Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
phyus
/
linux-vybrid_public
8
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Pārlūkot izejas kodu

ums_realtek: do not use stack memory for DMA

This patch changes rts51x_read_mem, rts51x_write_mem, and rts51x_read_status to
allocate temporary buffers with kmalloc. This way stack addresses are not used
for DMA when these functions call rts51x_bulk_transport.

Signed-off-by: Adam Cozzette <acozzette@cs.hmc.edu>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Adam Cozzette 14 gadi atpakaļ
vecāks
5de9ec4dc1
revīzija
065e60964e
1 mainītis faili ar 30 papildinājumiem un 5 dzēšanām
Apvienotais skats Rādīt salīdzināšanas statistiku
  1. 30 5
      drivers/usb/storage/realtek_cr.c

+ 30 - 5
drivers/usb/storage/realtek_cr.c
Parādīt failu 

@@ -320,6 +320,11 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
 
 {
 
 {
 
 	int retval;
 
 	int retval;
 
 	u8 cmnd[12] = { 0 };
 
 	u8 cmnd[12] = { 0 };
 
+	u8 *buf;
 
+
 
+	buf = kmalloc(len, GFP_NOIO);
 
+	if (buf == NULL)
 
+		return USB_STOR_TRANSPORT_ERROR;
 
 
 
 	US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
 
 	US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
 
 
 
@@ -331,10 +336,14 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
 
 	cmnd[5] = (u8) len;
 
 	cmnd[5] = (u8) len;
 
 
 
 	retval = rts51x_bulk_transport(us, 0, cmnd, 12,
 
 	retval = rts51x_bulk_transport(us, 0, cmnd, 12,
 
-				       data, len, DMA_FROM_DEVICE, NULL);
 
-	if (retval != USB_STOR_TRANSPORT_GOOD)
 
+				       buf, len, DMA_FROM_DEVICE, NULL);
 
+	if (retval != USB_STOR_TRANSPORT_GOOD) {
 
+		kfree(buf);
 
 		return -EIO;
 
 		return -EIO;
 
+	}
 
 
 
+	memcpy(data, buf, len);
 
+	kfree(buf);
 
 	return 0;
 
 	return 0;
 
 }
 
 }
 
 
 
@@ -342,6 +351,12 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
 
 {
 
 {
 
 	int retval;
 
 	int retval;
 
 	u8 cmnd[12] = { 0 };
 
 	u8 cmnd[12] = { 0 };
 
+	u8 *buf;
 
+
 
+	buf = kmalloc(len, GFP_NOIO);
 
+	if (buf == NULL)
 
+		return USB_STOR_TRANSPORT_ERROR;
 
+	memcpy(buf, data, len);
 
 
 
 	US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
 
 	US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
 
 
 
@@ -353,7 +368,8 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
 
 	cmnd[5] = (u8) len;
 
 	cmnd[5] = (u8) len;
 
 
 
 	retval = rts51x_bulk_transport(us, 0, cmnd, 12,
 
 	retval = rts51x_bulk_transport(us, 0, cmnd, 12,
 
-				       data, len, DMA_TO_DEVICE, NULL);
 
+				       buf, len, DMA_TO_DEVICE, NULL);
 
+	kfree(buf);
 
 	if (retval != USB_STOR_TRANSPORT_GOOD)
 
 	if (retval != USB_STOR_TRANSPORT_GOOD)
 
 		return -EIO;
 
 		return -EIO;
 
 
 
@@ -365,6 +381,11 @@ static int rts51x_read_status(struct us_data *us,
 
 {
 
 {
 
 	int retval;
 
 	int retval;
 
 	u8 cmnd[12] = { 0 };
 
 	u8 cmnd[12] = { 0 };
 
+	u8 *buf;
 
+
 
+	buf = kmalloc(len, GFP_NOIO);
 
+	if (buf == NULL)
 
+		return USB_STOR_TRANSPORT_ERROR;
 
 
 
 	US_DEBUGP("%s, lun = %d\n", __func__, lun);
 
 	US_DEBUGP("%s, lun = %d\n", __func__, lun);
 
 
 
@@ -372,10 +393,14 @@ static int rts51x_read_status(struct us_data *us,
 
 	cmnd[1] = 0x09;
 
 	cmnd[1] = 0x09;
 
 
 
 	retval = rts51x_bulk_transport(us, lun, cmnd, 12,
 
 	retval = rts51x_bulk_transport(us, lun, cmnd, 12,
 
-				       status, len, DMA_FROM_DEVICE, actlen);
 
-	if (retval != USB_STOR_TRANSPORT_GOOD)
 
+				       buf, len, DMA_FROM_DEVICE, actlen);
 
+	if (retval != USB_STOR_TRANSPORT_GOOD) {
 
+		kfree(buf);
 
 		return -EIO;
 
 		return -EIO;
 
+	}
 
 
 
+	memcpy(status, buf, len);
 
+	kfree(buf);
 
 	return 0;
 
 	return 0;
 
 }
 
 }