--- /dev/null
+From 4cc948b94a222c310ae089c36718aac7a03aec90 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 13 Nov 2013 15:25:35 -0500
+Subject: drm/radeon/vm: don't attempt to update ptes if ib allocation fails
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 4cc948b94a222c310ae089c36718aac7a03aec90 upstream.
+
+If we fail to allocate an indirect buffer (ib) when updating
+the ptes, return an error instead of trying to use the ib.
+Avoids a null pointer dereference.
+
+Bug:
+https://bugzilla.kernel.org/show_bug.cgi?id=58621
+
+v2 (chk): rebased on drm-fixes-3.12 for stable inclusion
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_gart.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_gart.c
++++ b/drivers/gpu/drm/radeon/radeon_gart.c
+@@ -1156,6 +1156,8 @@ int radeon_vm_bo_update_pte(struct radeo
+ return -ENOMEM;
+
+ r = radeon_ib_get(rdev, ridx, &ib, NULL, ndw * 4);
++ if (r)
++ return r;
+ ib.length_dw = 0;
+
+ r = radeon_vm_update_pdes(rdev, vm, &ib, bo_va->soffset, bo_va->eoffset);
--- /dev/null
+From 65e2f1cb3fe0f0630834b9517ba8f631936f325c Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 07:52:04 -0300
+Subject: media: af9015: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 65e2f1cb3fe0f0630834b9517ba8f631936f325c upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/usb/dvb-usb-v2/af9015.c:433:1: warning: 'af9015_eeprom_hash' uses dynamic stack allocation [enabled by default]
+In this specific case, it is a gcc bug, as the size is a const, but
+it is easy to just change it from const to a #define, getting rid of
+the gcc warning.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Reviewed-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb-v2/af9015.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/af9015.c
++++ b/drivers/media/usb/dvb-usb-v2/af9015.c
+@@ -397,12 +397,13 @@ error:
+ return ret;
+ }
+
++#define AF9015_EEPROM_SIZE 256
++
+ /* hash (and dump) eeprom */
+ static int af9015_eeprom_hash(struct dvb_usb_device *d)
+ {
+ struct af9015_state *state = d_to_priv(d);
+ int ret, i;
+- static const unsigned int AF9015_EEPROM_SIZE = 256;
+ u8 buf[AF9015_EEPROM_SIZE];
+ struct req_t req = {READ_I2C, AF9015_I2C_EEPROM, 0, 0, 1, 1, NULL};
+
--- /dev/null
+From 7760e148350bf6df95662bc0db3734e9d991cb03 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 08:07:12 -0300
+Subject: media: af9035: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 7760e148350bf6df95662bc0db3734e9d991cb03 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/usb/dvb-usb-v2/af9035.c:142:1: warning: 'af9035_wr_regs' uses dynamic stack allocation [enabled by default]
+ drivers/media/usb/dvb-usb-v2/af9035.c:305:1: warning: 'af9035_i2c_master_xfer' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer to be the max size of
+a control URB payload data (64 bytes).
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Reviewed-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb-v2/af9035.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/af9035.c
++++ b/drivers/media/usb/dvb-usb-v2/af9035.c
+@@ -21,6 +21,9 @@
+
+ #include "af9035.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr);
+
+ static u16 af9035_checksum(const u8 *buf, size_t len)
+@@ -126,10 +129,16 @@ exit:
+ /* write multiple registers */
+ static int af9035_wr_regs(struct dvb_usb_device *d, u32 reg, u8 *val, int len)
+ {
+- u8 wbuf[6 + len];
++ u8 wbuf[MAX_XFER_SIZE];
+ u8 mbox = (reg >> 16) & 0xff;
+ struct usb_req req = { CMD_MEM_WR, mbox, sizeof(wbuf), wbuf, 0, NULL };
+
++ if (6 + len > sizeof(wbuf)) {
++ dev_warn(&d->udev->dev, "%s: i2c wr: len=%d is too big!\n",
++ KBUILD_MODNAME, len);
++ return -EOPNOTSUPP;
++ }
++
+ wbuf[0] = len;
+ wbuf[1] = 2;
+ wbuf[2] = 0;
+@@ -228,9 +237,16 @@ static int af9035_i2c_master_xfer(struct
+ msg[1].len);
+ } else {
+ /* I2C */
+- u8 buf[5 + msg[0].len];
++ u8 buf[MAX_XFER_SIZE];
+ struct usb_req req = { CMD_I2C_RD, 0, sizeof(buf),
+ buf, msg[1].len, msg[1].buf };
++
++ if (5 + msg[0].len > sizeof(buf)) {
++ dev_warn(&d->udev->dev,
++ "%s: i2c xfer: len=%d is too big!\n",
++ KBUILD_MODNAME, msg[0].len);
++ return -EOPNOTSUPP;
++ }
+ req.mbox |= ((msg[0].addr & 0x80) >> 3);
+ buf[0] = msg[1].len;
+ buf[1] = msg[0].addr << 1;
+@@ -257,9 +273,16 @@ static int af9035_i2c_master_xfer(struct
+ msg[0].len - 3);
+ } else {
+ /* I2C */
+- u8 buf[5 + msg[0].len];
++ u8 buf[MAX_XFER_SIZE];
+ struct usb_req req = { CMD_I2C_WR, 0, sizeof(buf), buf,
+ 0, NULL };
++
++ if (5 + msg[0].len > sizeof(buf)) {
++ dev_warn(&d->udev->dev,
++ "%s: i2c xfer: len=%d is too big!\n",
++ KBUILD_MODNAME, msg[0].len);
++ return -EOPNOTSUPP;
++ }
+ req.mbox |= ((msg[0].addr & 0x80) >> 3);
+ buf[0] = msg[0].len;
+ buf[1] = msg[0].addr << 1;
--- /dev/null
+From 5bf30b3bc4ff80ef71a733a1f459cca4fa507892 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 05:51:59 -0300
+Subject: media: av7110_hw: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 5bf30b3bc4ff80ef71a733a1f459cca4fa507892 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/pci/ttpci/av7110_hw.c:510:1: warning: 'av7110_fw_cmd' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer.
