Commit 075eb0dc authored by Ksenija Stanojevic's avatar Ksenija Stanojevic Committed by Greg Kroah-Hartman

Staging: rtl8192u: Do not DMA on the stack

Fix error "doing DMA on the stack" by using kzalloc for buffer
allocation.
Issue found by smatch.
Signed-off-by: default avatarKsenija Stanojevic <ksenija.stanojevic@gmail.com>
Reviewed-by: default avatarArnd Bergmann <arnd@arndb.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 806e6e1b
...@@ -259,10 +259,16 @@ void write_nic_byte_E(struct net_device *dev, int indx, u8 data) ...@@ -259,10 +259,16 @@ void write_nic_byte_E(struct net_device *dev, int indx, u8 data)
int status; int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev; struct usb_device *udev = priv->udev;
u8 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
if (!usbdata)
return;
*usbdata = data;
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE, RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
indx | 0xfe00, 0, &data, 1, HZ / 2); indx | 0xfe00, 0, usbdata, 1, HZ / 2);
kfree(usbdata);
if (status < 0) if (status < 0)
netdev_err(dev, "write_nic_byte_E TimeOut! status: %d\n", netdev_err(dev, "write_nic_byte_E TimeOut! status: %d\n",
...@@ -274,10 +280,16 @@ int read_nic_byte_E(struct net_device *dev, int indx, u8 *data) ...@@ -274,10 +280,16 @@ int read_nic_byte_E(struct net_device *dev, int indx, u8 *data)
int status; int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev; struct usb_device *udev = priv->udev;
u8 *usbdata = kzalloc(sizeof(u8), GFP_KERNEL);
if (!usbdata)
return -ENOMEM;
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ, RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
indx | 0xfe00, 0, data, 1, HZ / 2); indx | 0xfe00, 0, usbdata, 1, HZ / 2);
*data = *usbdata;
kfree(usbdata);
if (status < 0) { if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status); netdev_err(dev, "%s failure status: %d\n", __func__, status);
...@@ -293,11 +305,17 @@ void write_nic_byte(struct net_device *dev, int indx, u8 data) ...@@ -293,11 +305,17 @@ void write_nic_byte(struct net_device *dev, int indx, u8 data)
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev; struct usb_device *udev = priv->udev;
u8 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
if (!usbdata)
return;
*usbdata = data;
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE, RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
&data, 1, HZ / 2); usbdata, 1, HZ / 2);
kfree(usbdata);
if (status < 0) if (status < 0)
netdev_err(dev, "write_nic_byte TimeOut! status: %d\n", status); netdev_err(dev, "write_nic_byte TimeOut! status: %d\n", status);
...@@ -313,11 +331,17 @@ void write_nic_word(struct net_device *dev, int indx, u16 data) ...@@ -313,11 +331,17 @@ void write_nic_word(struct net_device *dev, int indx, u16 data)
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev; struct usb_device *udev = priv->udev;
u16 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
if (!usbdata)
return;
*usbdata = data;
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE, RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
&data, 2, HZ / 2); usbdata, 2, HZ / 2);
kfree(usbdata);
if (status < 0) if (status < 0)
netdev_err(dev, "write_nic_word TimeOut! status: %d\n", status); netdev_err(dev, "write_nic_word TimeOut! status: %d\n", status);
...@@ -332,11 +356,17 @@ void write_nic_dword(struct net_device *dev, int indx, u32 data) ...@@ -332,11 +356,17 @@ void write_nic_dword(struct net_device *dev, int indx, u32 data)
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev; struct usb_device *udev = priv->udev;
u32 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
if (!usbdata)
return;
*usbdata = data;
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE, RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
&data, 4, HZ / 2); usbdata, 4, HZ / 2);
kfree(usbdata);
if (status < 0) if (status < 0)
...@@ -352,11 +382,17 @@ int read_nic_byte(struct net_device *dev, int indx, u8 *data) ...@@ -352,11 +382,17 @@ int read_nic_byte(struct net_device *dev, int indx, u8 *data)
int status; int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev; struct usb_device *udev = priv->udev;
u8 *usbdata = kzalloc(sizeof(u8), GFP_KERNEL);
if (!usbdata)
return -ENOMEM;
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ, RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
data, 1, HZ / 2); usbdata, 1, HZ / 2);
*data = *usbdata;
kfree(usbdata);
if (status < 0) { if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status); netdev_err(dev, "%s failure status: %d\n", __func__, status);
...@@ -373,11 +409,17 @@ int read_nic_word(struct net_device *dev, int indx, u16 *data) ...@@ -373,11 +409,17 @@ int read_nic_word(struct net_device *dev, int indx, u16 *data)
int status; int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev; struct usb_device *udev = priv->udev;
u16 *usbdata = kzalloc(sizeof(u16), GFP_KERNEL);
if (!usbdata)
return -ENOMEM;
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ, RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
data, 2, HZ / 2); usbdata, 2, HZ / 2);
*data = *usbdata;
kfree(usbdata);
if (status < 0) { if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status); netdev_err(dev, "%s failure status: %d\n", __func__, status);
...@@ -392,10 +434,16 @@ static int read_nic_word_E(struct net_device *dev, int indx, u16 *data) ...@@ -392,10 +434,16 @@ static int read_nic_word_E(struct net_device *dev, int indx, u16 *data)
int status; int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev; struct usb_device *udev = priv->udev;
u16 *usbdata = kzalloc(sizeof(u16), GFP_KERNEL);
if (!usbdata)
return -ENOMEM;
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ, RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
indx | 0xfe00, 0, data, 2, HZ / 2); indx | 0xfe00, 0, usbdata, 2, HZ / 2);
*data = *usbdata;
kfree(usbdata);
if (status < 0) { if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status); netdev_err(dev, "%s failure status: %d\n", __func__, status);
...@@ -411,11 +459,17 @@ int read_nic_dword(struct net_device *dev, int indx, u32 *data) ...@@ -411,11 +459,17 @@ int read_nic_dword(struct net_device *dev, int indx, u32 *data)
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev); struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev; struct usb_device *udev = priv->udev;
u32 *usbdata = kzalloc(sizeof(u32), GFP_KERNEL);
if (!usbdata)
return -ENOMEM;
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ, RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f, (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
data, 4, HZ / 2); usbdata, 4, HZ / 2);
*data = *usbdata;
kfree(usbdata);
if (status < 0) { if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status); netdev_err(dev, "%s failure status: %d\n", __func__, status);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment