From 075eb0dc3670328fa62425449ca4b52bde2d3c17 Mon Sep 17 00:00:00 2001 From: Ksenija Stanojevic Date: Thu, 8 Oct 2015 17:21:49 +0200 Subject: [PATCH] Staging: rtl8192u: Do not DMA on the stack Fix error "doing DMA on the stack" by using kzalloc for buffer allocation. Issue found by smatch. Signed-off-by: Ksenija Stanojevic Reviewed-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8192u/r8192U_core.c | 72 ++++++++++++++++++++++---- 1 file changed, 63 insertions(+), 9 deletions(-) diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c index 28b54babf498..0bae93b1132f 100644 --- a/drivers/staging/rtl8192u/r8192U_core.c +++ b/drivers/staging/rtl8192u/r8192U_core.c @@ -259,10 +259,16 @@ void write_nic_byte_E(struct net_device *dev, int indx, u8 data) int status; struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct usb_device *udev = priv->udev; + u8 *usbdata = kzalloc(sizeof(data), GFP_KERNEL); + + if (!usbdata) + return; + *usbdata = data; status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE, - indx | 0xfe00, 0, &data, 1, HZ / 2); + indx | 0xfe00, 0, usbdata, 1, HZ / 2); + kfree(usbdata); if (status < 0) netdev_err(dev, "write_nic_byte_E TimeOut! status: %d\n", @@ -274,10 +280,16 @@ int read_nic_byte_E(struct net_device *dev, int indx, u8 *data) int status; struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct usb_device *udev = priv->udev; + u8 *usbdata = kzalloc(sizeof(u8), GFP_KERNEL); + + if (!usbdata) + return -ENOMEM; status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), RTL8187_REQ_GET_REGS, RTL8187_REQT_READ, - indx | 0xfe00, 0, data, 1, HZ / 2); + indx | 0xfe00, 0, usbdata, 1, HZ / 2); + *data = *usbdata; + kfree(usbdata); if (status < 0) { netdev_err(dev, "%s failure status: %d\n", __func__, status); 
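Review bot: In write_nic_byte_E the new `if (!usbdata) return;` drops the register write with nothing the caller can observe, because the function is void; the same early return is in write_nic_byte, write_nic_word and write_nic_dword. Whether any caller depends on these writes for device state is not visible in the hunk, so at minimum the check deserves a comment such as `/* register write is dropped on allocation failure; callers cannot see this */`, and a follow-up could give the write helpers an int return like the read helpers. Separately, the buffer is zeroed and then overwritten at once, so `u8 *usbdata = kmemdup(&data, sizeof(data), GFP_KERNEL);` does the allocation and the copy in one step. Passing `sizeof(*usbdata)` instead of the literal `1` would keep the transfer length tied to the buffer size. The function body starts before and continues after the hunk.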
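Review bot: `*data = *usbdata;` in read_nic_byte_E runs before `status` is checked, so after a failed transfer the caller's variable is overwritten with the zero fill from kzalloc instead of being left as it was. usb_control_msg() returns the number of bytes transferred on success and only `status < 0` is treated as failure, so a short read in the 2- and 4-byte helpers would be handed back as a valid register value. The same ordering is in read_nic_byte, read_nic_word, read_nic_word_E and read_nic_dword. Copy out only when the full length arrived and turn a short read into an error, as below with the length adjusted per helper; on kernels that provide usb_control_msg_recv(), that helper handles the bounce buffer and the short-read check itself. The logging and return after `status < 0` are outside what the hunk shows.

```c
	/* … unchanged: usb_control_msg() call reading into usbdata … */
	if (status == 1)
		*data = *usbdata;	/* full-length read only */
	else if (status >= 0)
		status = -EIO;		/* short read: report it, do not copy */
	kfree(usbdata);
	/* … unchanged: status < 0 logging and return … */
```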
@@ -293,11 +305,17 @@ void write_nic_byte(struct net_device *dev, int indx, u8 data) struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct usb_device *udev = priv->udev; + u8 *usbdata = kzalloc(sizeof(data), GFP_KERNEL); + + if (!usbdata) + return; + *usbdata = data; status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, - &data, 1, HZ / 2); + usbdata, 1, HZ / 2); + kfree(usbdata); if (status < 0) netdev_err(dev, "write_nic_byte TimeOut! status: %d\n", status); @@ -313,11 +331,17 @@ void write_nic_word(struct net_device *dev, int indx, u16 data) struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct usb_device *udev = priv->udev; + u16 *usbdata = kzalloc(sizeof(data), GFP_KERNEL); + + if (!usbdata) + return; + *usbdata = data; status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, - &data, 2, HZ / 2); + usbdata, 2, HZ / 2); + kfree(usbdata); if (status < 0) netdev_err(dev, "write_nic_word TimeOut! status: %d\n", status); @@ -332,11 +356,17 @@ void write_nic_dword(struct net_device *dev, int indx, u32 data) struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct usb_device *udev = priv->udev; + u32 *usbdata = kzalloc(sizeof(data), GFP_KERNEL); + + if (!usbdata) + return; + *usbdata = data; status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, - &data, 4, HZ / 2); + usbdata, 4, HZ / 2); + kfree(usbdata); if (status < 0) 
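Review bot: `*usbdata = data;` in write_nic_word puts the 16-bit value into the transfer buffer in host byte order, which carries over what the old `&data` did. If the device registers are little-endian, as is usual for USB devices but not shown in this hunk, a big-endian host will send swapped values; declaring the buffer `__le16 *usbdata` and filling it with `*usbdata = cpu_to_le16(data);` makes the wire format explicit and lets sparse check it. The same applies to write_nic_dword with `cpu_to_le32()`, and to the copy-out in read_nic_word, read_nic_word_E and read_nic_dword with `le16_to_cpu()` / `le32_to_cpu()`.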
@@ -352,11 +382,17 @@ int read_nic_byte(struct net_device *dev, int indx, u8 *data) int status; struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct usb_device *udev = priv->udev; + u8 *usbdata = kzalloc(sizeof(u8), GFP_KERNEL); + + if (!usbdata) + return -ENOMEM; status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), RTL8187_REQ_GET_REGS, RTL8187_REQT_READ, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, - data, 1, HZ / 2); + usbdata, 1, HZ / 2); + *data = *usbdata; + kfree(usbdata); if (status < 0) { netdev_err(dev, "%s failure status: %d\n", __func__, status); @@ -373,11 +409,17 @@ int read_nic_word(struct net_device *dev, int indx, u16 *data) int status; struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct usb_device *udev = priv->udev; + u16 *usbdata = kzalloc(sizeof(u16), GFP_KERNEL); + + if (!usbdata) + return -ENOMEM; status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), RTL8187_REQ_GET_REGS, RTL8187_REQT_READ, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, - data, 2, HZ / 2); + usbdata, 2, HZ / 2); + *data = *usbdata; + kfree(usbdata); if (status < 0) { netdev_err(dev, "%s failure status: %d\n", __func__, status); @@ -392,10 +434,16 @@ static int read_nic_word_E(struct net_device *dev, int indx, u16 *data) int status; struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct usb_device *udev = priv->udev; + u16 *usbdata = kzalloc(sizeof(u16), GFP_KERNEL); + + if (!usbdata) + return -ENOMEM; status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), RTL8187_REQ_GET_REGS, RTL8187_REQT_READ, - indx | 0xfe00, 0, data, 2, HZ / 2); + indx | 0xfe00, 0, usbdata, 2, HZ / 2); + *data = *usbdata; + kfree(usbdata); if (status < 0) { netdev_err(dev, "%s failure status: %d\n", __func__, status); 
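Review bot: read_nic_byte repeats the allocate, transfer, copy-out and free sequence already added to read_nic_byte_E, and read_nic_word, read_nic_word_E and read_nic_dword repeat it again with only the width and the value/index arguments changed. One `static int` helper that takes the value, index, destination pointer and length, and owns the allocation, the usb_control_msg() call and the kfree(), would keep the buffer lifetime and error handling in one place and reduce each read_nic_* function to a single call. The four write helpers could share a matching helper. The function bodies extend outside the hunks, so the return paths would need checking when doing this.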
@@ -411,11 +459,17 @@ int read_nic_dword(struct net_device *dev, int indx, u32 *data) struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct usb_device *udev = priv->udev; + u32 *usbdata = kzalloc(sizeof(u32), GFP_KERNEL); + + if (!usbdata) + return -ENOMEM; status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), RTL8187_REQ_GET_REGS, RTL8187_REQT_READ, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, - data, 4, HZ / 2); + usbdata, 4, HZ / 2); + *data = *usbdata; + kfree(usbdata); if (status < 0) { netdev_err(dev, "%s failure status: %d\n", __func__, status); -- 2.34.1