+In the specific case of this driver, the maximum fw command size
+is 6 + 2, as checked using:
+ $ git grep -A1 av7110_fw_cmd drivers/media/pci/ttpci/
+So, use 8 for the buffer size.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/pci/ttpci/av7110_hw.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/pci/ttpci/av7110_hw.c
++++ b/drivers/media/pci/ttpci/av7110_hw.c
+@@ -22,7 +22,7 @@
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * Or, point your browser to http://www.gnu.org/copyleft/gpl.html
+ *
+- * the project's page is at http://www.linuxtv.org/
++ * the project's page is at http://www.linuxtv.org/
+ */
+
+ /* for debugging ARM communication: */
+@@ -40,6 +40,14 @@
+
+ #define _NOHANDSHAKE
+
++/*
++ * Max transfer size done by av7110_fw_cmd()
++ *
++ * The maximum size passed to this function is 6 bytes. The buffer also
++ * uses two additional ones for type and size. So, 8 bytes is enough.
++ */
++#define MAX_XFER_SIZE 8
++
+ /****************************************************************************
+ * DEBI functions
+ ****************************************************************************/
+@@ -488,11 +496,18 @@ static int av7110_send_fw_cmd(struct av7
+ int av7110_fw_cmd(struct av7110 *av7110, int type, int com, int num, ...)
+ {
+ va_list args;
+- u16 buf[num + 2];
++ u16 buf[MAX_XFER_SIZE];
+ int i, ret;
+
+ // dprintk(4, "%p\n", av7110);
+
++ if (2 + num > sizeof(buf)) {
++ printk(KERN_WARNING
++ "%s: %s len=%d is too big!\n",
++ KBUILD_MODNAME, __func__, num);
++ return -EINVAL;
++ }
++
+ buf[0] = ((type << 8) | com);
+ buf[1] = num;
+
--- /dev/null
+From 278ba83a3a1932805be726bdd7dfb3156286d33a Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 06:17:47 -0300
+Subject: media: cimax2: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 278ba83a3a1932805be726bdd7dfb3156286d33a upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/pci/cx23885/cimax2.c:149:1: warning: 'netup_write_i2c' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer. Considering that I2C
+transfers are generally limited, and that devices used on USB has a
+max data length of 64 bytes for the control URBs.
+So, it seem safe to use 64 bytes as the hard limit for all those devices.
+On most cases, the limit is a way lower than that, but this limit
+is small enough to not affect the Kernel stack, and it is a no brain
+limit, as using smaller ones would require to either carefully each
+driver or to take a look on each datasheet.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/pci/cx23885/cimax2.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/pci/cx23885/cimax2.c
++++ b/drivers/media/pci/cx23885/cimax2.c
+@@ -26,6 +26,10 @@
+ #include "cx23885.h"
+ #include "cimax2.h"
+ #include "dvb_ca_en50221.h"
++
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ /**** Bit definitions for MC417_RWD and MC417_OEN registers ***
+ bits 31-16
+ +-----------+
+@@ -125,7 +129,7 @@ static int netup_write_i2c(struct i2c_ad
+ u8 *buf, int len)
+ {
+ int ret;
+- u8 buffer[len + 1];
++ u8 buffer[MAX_XFER_SIZE];
+
+ struct i2c_msg msg = {
+ .addr = addr,
+@@ -134,6 +138,13 @@ static int netup_write_i2c(struct i2c_ad
+ .len = len + 1
+ };
+
++ if (1 + len > sizeof(buffer)) {
++ printk(KERN_WARNING
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ buffer[0] = reg;
+ memcpy(&buffer[1], buf, len);
+
--- /dev/null
+From 1d212cf0c2d89adf3d0a6d62d729076f49f087dc Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Fri, 1 Nov 2013 13:09:47 -0300
+Subject: media: cx18: struct i2c_client is too big for stack
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 1d212cf0c2d89adf3d0a6d62d729076f49f087dc upstream.
+
+ drivers/media/pci/cx18/cx18-driver.c: In function 'cx18_read_eeprom':
+ drivers/media/pci/cx18/cx18-driver.c:357:1: warning: the frame size of 1072 bytes is larger than 1024 bytes [-Wframe-larger-than=]
+That happens because the routine allocates 256 bytes for an eeprom buffer, plus
+the size of struct i2c_client, with is big.
+Change the logic to dynamically allocate/deallocate space for struct i2c_client,
+instead of using the stack.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/pci/cx18/cx18-driver.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/pci/cx18/cx18-driver.c
++++ b/drivers/media/pci/cx18/cx18-driver.c
+@@ -324,23 +324,24 @@ static void cx18_eeprom_dump(struct cx18
+ /* Hauppauge card? get values from tveeprom */
+ void cx18_read_eeprom(struct cx18 *cx, struct tveeprom *tv)
+ {
+- struct i2c_client c;
++ struct i2c_client *c;
+ u8 eedata[256];
+
+- memset(&c, 0, sizeof(c));
+- strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
+- c.adapter = &cx->i2c_adap[0];
+- c.addr = 0xA0 >> 1;
++ c = kzalloc(sizeof(*c), GFP_KERNEL);
++
++ strlcpy(c->name, "cx18 tveeprom tmp", sizeof(c->name));
++ c->adapter = &cx->i2c_adap[0];
++ c->addr = 0xa0 >> 1;
+
+ memset(tv, 0, sizeof(*tv));
+- if (tveeprom_read(&c, eedata, sizeof(eedata)))
+- return;
++ if (tveeprom_read(c, eedata, sizeof(eedata)))
++ goto ret;
+
+ switch (cx->card->type) {
+ case CX18_CARD_HVR_1600_ESMT:
+ case CX18_CARD_HVR_1600_SAMSUNG:
+ case CX18_CARD_HVR_1600_S5H1411:
+- tveeprom_hauppauge_analog(&c, tv, eedata);
++ tveeprom_hauppauge_analog(c, tv, eedata);
+ break;
+ case CX18_CARD_YUAN_MPC718:
+ case CX18_CARD_GOTVIEW_PCI_DVD3:
+@@ -354,6 +355,9 @@ void cx18_read_eeprom(struct cx18 *cx, s
+ cx18_eeprom_dump(cx, eedata, sizeof(eedata));
+ break;
+ }
++
++ret:
++ kfree(c);
+ }
+
+ static void cx18_process_eeprom(struct cx18 *cx)
--- /dev/null
+From 64f7ef8afbf89f3c72c4d2472e4914ca198c0668 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 07:18:09 -0300
+Subject: media: cxusb: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 64f7ef8afbf89f3c72c4d2472e4914ca198c0668 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/usb/dvb-usb/cxusb.c:209:1: warning: 'cxusb_i2c_xfer' uses dynamic stack allocation [enabled by default]
+ drivers/media/usb/dvb-usb/cxusb.c:69:1: warning: 'cxusb_ctrl_msg' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer to be the max size of
+a control URB payload data (64 bytes).
