From patchwork Wed Jan 21 11:48:30 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Eggers X-Patchwork-Id: 19652 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id C87CADDE0A for ; Wed, 21 Jan 2009 22:48:42 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758215AbZAULsj (ORCPT ); Wed, 21 Jan 2009 06:48:39 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1757391AbZAULsj (ORCPT ); Wed, 21 Jan 2009 06:48:39 -0500 Received: from mout2.freenet.de ([195.4.92.92]:36678 "EHLO mout2.freenet.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756180AbZAULsi (ORCPT ); Wed, 21 Jan 2009 06:48:38 -0500 Received: from [195.4.92.23] (helo=13.mx.freenet.de) by mout2.freenet.de with esmtpa (ID wgnetz@freenet.de) (port 25) (Exim 4.69 #76) id 1LPbZS-00032B-I4; Wed, 21 Jan 2009 12:48:34 +0100 Received: from p57a34e14.dip.t-dialin.net ([87.163.78.20]:59166 helo=server.wgnetz.xx) by 13.mx.freenet.de with esmtpsa (ID wgnetz@freenet.de) (TLSv1:AES256-SHA:256) (port 25) (Exim 4.69 #76) id 1LPbZS-0003Ah-Bd; Wed, 21 Jan 2009 12:48:34 +0100 Received: from [192.168.0.40] (helo=p2400.wgnetz.xx) by server.wgnetz.xx with esmtp (Exim 4.63) (envelope-from ) id 1LPbZV-0002nN-Bw; Wed, 21 Jan 2009 12:48:37 +0100 From: Christian Eggers To: netdev@vger.kernel.org Subject: [Resubmit] [PATCH] usb/mcs7830: Don't use buffers from stack for USB transfers Date: Wed, 21 Jan 2009 12:48:30 +0100 User-Agent: KMail/1.9.9 Cc: torvalds@osdl.org, linux-kernel@vger.kernel.org MIME-Version: 1.0 Content-Disposition: inline Message-Id: <200901211248.30794.ceggers@gmx.de> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Christian Eggers mcs7830_set_reg() and mcs7830_get_reg() are called with buffers from stack which must not be used directly for USB transfers. This causes corruption of the stack particulary on non x86 architectures because DMA may be used for these transfers. Signed-off-by: Christian Eggers --- This mail was sent by KMail. I hope tabs/spaces are ok now. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff -uprN linux-2.6.28.1.orig/drivers/net/usb/mcs7830.c linux-2.6.28.1/drivers/net/usb/mcs7830.c --- linux-2.6.28.1.orig/drivers/net/usb/mcs7830.c 2009-01-18 19:45:37.000000000 +0100 +++ linux-2.6.28.1/drivers/net/usb/mcs7830.c 2009-01-20 20:53:59.000000000 +0100 @@ -94,10 +94,18 @@ static int mcs7830_get_reg(struct usbnet { struct usb_device *xdev = dev->udev; int ret; + void *buffer; + + buffer = kmalloc(size, GFP_NOIO); + if (buffer == NULL) + return -ENOMEM; ret = usb_control_msg(xdev, usb_rcvctrlpipe(xdev, 0), MCS7830_RD_BREQ, - MCS7830_RD_BMREQ, 0x0000, index, data, + MCS7830_RD_BMREQ, 0x0000, index, buffer, size, MCS7830_CTRL_TIMEOUT); + memcpy(data, buffer, size); + kfree(buffer); + return ret; } @@ -105,10 +113,18 @@ static int mcs7830_set_reg(struct usbnet { struct usb_device *xdev = dev->udev; int ret; + void *buffer; + + buffer = kmalloc(size, GFP_NOIO); + if (buffer == NULL) + return -ENOMEM; + + memcpy(buffer, data, size); ret = usb_control_msg(xdev, usb_sndctrlpipe(xdev, 0), MCS7830_WR_BREQ, - MCS7830_WR_BMREQ, 0x0000, index, data, + MCS7830_WR_BMREQ, 0x0000, index, buffer, size, MCS7830_CTRL_TIMEOUT); + kfree(buffer); return ret; }