usb/mcs7830: Don't use buffers from stack for USB transfers

mcs7830_set_reg() and mcs7830_get_reg() are called with buffers from stack which must not be used directly for USB transfers. This causes corruption of the stack particulary on non x86 architectures because DMA may be used for these transfers. Signed-off-by: Christian Eggers <christian.eggers@kathrein.de> Acked-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net>

usb/mcs7830: Don't use buffers from stack for USB transfers
mcs7830_set_reg() and mcs7830_get_reg() are called with buffers from stack which must not be used directly for USB transfers. This causes corruption of the stack particulary on non x86 architectures because DMA may be used for these transfers. Signed-off-by: Christian Eggers <christian.eggers@kathrein.de> Acked-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net>
Christian Eggers · David S. Miller
1 parent 0b491eee46
Showing 1 changed file with 18 additions and 2 deletions Side-by-side Diff
drivers/net/usb/mcs7830.c
@@ -94,10 +94,18 @@
 {
 	struct usb_device *xdev = dev->udev;
 	int ret;
+	void *buffer;
  
+	buffer = kmalloc(size, GFP_NOIO);
+	if (buffer == NULL)
+		return -ENOMEM;
+
 	ret = usb_control_msg(xdev, usb_rcvctrlpipe(xdev, 0), MCS7830_RD_BREQ,
-			      MCS7830_RD_BMREQ, 0x0000, index, data,
+			      MCS7830_RD_BMREQ, 0x0000, index, buffer,
 			      size, MCS7830_CTRL_TIMEOUT);
+	memcpy(data, buffer, size);
+	kfree(buffer);
+
 	return ret;
 }
  
  
  
  
@@ -105,10 +113,18 @@
 {
 	struct usb_device *xdev = dev->udev;
 	int ret;
+	void *buffer;
  
+	buffer = kmalloc(size, GFP_NOIO);
+	if (buffer == NULL)
+		return -ENOMEM;
+
+	memcpy(buffer, data, size);
+
 	ret = usb_control_msg(xdev, usb_sndctrlpipe(xdev, 0), MCS7830_WR_BREQ,
-			      MCS7830_WR_BMREQ, 0x0000, index, data,
+			      MCS7830_WR_BMREQ, 0x0000, index, buffer,
 			      size, MCS7830_CTRL_TIMEOUT);
+	kfree(buffer);
 	return ret;
 }
...	...	@@ -94,10 +94,18 @@
94	94	{
95	95	struct usb_device *xdev = dev->udev;
96	96	int ret;
	97	+ void *buffer;
97	98
	99	+ buffer = kmalloc(size, GFP_NOIO);
	100	+ if (buffer == NULL)
	101	+ return -ENOMEM;
	102	+
98	103	ret = usb_control_msg(xdev, usb_rcvctrlpipe(xdev, 0), MCS7830_RD_BREQ,
99		- MCS7830_RD_BMREQ, 0x0000, index, data,
	104	+ MCS7830_RD_BMREQ, 0x0000, index, buffer,
100	105	size, MCS7830_CTRL_TIMEOUT);
	106	+ memcpy(data, buffer, size);
	107	+ kfree(buffer);
	108	+
101	109	return ret;
102	110	}
103	111
104	112
105	113
106	114
...	...	@@ -105,10 +113,18 @@
105	113	{
106	114	struct usb_device *xdev = dev->udev;
107	115	int ret;
	116	+ void *buffer;
108	117
	118	+ buffer = kmalloc(size, GFP_NOIO);
	119	+ if (buffer == NULL)
	120	+ return -ENOMEM;
	121	+
	122	+ memcpy(buffer, data, size);
	123	+
109	124	ret = usb_control_msg(xdev, usb_sndctrlpipe(xdev, 0), MCS7830_WR_BREQ,
110		- MCS7830_WR_BMREQ, 0x0000, index, data,
	125	+ MCS7830_WR_BMREQ, 0x0000, index, buffer,
111	126	size, MCS7830_CTRL_TIMEOUT);
	127	+ kfree(buffer);
112	128	return ret;
113	129	}
114	130