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 41 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 37 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -43,6 +43,9 @@
+ #include "lgs8gxx.h"
+ #include "atbm8830.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ /* debug */
+ static int dvb_usb_cxusb_debug;
+ module_param_named(debug, dvb_usb_cxusb_debug, int, 0644);
+@@ -57,7 +60,14 @@ static int cxusb_ctrl_msg(struct dvb_usb
+ u8 cmd, u8 *wbuf, int wlen, u8 *rbuf, int rlen)
+ {
+ int wo = (rbuf == NULL || rlen == 0); /* write-only */
+- u8 sndbuf[1+wlen];
++ u8 sndbuf[MAX_XFER_SIZE];
++
++ if (1 + wlen > sizeof(sndbuf)) {
++ warn("i2c wr: len=%d is too big!\n",
++ wlen);
++ return -EOPNOTSUPP;
++ }
++
+ memset(sndbuf, 0, 1+wlen);
+
+ sndbuf[0] = cmd;
+@@ -158,7 +168,13 @@ static int cxusb_i2c_xfer(struct i2c_ada
+
+ if (msg[i].flags & I2C_M_RD) {
+ /* read only */
+- u8 obuf[3], ibuf[1+msg[i].len];
++ u8 obuf[3], ibuf[MAX_XFER_SIZE];
++
++ if (1 + msg[i].len > sizeof(ibuf)) {
++ warn("i2c rd: len=%d is too big!\n",
++ msg[i].len);
++ return -EOPNOTSUPP;
++ }
+ obuf[0] = 0;
+ obuf[1] = msg[i].len;
+ obuf[2] = msg[i].addr;
+@@ -172,7 +188,18 @@ static int cxusb_i2c_xfer(struct i2c_ada
+ } else if (i+1 < num && (msg[i+1].flags & I2C_M_RD) &&
+ msg[i].addr == msg[i+1].addr) {
+ /* write to then read from same address */
+- u8 obuf[3+msg[i].len], ibuf[1+msg[i+1].len];
++ u8 obuf[MAX_XFER_SIZE], ibuf[MAX_XFER_SIZE];
++
++ if (3 + msg[i].len > sizeof(obuf)) {
++ warn("i2c wr: len=%d is too big!\n",
++ msg[i].len);
++ return -EOPNOTSUPP;
++ }
++ if (1 + msg[i + 1].len > sizeof(ibuf)) {
++ warn("i2c rd: len=%d is too big!\n",
++ msg[i + 1].len);
++ return -EOPNOTSUPP;
++ }
+ obuf[0] = msg[i].len;
+ obuf[1] = msg[i+1].len;
+ obuf[2] = msg[i].addr;
+@@ -191,7 +218,13 @@ static int cxusb_i2c_xfer(struct i2c_ada
+ i++;
+ } else {
+ /* write only */
+- u8 obuf[2+msg[i].len], ibuf;
++ u8 obuf[MAX_XFER_SIZE], ibuf;
++
++ if (2 + msg[i].len > sizeof(obuf)) {
++ warn("i2c wr: len=%d is too big!\n",
++ msg[i].len);
++ return -EOPNOTSUPP;
++ }
+ obuf[0] = msg[i].addr;
+ obuf[1] = msg[i].len;
+ memcpy(&obuf[2], msg[i].buf, msg[i].len);
--- /dev/null
+From 1d7fa359d4c0fbb2756fa01cc47212908d90b7b0 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 07:23:49 -0300
+Subject: media: dibusb-common: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 1d7fa359d4c0fbb2756fa01cc47212908d90b7b0 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/usb/dvb-usb/dibusb-common.c:124:1: warning: 'dibusb_i2c_msg' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer to be the max size of
+a control URB payload data (64 bytes).
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dibusb-common.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/dibusb-common.c
++++ b/drivers/media/usb/dvb-usb/dibusb-common.c
+@@ -12,6 +12,9 @@
+ #include <linux/kconfig.h>
+ #include "dibusb.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ static int debug;
+ module_param(debug, int, 0644);
+ MODULE_PARM_DESC(debug, "set debugging level (1=info (|-able))." DVB_USB_DEBUG_STATUS);
+@@ -105,11 +108,16 @@ EXPORT_SYMBOL(dibusb2_0_power_ctrl);
+ static int dibusb_i2c_msg(struct dvb_usb_device *d, u8 addr,
+ u8 *wbuf, u16 wlen, u8 *rbuf, u16 rlen)
+ {
+- u8 sndbuf[wlen+4]; /* lead(1) devaddr,direction(1) addr(2) data(wlen) (len(2) (when reading)) */
++ u8 sndbuf[MAX_XFER_SIZE]; /* lead(1) devaddr,direction(1) addr(2) data(wlen) (len(2) (when reading)) */
+ /* write only ? */
+ int wo = (rbuf == NULL || rlen == 0),
+ len = 2 + wlen + (wo ? 0 : 2);
+
++ if (4 + wlen > sizeof(sndbuf)) {
++ warn("i2c wr: len=%d is too big!\n", wlen);
++ return -EOPNOTSUPP;
++ }
++
+ sndbuf[0] = wo ? DIBUSB_REQ_I2C_WRITE : DIBUSB_REQ_I2C_READ;
+ sndbuf[1] = (addr << 1) | (wo ? 0 : 1);
+
--- /dev/null
+From 8393796dfa4cf5dffcceec464c7789bec3a2f471 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 05:05:18 -0300
+Subject: media: dvb-frontends: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 8393796dfa4cf5dffcceec464c7789bec3a2f471 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/dvb-frontends/bcm3510.c:230:1: warning: 'bcm3510_do_hab_cmd' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/itd1000.c:69:1: warning: 'itd1000_write_regs.constprop.0' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/mt312.c:126:1: warning: 'mt312_write' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/nxt200x.c:111:1: warning: 'nxt200x_writebytes' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/stb6100.c:216:1: warning: 'stb6100_write_reg_range.constprop.3' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/stv6110.c:98:1: warning: 'stv6110_write_regs' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/stv6110x.c:85:1: warning: 'stv6110x_write_regs' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/tda18271c2dd.c:147:1: warning: 'WriteRegs' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/zl10039.c:119:1: warning: 'zl10039_write' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer. Considering that I2C
+transfers are generally limited, and that devices used on USB has a
+max data length of 64 bytes for the control URBs.
