| Message ID | 200901211248.30794.ceggers@gmx.de |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
From: Christian Eggers <ceggers@gmx.de> Date: Wed, 21 Jan 2009 12:48:30 +0100 > mcs7830_set_reg() and mcs7830_get_reg() are called with buffers > from stack which must not be used directly for USB transfers. > This causes corruption of the stack particulary on non x86 > architectures because DMA may be used for these transfers. > > Signed-off-by: Christian Eggers <christian.eggers@kathrein.de> Applied, thanks everyone. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff -uprN linux-2.6.28.1.orig/drivers/net/usb/mcs7830.c linux-2.6.28.1/drivers/net/usb/mcs7830.c --- linux-2.6.28.1.orig/drivers/net/usb/mcs7830.c 2009-01-18 19:45:37.000000000 +0100 +++ linux-2.6.28.1/drivers/net/usb/mcs7830.c 2009-01-20 20:53:59.000000000 +0100 @@ -94,10 +94,18 @@ static int mcs7830_get_reg(struct usbnet { struct usb_device *xdev = dev->udev; int ret; + void *buffer; + + buffer = kmalloc(size, GFP_NOIO); + if (buffer == NULL) + return -ENOMEM; ret = usb_control_msg(xdev, usb_rcvctrlpipe(xdev, 0), MCS7830_RD_BREQ, - MCS7830_RD_BMREQ, 0x0000, index, data, + MCS7830_RD_BMREQ, 0x0000, index, buffer, size, MCS7830_CTRL_TIMEOUT); + memcpy(data, buffer, size); + kfree(buffer); + return ret; } @@ -105,10 +113,18 @@ static int mcs7830_set_reg(struct usbnet { struct usb_device *xdev = dev->udev; int ret; + void *buffer; + + buffer = kmalloc(size, GFP_NOIO); + if (buffer == NULL) + return -ENOMEM; + + memcpy(buffer, data, size); ret = usb_control_msg(xdev, usb_sndctrlpipe(xdev, 0), MCS7830_WR_BREQ, - MCS7830_WR_BMREQ, 0x0000, index, data, + MCS7830_WR_BMREQ, 0x0000, index, buffer, size, MCS7830_CTRL_TIMEOUT); + kfree(buffer); return ret; }