipe(usbduxsub->usbdev, 0),
/* bRequest, "Firmware" */
@@ -732,12 +742,13 @@ static int usbduxsub_stop(struct usbduxsub *usbduxsub)
1,
/* Timeout */
BULK_TIMEOUT);
- if (errcode < 0) {
+ if (errcode < 0)
dev_err(&usbduxsub->interface->dev,
"comedi_: control msg failed (stop)\n");
- return errcode;
- }
- return 0;
+
+ kfree(local_transfer_buffer);
+exit:
+ return errcode;
}
static int usbduxsub_upload(struct usbduxsub *usbduxsub,
--
1.7.9.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] staging: comedi: drivers: usbduxsigma.c: fix DMA buffers on stack
2013-02-21 17:47 [PATCH] staging: comedi: drivers: usbduxsigma.c: fix DMA buffers on stack Kumar Amit Mehta
@ 2013-02-21 18:47 ` Dan Carpenter
0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2013-02-21 18:47 UTC (permalink / raw)
To: Kumar Amit Mehta
Cc: abbotti, devel, fmhess, gregkh, kernel-janitors, linux-kernel
A couple small style issues.
On Thu, Feb 21, 2013 at 09:47:06AM -0800, Kumar Amit Mehta wrote:
> This patch fixes an instance of DMA buffer on stack(being passed to
> usb_control_msg)for the USB-DUXsigma Board driver. Found using smatch.
>
> Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
> ---
> drivers/staging/comedi/drivers/usbduxsigma.c | 37 +++++++++++++++++---------
> 1 file changed, 24 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/staging/comedi/drivers/usbduxsigma.c b/drivers/staging/comedi/drivers/usbduxsigma.c
> index dc6b017..46137e8 100644
> --- a/drivers/staging/comedi/drivers/usbduxsigma.c
> +++ b/drivers/staging/comedi/drivers/usbduxsigma.c
> @@ -681,10 +681,14 @@ static void usbduxsub_ao_IsocIrq(struct urb *urb)
> static int usbduxsub_start(struct usbduxsub *usbduxsub)
> {
> int errcode = 0;
> - uint8_t local_transfer_buffer[16];
> -
> + uint8_t *local_transfer_buffer;
Put a blank line here between the declaration and the code.
> + local_transfer_buffer = kmalloc(16, GFP_KERNEL);
> + if (!local_transfer_buffer) {
> + errcode = -ENOMEM;
> + goto exit;
Just return directly.
> + }
> /* 7f92 to zero */
> - local_transfer_buffer[0] = 0;
> + *local_transfer_buffer = 0;
The original is sort of nicer. local_transfer is an array and we're
setting the first element. It seems more clear to me. Also I
already had to argue with everyone to get comedi to use arrays
instead of pointer math. :P
I wonder why we have a 16 byte array when we only use the first
byte and we pass 1 as the length to usb_control_msg(). Odd.
Perhaps it shouldn't be an array after all.
regards,
dan carpenter
> static int usbduxsub_stop(struct usbduxsub *usbduxsub)
> {
> int errcode = 0;
>
Delete this blank line...
> - uint8_t local_transfer_buffer[16];
> + uint8_t *local_transfer_buffer;
> + local_transfer_buffer = kmalloc(16, GFP_KERNEL);
> + if (!local_transfer_buffer) {
> + errcode = -ENOMEM;
> + goto exit;
> + }
>
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-02-21 18:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-02-21 17:47 [PATCH] staging: comedi: drivers: usbduxsigma.c: fix DMA buffers on stack Kumar Amit Mehta
2013-02-21 18:47 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).