+So, it seem safe to use 64 bytes as the hard limit for all those devices.
+ On most cases, the limit is a way lower than that, but this limit
+is small enough to not affect the Kernel stack, and it is a no brain
+limit, as using smaller ones would require to either carefully each
+driver or to take a look on each datasheet.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/bcm3510.c | 15 ++++++++++++++-
+ drivers/media/dvb-frontends/itd1000.c | 13 ++++++++++++-
+ drivers/media/dvb-frontends/mt312.c | 10 +++++++++-
+ drivers/media/dvb-frontends/nxt200x.c | 11 ++++++++++-
+ drivers/media/dvb-frontends/stb6100.c | 11 ++++++++++-
+ drivers/media/dvb-frontends/stv6110.c | 12 +++++++++++-
+ drivers/media/dvb-frontends/stv6110x.c | 13 ++++++++++++-
+ drivers/media/dvb-frontends/tda18271c2dd.c | 14 ++++++++++++--
+ drivers/media/dvb-frontends/zl10039.c | 12 +++++++++++-
+ 9 files changed, 101 insertions(+), 10 deletions(-)
+
+--- a/drivers/media/dvb-frontends/bcm3510.c
++++ b/drivers/media/dvb-frontends/bcm3510.c
+@@ -44,6 +44,9 @@
+ #include "bcm3510.h"
+ #include "bcm3510_priv.h"
+
++/* Max transfer size done by bcm3510_do_hab_cmd() function */
++#define MAX_XFER_SIZE 128
++
+ struct bcm3510_state {
+
+ struct i2c_adapter* i2c;
+@@ -201,9 +204,19 @@ static int bcm3510_hab_send_request(stru
+
+ static int bcm3510_do_hab_cmd(struct bcm3510_state *st, u8 cmd, u8 msgid, u8 *obuf, u8 olen, u8 *ibuf, u8 ilen)
+ {
+- u8 ob[olen+2],ib[ilen+2];
++ u8 ob[MAX_XFER_SIZE], ib[MAX_XFER_SIZE];
+ int ret = 0;
+
++ if (ilen + 2 > sizeof(ib)) {
++ deb_hab("do_hab_cmd: ilen=%d is too big!\n", ilen);
++ return -EINVAL;
++ }
++
++ if (olen + 2 > sizeof(ob)) {
++ deb_hab("do_hab_cmd: olen=%d is too big!\n", olen);
++ return -EINVAL;
++ }
++
+ ob[0] = cmd;
+ ob[1] = msgid;
+ memcpy(&ob[2],obuf,olen);
+--- a/drivers/media/dvb-frontends/itd1000.c
++++ b/drivers/media/dvb-frontends/itd1000.c
+@@ -31,6 +31,9 @@
+ #include "itd1000.h"
+ #include "itd1000_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ static int debug;
+ module_param(debug, int, 0644);
+ MODULE_PARM_DESC(debug, "Turn on/off debugging (default:off).");
+@@ -52,10 +55,18 @@ MODULE_PARM_DESC(debug, "Turn on/off deb
+ /* don't write more than one byte with flexcop behind */
+ static int itd1000_write_regs(struct itd1000_state *state, u8 reg, u8 v[], u8 len)
+ {
+- u8 buf[1+len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg = {
+ .addr = state->cfg->i2c_address, .flags = 0, .buf = buf, .len = len+1
+ };
++
++ if (1 + len > sizeof(buf)) {
++ printk(KERN_WARNING
++ "itd1000: i2c wr reg=%04x: len=%d is too big!\n",
++ reg, len);
++ return -EINVAL;
++ }
++
+ buf[0] = reg;
+ memcpy(&buf[1], v, len);
+
+--- a/drivers/media/dvb-frontends/mt312.c
++++ b/drivers/media/dvb-frontends/mt312.c
+@@ -36,6 +36,8 @@
+ #include "mt312_priv.h"
+ #include "mt312.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
+
+ struct mt312_state {
+ struct i2c_adapter *i2c;
+@@ -96,9 +98,15 @@ static int mt312_write(struct mt312_stat
+ const u8 *src, const size_t count)
+ {
+ int ret;
+- u8 buf[count + 1];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg;
+
++ if (1 + count > sizeof(buf)) {
++ printk(KERN_WARNING
++ "mt312: write: len=%zd is too big!\n", count);
++ return -EINVAL;
++ }
++
+ if (debug) {
+ int i;
+ dprintk("W(%d):", reg & 0x7f);
+--- a/drivers/media/dvb-frontends/nxt200x.c
++++ b/drivers/media/dvb-frontends/nxt200x.c
+@@ -39,6 +39,9 @@
+ */
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ #define NXT2002_DEFAULT_FIRMWARE "dvb-fe-nxt2002.fw"
+ #define NXT2004_DEFAULT_FIRMWARE "dvb-fe-nxt2004.fw"
+ #define CRC_CCIT_MASK 0x1021
+@@ -95,10 +98,16 @@ static int i2c_readbytes(struct nxt200x_
+ static int nxt200x_writebytes (struct nxt200x_state* state, u8 reg,
+ const u8 *buf, u8 len)
+ {
+- u8 buf2 [len+1];
++ u8 buf2[MAX_XFER_SIZE];
+ int err;
+ struct i2c_msg msg = { .addr = state->config->demod_address, .flags = 0, .buf = buf2, .len = len + 1 };
+
++ if (1 + len > sizeof(buf2)) {
++ pr_warn("%s: i2c wr reg=%04x: len=%d is too big!\n",
++ __func__, reg, len);
++ return -EINVAL;
++ }
++
+ buf2[0] = reg;
+ memcpy(&buf2[1], buf, len);
+
+--- a/drivers/media/dvb-frontends/stb6100.c
++++ b/drivers/media/dvb-frontends/stb6100.c
+@@ -31,6 +31,8 @@
+ static unsigned int verbose;
+ module_param(verbose, int, 0644);
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
+
+ #define FE_ERROR 0
+ #define FE_NOTICE 1
+@@ -183,7 +185,7 @@ static int stb6100_read_reg(struct stb61
+ static int stb6100_write_reg_range(struct stb6100_state *state, u8 buf[], int start, int len)
+ {
+ int rc;
+- u8 cmdbuf[len + 1];
++ u8 cmdbuf[MAX_XFER_SIZE];
+ struct i2c_msg msg = {
+ .addr = state->config->tuner_address,
+ .flags = 0,
+@@ -191,6 +193,13 @@ static int stb6100_write_reg_range(struc
+ .len = len + 1
+ };
+
++ if (1 + len > sizeof(buf)) {
++ printk(KERN_WARNING
++ "%s: i2c wr: len=%d is too big!\n",
