[PATCH 5/5 v2] [media] lmedm04: get rid of on-stack dma buffers

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Florian Mickler <florian@mickler.org>
To: mchehab@infradead.org
Cc: linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
	crope@iki.fi, tvboxspy@gmail.com,
	Florian Mickler <florian@mickler.org>
Subject: [PATCH 5/5 v2] [media] lmedm04: get rid of on-stack dma buffers
Date: Sun, 20 Mar 2011 22:50:52 +0100	[thread overview]
Message-ID: <1300657852-29318-6-git-send-email-florian@mickler.org> (raw)
In-Reply-To: <1300657852-29318-1-git-send-email-florian@mickler.org>

usb_control_msg initiates (and waits for completion of) a dma transfer using
the supplied buffer. That buffer thus has to be seperately allocated on
the heap.

In lib/dma_debug.c the function check_for_stack even warns about it:
	WARNING: at lib/dma-debug.c:866 check_for_stack

Tested-By: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Florian Mickler <florian@mickler.org>

---

[v2: fix use after free as noted by Malcom]

drivers/media/dvb/dvb-usb/lmedm04.c |   19 +++++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/drivers/media/dvb/dvb-usb/lmedm04.c b/drivers/media/dvb/dvb-usb/lmedm04.c
index 0a3e88f..8a79354 100644
--- a/drivers/media/dvb/dvb-usb/lmedm04.c
+++ b/drivers/media/dvb/dvb-usb/lmedm04.c
@@ -314,13 +314,19 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
 static int lme2510_return_status(struct usb_device *dev)
 {
 	int ret = 0;
-	u8 data[10] = {0};
+	u8 *data;
+
+	data = kzalloc(10, GFP_KERNEL);
+	if (!data)
+		return -ENOMEM;
 
 	ret |= usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
 			0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
 	info("Firmware Status: %x (%x)", ret , data[2]);
 
-	return (ret < 0) ? -ENODEV : data[2];
+	ret = (ret < 0) ? -ENODEV : data[2];
+	kfree(data);
+	return ret;
 }
 
 static int lme2510_msg(struct dvb_usb_device *d,
@@ -603,7 +609,7 @@ static int lme2510_download_firmware(struct usb_device *dev,
 					const struct firmware *fw)
 {
 	int ret = 0;
-	u8 data[512] = {0};
+	u8 *data;
 	u16 j, wlen, len_in, start, end;
 	u8 packet_size, dlen, i;
 	u8 *fw_data;
@@ -611,6 +617,11 @@ static int lme2510_download_firmware(struct usb_device *dev,
 	packet_size = 0x31;
 	len_in = 1;
 
+	data = kzalloc(512, GFP_KERNEL);
+	if (!data) {
+		info("FRM Could not start Firmware Download (Buffer allocation failed)");
+		return -ENOMEM;
+	}
 
 	info("FRM Starting Firmware Download");
 
@@ -654,7 +665,7 @@ static int lme2510_download_firmware(struct usb_device *dev,
 	else
 		info("FRM Firmware Download Completed - Resetting Device");
 
-
+	kfree(data);
 	return (ret < 0) ? -ENODEV : 0;
 }
 
-- 
1.7.4.1

next prev parent reply	other threads:[~2011-03-20 21:51 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-03-20 21:50 [PATCH 0/5] get rid of on-stack dma buffers (part1) Florian Mickler
2011-03-20 21:50 ` [PATCH 1/5] [media] ec168: get rid of on-stack dma buffers Florian Mickler
2011-03-20 21:50 ` [PATCH 2/5] [media] ce6230: get rid of on-stack dma buffer Florian Mickler
2011-03-20 21:50 ` [PATCH 3/5] [media] au6610: " Florian Mickler
2011-03-20 21:50 ` [PATCH 4/5] [media] lmedm04: correct indentation Florian Mickler
2011-03-20 21:50 ` Florian Mickler [this message]
2011-04-30 18:54 ` [PATCH 0/5] get rid of on-stack dma buffers (part1) Florian Mickler
2011-04-30 22:30   ` Mauro Carvalho Chehab
2011-05-01 10:38     ` Florian Mickler
2011-05-01 15:59       ` Mauro Carvalho Chehab

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0a3e88f dfblob:8a79354 )
 OR (
bs:"[PATCH 5/5 v2] [media] lmedm04: get rid of on-stack dma buffers" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1300657852-29318-6-git-send-email-florian@mickler.org \
    --to=florian@mickler.org \
    --cc=crope@iki.fi \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@infradead.org \
    --cc=tvboxspy@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).