+++ /dev/null
-From 942a48730faf149ccbf3e12ac718aee120bb3529 Mon Sep 17 00:00:00 2001
-From: Maksim Salau <maksim.salau@gmail.com>
-Date: Tue, 25 Apr 2017 22:49:21 +0300
-Subject: usb: misc: legousbtower: Fix buffers on stack
-
-From: Maksim Salau <maksim.salau@gmail.com>
-
-commit 942a48730faf149ccbf3e12ac718aee120bb3529 upstream.
-
-Allocate buffers on HEAP instead of STACK for local structures
-that are to be received using usb_control_msg().
-
-Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
-Tested-by: Alfredo Rafael Vicente Boix <alviboi@gmail.com>;
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/usb/misc/legousbtower.c | 37 +++++++++++++++++++++++++++----------
- 1 file changed, 27 insertions(+), 10 deletions(-)
-
---- a/drivers/usb/misc/legousbtower.c
-+++ b/drivers/usb/misc/legousbtower.c
-@@ -317,9 +317,16 @@ static int tower_open (struct inode *ino
- int subminor;
- int retval = 0;
- struct usb_interface *interface;
-- struct tower_reset_reply reset_reply;
-+ struct tower_reset_reply *reset_reply;
- int result;
-
-+ reset_reply = kmalloc(sizeof(*reset_reply), GFP_KERNEL);
-+
-+ if (!reset_reply) {
-+ retval = -ENOMEM;
-+ goto exit;
-+ }
-+
- nonseekable_open(inode, file);
- subminor = iminor(inode);
-
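Review bot: Nothing at the new `kmalloc()` in tower_open records why the reply buffer has to live on the heap, so a later cleanup could move it back onto the stack. I would add a comment above the allocation such as `/* usb_control_msg() needs a DMA-capable buffer; stack memory is not guaranteed to be one */`, and the same above the `get_version_reply` allocation in tower_probe. As a style point, the blank line between the `kmalloc()` and its `if (!reset_reply)` check could be dropped so the check reads as part of the allocation. tower_open's body continues outside the hunk.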
-@@ -364,8 +371,8 @@ static int tower_open (struct inode *ino
- USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
- 0,
- 0,
-- &reset_reply,
-- sizeof(reset_reply),
-+ reset_reply,
-+ sizeof(*reset_reply),
- 1000);
- if (result < 0) {
- dev_err(&dev->udev->dev,
-@@ -406,6 +413,7 @@ unlock_exit:
- mutex_unlock(&dev->lock);
-
- exit:
-+ kfree(reset_reply);
- return retval;
- }
-
-@@ -808,7 +816,7 @@ static int tower_probe (struct usb_inter
- struct lego_usb_tower *dev = NULL;
- struct usb_host_interface *iface_desc;
- struct usb_endpoint_descriptor* endpoint;
-- struct tower_get_version_reply get_version_reply;
-+ struct tower_get_version_reply *get_version_reply = NULL;
- int i;
- int retval = -ENOMEM;
- int result;
-@@ -886,6 +894,13 @@ static int tower_probe (struct usb_inter
- dev->interrupt_in_interval = interrupt_in_interval ? interrupt_in_interval : dev->interrupt_in_endpoint->bInterval;
- dev->interrupt_out_interval = interrupt_out_interval ? interrupt_out_interval : dev->interrupt_out_endpoint->bInterval;
-
-+ get_version_reply = kmalloc(sizeof(*get_version_reply), GFP_KERNEL);
-+
-+ if (!get_version_reply) {
-+ retval = -ENOMEM;
-+ goto error;
-+ }
-+
- /* get the firmware version and log it */
- result = usb_control_msg (udev,
- usb_rcvctrlpipe(udev, 0),
-@@ -893,18 +908,19 @@ static int tower_probe (struct usb_inter
- USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
- 0,
- 0,
-- &get_version_reply,
-- sizeof(get_version_reply),
-+ get_version_reply,
-+ sizeof(*get_version_reply),
- 1000);
- if (result < 0) {
- dev_err(idev, "LEGO USB Tower get version control request failed\n");
- retval = result;
- goto error;
- }
-- dev_info(&interface->dev, "LEGO USB Tower firmware version is %d.%d "
-- "build %d\n", get_version_reply.major,
-- get_version_reply.minor,
-- le16_to_cpu(get_version_reply.build_no));
-+ dev_info(&interface->dev,
-+ "LEGO USB Tower firmware version is %d.%d build %d\n",
-+ get_version_reply->major,
-+ get_version_reply->minor,
-+ le16_to_cpu(get_version_reply->build_no));
-
- /* we can register the device now, as it is ready */
- usb_set_intfdata (interface, dev);
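Review bot: A short reply still reaches the `dev_info()` call, because `if (result < 0)` rejects only a failed transfer. The buffer now comes from `kmalloc()`, which does not zero it, so any fields the device did not fill in would be logged as uninitialised heap contents. Comparing against the expected length closes that: `if (result != sizeof(*get_version_reply)) {` with `retval = result < 0 ? result : -EIO;` in the body. The same `result < 0` test guards the reset request in tower_open; whether `reset_reply` is read afterwards is not visible here. tower_probe starts and ends outside the hunk.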
-@@ -928,6 +944,7 @@ exit:
- return retval;
-
- error:
-+ kfree(get_version_reply);
- tower_delete(dev);
- return retval;
- }