++ KBUILD_MODNAME, len);
++ return -EINVAL;
++ }
++
+ if (unlikely(start < 1 || start + len > STB6100_NUMREGS)) {
+ dprintk(verbose, FE_ERROR, 1, "Invalid register range %d:%d",
+ start, len);
+--- a/drivers/media/dvb-frontends/stv6110.c
++++ b/drivers/media/dvb-frontends/stv6110.c
+@@ -30,6 +30,9 @@
+
+ #include "stv6110.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ static int debug;
+
+ struct stv6110_priv {
+@@ -68,7 +71,7 @@ static int stv6110_write_regs(struct dvb
+ {
+ struct stv6110_priv *priv = fe->tuner_priv;
+ int rc;
+- u8 cmdbuf[len + 1];
++ u8 cmdbuf[MAX_XFER_SIZE];
+ struct i2c_msg msg = {
+ .addr = priv->i2c_address,
+ .flags = 0,
+@@ -78,6 +81,13 @@ static int stv6110_write_regs(struct dvb
+
+ dprintk("%s\n", __func__);
+
++ if (1 + len > sizeof(cmdbuf)) {
++ printk(KERN_WARNING
++ "%s: i2c wr: len=%d is too big!\n",
++ KBUILD_MODNAME, len);
++ return -EINVAL;
++ }
++
+ if (start + len > 8)
+ return -EINVAL;
+
+--- a/drivers/media/dvb-frontends/stv6110x.c
++++ b/drivers/media/dvb-frontends/stv6110x.c
+@@ -32,6 +32,9 @@
+ #include "stv6110x.h"
+ #include "stv6110x_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ static unsigned int verbose;
+ module_param(verbose, int, 0644);
+ MODULE_PARM_DESC(verbose, "Set Verbosity level");
+@@ -61,7 +64,8 @@ static int stv6110x_write_regs(struct st
+ {
+ int ret;
+ const struct stv6110x_config *config = stv6110x->config;
+- u8 buf[len + 1];
++ u8 buf[MAX_XFER_SIZE];
++
+ struct i2c_msg msg = {
+ .addr = config->addr,
+ .flags = 0,
+@@ -69,6 +73,13 @@ static int stv6110x_write_regs(struct st
+ .len = len + 1
+ };
+
++ if (1 + len > sizeof(buf)) {
++ printk(KERN_WARNING
++ "%s: i2c wr: len=%d is too big!\n",
++ KBUILD_MODNAME, len);
++ return -EINVAL;
++ }
++
+ if (start + len > 8)
+ return -EINVAL;
+
+--- a/drivers/media/dvb-frontends/tda18271c2dd.c
++++ b/drivers/media/dvb-frontends/tda18271c2dd.c
+@@ -34,6 +34,9 @@
+ #include "dvb_frontend.h"
+ #include "tda18271c2dd.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ struct SStandardParam {
+ s32 m_IFFrequency;
+ u32 m_BandWidth;
+@@ -139,11 +142,18 @@ static int i2c_write(struct i2c_adapter
+ static int WriteRegs(struct tda_state *state,
+ u8 SubAddr, u8 *Regs, u16 nRegs)
+ {
+- u8 data[nRegs+1];
++ u8 data[MAX_XFER_SIZE];
++
++ if (1 + nRegs > sizeof(data)) {
++ printk(KERN_WARNING
++ "%s: i2c wr: len=%d is too big!\n",
++ KBUILD_MODNAME, nRegs);
++ return -EINVAL;
++ }
+
+ data[0] = SubAddr;
+ memcpy(data + 1, Regs, nRegs);
+- return i2c_write(state->i2c, state->adr, data, nRegs+1);
++ return i2c_write(state->i2c, state->adr, data, nRegs + 1);
+ }
+
+ static int WriteReg(struct tda_state *state, u8 SubAddr, u8 Reg)
+--- a/drivers/media/dvb-frontends/zl10039.c
++++ b/drivers/media/dvb-frontends/zl10039.c
+@@ -30,6 +30,9 @@
+
+ static int debug;
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ #define dprintk(args...) \
+ do { \
+ if (debug) \
+@@ -98,7 +101,7 @@ static int zl10039_write(struct zl10039_
+ const enum zl10039_reg_addr reg, const u8 *src,
+ const size_t count)
+ {
+- u8 buf[count + 1];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg = {
+ .addr = state->i2c_addr,
+ .flags = 0,
+@@ -106,6 +109,13 @@ static int zl10039_write(struct zl10039_
+ .len = count + 1,
+ };
+
++ if (1 + count > sizeof(buf)) {
++ printk(KERN_WARNING
++ "%s: i2c wr reg=%04x: len=%zd is too big!\n",
++ KBUILD_MODNAME, reg, count);
++ return -EINVAL;
++ }
++
+ dprintk("%s\n", __func__);
+ /* Write register address and data in one go */
+ buf[0] = reg;
--- /dev/null
+From 37ebaf6891ee81687bb558e8375c0712d8264ed8 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 05:11:47 -0300
+Subject: media: dvb-frontends: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 37ebaf6891ee81687bb558e8375c0712d8264ed8 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/dvb-frontends/af9013.c:77:1: warning: 'af9013_wr_regs_i2c' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/af9033.c:188:1: warning: 'af9033_wr_reg_val_tab' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/af9033.c:68:1: warning: 'af9033_wr_regs' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/bcm3510.c:230:1: warning: 'bcm3510_do_hab_cmd' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/cxd2820r_core.c:84:1: warning: 'cxd2820r_rd_regs_i2c.isra.1' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/rtl2830.c:56:1: warning: 'rtl2830_wr' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/rtl2832.c:187:1: warning: 'rtl2832_wr' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/tda10071.c:52:1: warning: 'tda10071_wr_regs' uses dynamic stack allocation [enabled by default]
+ drivers/media/dvb-frontends/tda10071.c:84:1: warning: 'tda10071_rd_regs' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer. Considering that I2C
+transfers are generally limited, and that devices used on USB has a
+max data length of 64 bytes for the control URBs.
