Commit be570e55 authored by Ben Hutchings's avatar Ben Hutchings Committed by Greg Kroah-Hartman

pegasus: Use heap buffers for all register access

commit 5593523f upstream.

Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
References: https://bugs.debian.org/852556
Reported-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Tested-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Brad Spengler <spender@grsecurity.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent eb526765
...@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb) ...@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb)
static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data) static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
{ {
u8 *buf;
int ret; int ret;
buf = kmalloc(size, GFP_NOIO);
if (!buf)
return -ENOMEM;
ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0), ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0),
PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0, PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0,
indx, data, size, 1000); indx, buf, size, 1000);
if (ret < 0) if (ret < 0)
netif_dbg(pegasus, drv, pegasus->net, netif_dbg(pegasus, drv, pegasus->net,
"%s returned %d\n", __func__, ret); "%s returned %d\n", __func__, ret);
else if (ret <= size)
memcpy(data, buf, ret);
kfree(buf);
return ret; return ret;
} }
static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data) static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size,
const void *data)
{ {
u8 *buf;
int ret; int ret;
buf = kmemdup(data, size, GFP_NOIO);
if (!buf)
return -ENOMEM;
ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0), ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0, PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0,
indx, data, size, 100); indx, buf, size, 100);
if (ret < 0) if (ret < 0)
netif_dbg(pegasus, drv, pegasus->net, netif_dbg(pegasus, drv, pegasus->net,
"%s returned %d\n", __func__, ret); "%s returned %d\n", __func__, ret);
kfree(buf);
return ret; return ret;
} }
static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data) static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data)
{ {
u8 *buf;
int ret; int ret;
buf = kmemdup(&data, 1, GFP_NOIO);
if (!buf)
return -ENOMEM;
ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0), ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data, PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data,
indx, &data, 1, 1000); indx, buf, 1, 1000);
if (ret < 0) if (ret < 0)
netif_dbg(pegasus, drv, pegasus->net, netif_dbg(pegasus, drv, pegasus->net,
"%s returned %d\n", __func__, ret); "%s returned %d\n", __func__, ret);
kfree(buf);
return ret; return ret;
} }
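Review bot: In get_registers() a short transfer (0 <= ret < size) copies only `ret` bytes into `data` and still returns a non-negative value, so the tail of the caller's buffer keeps whatever it held before the call. The callers are outside this hunk; any that only test `ret < 0`, or ignore the return value, would then act on stale bytes from their own stack as if they were register contents read from the device. If no caller relies on partial reads, I would make the short case an explicit error, e.g. `else if (ret == size) memcpy(data, buf, size); else ret = -EIO;`, or at least add a comment above the memcpy stating that `data` is only valid for the first `ret` bytes. The `ret > size` case also returns a positive value without filling `data`, which the same change would cover.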