+So, it seem safe to use 64 bytes as the hard limit for all those devices.
+ On most cases, the limit is a way lower than that, but this limit
+is small enough to not affect the Kernel stack, and it is a no brain
+limit, as using smaller ones would require to either carefully each
+driver or to take a look on each datasheet.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Reviewed-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/af9013.c | 14 ++++++++++++--
+ drivers/media/dvb-frontends/af9033.c | 23 ++++++++++++++++++++---
+ drivers/media/dvb-frontends/cxd2820r_core.c | 21 +++++++++++++++++++--
+ drivers/media/dvb-frontends/rtl2830.c | 14 ++++++++++++--
+ drivers/media/dvb-frontends/rtl2832.c | 14 ++++++++++++--
+ drivers/media/dvb-frontends/tda10071.c | 25 +++++++++++++++++++++----
+ 6 files changed, 96 insertions(+), 15 deletions(-)
+
+--- a/drivers/media/dvb-frontends/af9013.c
++++ b/drivers/media/dvb-frontends/af9013.c
+@@ -24,6 +24,9 @@
+
+ #include "af9013_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ struct af9013_state {
+ struct i2c_adapter *i2c;
+ struct dvb_frontend fe;
+@@ -50,16 +53,23 @@ static int af9013_wr_regs_i2c(struct af9
+ const u8 *val, int len)
+ {
+ int ret;
+- u8 buf[3+len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[1] = {
+ {
+ .addr = priv->config.i2c_addr,
+ .flags = 0,
+- .len = sizeof(buf),
++ .len = 3 + len,
+ .buf = buf,
+ }
+ };
+
++ if (3 + len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ buf[0] = (reg >> 8) & 0xff;
+ buf[1] = (reg >> 0) & 0xff;
+ buf[2] = mbox;
+--- a/drivers/media/dvb-frontends/af9033.c
++++ b/drivers/media/dvb-frontends/af9033.c
+@@ -21,6 +21,9 @@
+
+ #include "af9033_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ struct af9033_state {
+ struct i2c_adapter *i2c;
+ struct dvb_frontend fe;
+@@ -40,16 +43,23 @@ static int af9033_wr_regs(struct af9033_
+ int len)
+ {
+ int ret;
+- u8 buf[3 + len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[1] = {
+ {
+ .addr = state->cfg.i2c_addr,
+ .flags = 0,
+- .len = sizeof(buf),
++ .len = 3 + len,
+ .buf = buf,
+ }
+ };
+
++ if (3 + len > sizeof(buf)) {
++ dev_warn(&state->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ buf[0] = (reg >> 16) & 0xff;
+ buf[1] = (reg >> 8) & 0xff;
+ buf[2] = (reg >> 0) & 0xff;
+@@ -161,7 +171,14 @@ static int af9033_wr_reg_val_tab(struct
+ const struct reg_val *tab, int tab_len)
+ {
+ int ret, i, j;
+- u8 buf[tab_len];
++ u8 buf[MAX_XFER_SIZE];
++
++ if (tab_len > sizeof(buf)) {
++ dev_warn(&state->i2c->dev,
++ "%s: i2c wr len=%d is too big!\n",
++ KBUILD_MODNAME, tab_len);
++ return -EINVAL;
++ }
+
+ dev_dbg(&state->i2c->dev, "%s: tab_len=%d\n", __func__, tab_len);
+
+--- a/drivers/media/dvb-frontends/cxd2820r_core.c
++++ b/drivers/media/dvb-frontends/cxd2820r_core.c
+@@ -21,12 +21,15 @@
+
+ #include "cxd2820r_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ /* write multiple registers */
+ static int cxd2820r_wr_regs_i2c(struct cxd2820r_priv *priv, u8 i2c, u8 reg,
+ u8 *val, int len)
+ {
+ int ret;
+- u8 buf[len+1];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[1] = {
+ {
+ .addr = i2c,
+@@ -36,6 +39,13 @@ static int cxd2820r_wr_regs_i2c(struct c
+ }
+ };
+
++ if (1 + len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ buf[0] = reg;
+ memcpy(&buf[1], val, len);
+
+@@ -55,7 +65,7 @@ static int cxd2820r_rd_regs_i2c(struct c
+ u8 *val, int len)
+ {
+ int ret;
+- u8 buf[len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[2] = {
+ {
+ .addr = i2c,
+@@ -70,6 +80,13 @@ static int cxd2820r_rd_regs_i2c(struct c
+ }
+ };
+
++ if (len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ ret = i2c_transfer(priv->i2c, msg, 2);
+ if (ret == 2) {
+ memcpy(val, buf, len);
+--- a/drivers/media/dvb-frontends/rtl2830.c
++++ b/drivers/media/dvb-frontends/rtl2830.c
+@@ -27,20 +27,30 @@
+
+ #include "rtl2830_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ /* write multiple hardware registers */
+ static int rtl2830_wr(struct rtl2830_priv *priv, u8 reg, const u8 *val, int len)
+ {
+ int ret;
+- u8 buf[1+len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[1] = {
+ {
+ .addr = priv->cfg.i2c_addr,
+ .flags = 0,
+- .len = 1+len,
++ .len = 1 + len,
+ .buf = buf,
+ }
+ };
+
++ if (1 + len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ buf[0] = reg;
+ memcpy(&buf[1], val, len);
+
+--- a/drivers/media/dvb-frontends/rtl2832.c
++++ b/drivers/media/dvb-frontends/rtl2832.c
+@@ -22,6 +22,9 @@
+ #include "dvb_math.h"
+ #include <linux/bitops.h>
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ int rtl2832_debug;
+ module_param_named(debug, rtl2832_debug, int, 0644);
+ MODULE_PARM_DESC(debug, "Turn on/off frontend debugging (default:off).");
+@@ -162,16 +165,23 @@ static const struct rtl2832_reg_entry re
+ static int rtl2832_wr(struct rtl2832_priv *priv, u8 reg, u8 *val, int len)
+ {
+ int ret;
+- u8 buf[1+len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[1] = {
+ {
+ .addr = priv->cfg.i2c_addr,
+ .flags = 0,
+- .len = 1+len,
++ .len = 1 + len,
+ .buf = buf,
+ }
+ };
+
++ if (1 + len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ buf[0] = reg;
+ memcpy(&buf[1], val, len);
+
+--- a/drivers/media/dvb-frontends/tda10071.c
++++ b/drivers/media/dvb-frontends/tda10071.c
+@@ -20,6 +20,9 @@
+
+ #include "tda10071_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ static struct dvb_frontend_ops tda10071_ops;
+
+ /* write multiple registers */
+@@ -27,16 +30,23 @@ static int tda10071_wr_regs(struct tda10
+ int len)
+ {
+ int ret;
+- u8 buf[len+1];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[1] = {
+ {
+ .addr = priv->cfg.demod_i2c_addr,
+ .flags = 0,
+- .len = sizeof(buf),
++ .len = 1 + len,
+ .buf = buf,
+ }
+ };
+
++ if (1 + len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ buf[0] = reg;
+ memcpy(&buf[1], val, len);
+
+@@ -56,7 +66,7 @@ static int tda10071_rd_regs(struct tda10
+ int len)
+ {
+ int ret;
+- u8 buf[len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[2] = {
+ {
+ .addr = priv->cfg.demod_i2c_addr,
+@@ -66,11 +76,18 @@ static int tda10071_rd_regs(struct tda10
+ }, {
+ .addr = priv->cfg.demod_i2c_addr,
+ .flags = I2C_M_RD,
+- .len = sizeof(buf),
++ .len = len,
+ .buf = buf,
+ }
+ };
+
++ if (len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ ret = i2c_transfer(priv->i2c, msg, 2);
+ if (ret == 2) {
+ memcpy(val, buf, len);
--- /dev/null
+From 0065a79a8698a953e4b201c5fce8db8940530578 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 07:43:40 -0300
+Subject: media: dw2102: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 0065a79a8698a953e4b201c5fce8db8940530578 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/usb/dvb-usb/dw2102.c:368:1: warning: 'dw2102_earda_i2c_transfer' uses dynamic stack allocation [enabled by default]
+ drivers/media/usb/dvb-usb/dw2102.c:449:1: warning: 'dw2104_i2c_transfer' uses dynamic stack allocation [enabled by default]
+ drivers/media/usb/dvb-usb/dw2102.c:512:1: warning: 'dw3101_i2c_transfer' uses dynamic stack allocation [enabled by default]
+ drivers/media/usb/dvb-usb/dw2102.c:621:1: warning: 's6x0_i2c_transfer' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer to be the max size of
+a control URB payload data (64 bytes).
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dw2102.c | 90 ++++++++++++++++++++++++++++++++-----
+ 1 file changed, 80 insertions(+), 10 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dw2102.c
++++ b/drivers/media/usb/dvb-usb/dw2102.c
+@@ -30,6 +30,9 @@
+ #include "stb6100_proc.h"
+ #include "m88rs2000.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ #ifndef USB_PID_DW2102
+ #define USB_PID_DW2102 0x2102
+ #endif
+@@ -308,7 +311,14 @@ static int dw2102_earda_i2c_transfer(str
+ case 2: {
+ /* read */
+ /* first write first register number */
+- u8 ibuf[msg[1].len + 2], obuf[3];
++ u8 ibuf[MAX_XFER_SIZE], obuf[3];
++
++ if (2 + msg[1].len > sizeof(ibuf)) {
++ warn("i2c rd: len=%d is too big!\n",
++ msg[1].len);
++ return -EOPNOTSUPP;
++ }
++
+ obuf[0] = msg[0].addr << 1;
+ obuf[1] = msg[0].len;
+ obuf[2] = msg[0].buf[0];
+@@ -325,7 +335,14 @@ static int dw2102_earda_i2c_transfer(str
+ switch (msg[0].addr) {
+ case 0x68: {
+ /* write to register */
+- u8 obuf[msg[0].len + 2];
++ u8 obuf[MAX_XFER_SIZE];
++
++ if (2 + msg[0].len > sizeof(obuf)) {
++ warn("i2c wr: len=%d is too big!\n",
++ msg[1].len);
++ return -EOPNOTSUPP;
++ }
++
+ obuf[0] = msg[0].addr << 1;
+ obuf[1] = msg[0].len;
+ memcpy(obuf + 2, msg[0].buf, msg[0].len);
+@@ -335,7 +352,14 @@ static int dw2102_earda_i2c_transfer(str
+ }
+ case 0x61: {
+ /* write to tuner */
+- u8 obuf[msg[0].len + 2];
++ u8 obuf[MAX_XFER_SIZE];
++
++ if (2 + msg[0].len > sizeof(obuf)) {
++ warn("i2c wr: len=%d is too big!\n",
++ msg[1].len);
++ return -EOPNOTSUPP;
++ }
++
+ obuf[0] = msg[0].addr << 1;
+ obuf[1] = msg[0].len;
+ memcpy(obuf + 2, msg[0].buf, msg[0].len);
+@@ -401,7 +425,14 @@ static int dw2104_i2c_transfer(struct i2
+ default: {
+ if (msg[j].flags == I2C_M_RD) {
+ /* read registers */
+- u8 ibuf[msg[j].len + 2];
++ u8 ibuf[MAX_XFER_SIZE];
++
++ if (2 + msg[j].len > sizeof(ibuf)) {
++ warn("i2c rd: len=%d is too big!\n",
++ msg[j].len);
++ return -EOPNOTSUPP;
++ }
++
+ dw210x_op_rw(d->udev, 0xc3,
+ (msg[j].addr << 1) + 1, 0,
+ ibuf, msg[j].len + 2,
+@@ -430,7 +461,14 @@ static int dw2104_i2c_transfer(struct i2
+ } while (len > 0);
+ } else {
+ /* write registers */
+- u8 obuf[msg[j].len + 2];
++ u8 obuf[MAX_XFER_SIZE];
++
++ if (2 + msg[j].len > sizeof(obuf)) {
++ warn("i2c wr: len=%d is too big!\n",
++ msg[j].len);
++ return -EOPNOTSUPP;
++ }
++
+ obuf[0] = msg[j].addr << 1;
+ obuf[1] = msg[j].len;
+ memcpy(obuf + 2, msg[j].buf, msg[j].len);
+@@ -463,7 +501,13 @@ static int dw3101_i2c_transfer(struct i2
+ case 2: {
+ /* read */
+ /* first write first register number */
+- u8 ibuf[msg[1].len + 2], obuf[3];
++ u8 ibuf[MAX_XFER_SIZE], obuf[3];
++
++ if (2 + msg[1].len > sizeof(ibuf)) {
++ warn("i2c rd: len=%d is too big!\n",
++ msg[1].len);
++ return -EOPNOTSUPP;
++ }
+ obuf[0] = msg[0].addr << 1;
+ obuf[1] = msg[0].len;
+ obuf[2] = msg[0].buf[0];
+@@ -481,7 +525,13 @@ static int dw3101_i2c_transfer(struct i2
+ case 0x60:
+ case 0x0c: {
+ /* write to register */
+- u8 obuf[msg[0].len + 2];
++ u8 obuf[MAX_XFER_SIZE];
++
++ if (2 + msg[0].len > sizeof(obuf)) {
++ warn("i2c wr: len=%d is too big!\n",
++ msg[0].len);
++ return -EOPNOTSUPP;
++ }
+ obuf[0] = msg[0].addr << 1;
+ obuf[1] = msg[0].len;
+ memcpy(obuf + 2, msg[0].buf, msg[0].len);
+@@ -563,7 +613,14 @@ static int s6x0_i2c_transfer(struct i2c_
+ default: {
+ if (msg[j].flags == I2C_M_RD) {
+ /* read registers */
+- u8 ibuf[msg[j].len];
++ u8 ibuf[MAX_XFER_SIZE];
++
++ if (msg[j].len > sizeof(ibuf)) {
++ warn("i2c rd: len=%d is too big!\n",
++ msg[j].len);
++ return -EOPNOTSUPP;
++ }
++
+ dw210x_op_rw(d->udev, 0x91, 0, 0,
+ ibuf, msg[j].len,
+ DW210X_READ_MSG);
+@@ -590,7 +647,14 @@ static int s6x0_i2c_transfer(struct i2c_
+ } while (len > 0);
+ } else if (j < (num - 1)) {
+ /* write register addr before read */
+- u8 obuf[msg[j].len + 2];
++ u8 obuf[MAX_XFER_SIZE];
++
++ if (2 + msg[j].len > sizeof(obuf)) {
++ warn("i2c wr: len=%d is too big!\n",
++ msg[j].len);
++ return -EOPNOTSUPP;
++ }
++
+ obuf[0] = msg[j + 1].len;
+ obuf[1] = (msg[j].addr << 1);
+ memcpy(obuf + 2, msg[j].buf, msg[j].len);
+@@ -602,7 +666,13 @@ static int s6x0_i2c_transfer(struct i2c_
+ break;
+ } else {
+ /* write registers */
+- u8 obuf[msg[j].len + 2];
++ u8 obuf[MAX_XFER_SIZE];
++
++ if (2 + msg[j].len > sizeof(obuf)) {
++ warn("i2c wr: len=%d is too big!\n",
++ msg[j].len);
++ return -EOPNOTSUPP;
++ }
+ obuf[0] = msg[j].len + 1;
+ obuf[1] = (msg[j].addr << 1);
+ memcpy(obuf + 2, msg[j].buf, msg[j].len);
--- /dev/null
+From ac5b4b6bf0c84c48d7e2e3fce22e35b04282ba76 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 08:16:47 -0300
+Subject: media: lirc_zilog: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit ac5b4b6bf0c84c48d7e2e3fce22e35b04282ba76 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+ompilation complains about it on some archs:
+ drivers/staging/media/lirc/lirc_zilog.c:967:1: warning: 'read' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer to be 64. That should
+be more than enough.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/media/lirc/lirc_zilog.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/media/lirc/lirc_zilog.c
++++ b/drivers/staging/media/lirc/lirc_zilog.c
+@@ -61,6 +61,9 @@
+ #include <media/lirc_dev.h>
+ #include <media/lirc.h>
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ struct IR;
+
+ struct IR_rx {
+@@ -941,7 +944,14 @@ static ssize_t read(struct file *filep,
+ schedule();
+ set_current_state(TASK_INTERRUPTIBLE);
+ } else {
+- unsigned char buf[rbuf->chunk_size];
++ unsigned char buf[MAX_XFER_SIZE];
++
++ if (rbuf->chunk_size > sizeof(buf)) {
++ zilog_error("chunk_size is too big (%d)!\n",
++ rbuf->chunk_size);
++ ret = -EINVAL;
++ break;
++ }
+ m = lirc_buffer_read(rbuf, buf);
+ if (m == rbuf->chunk_size) {
+ ret = copy_to_user((void *)outbuf+written, buf,
--- /dev/null
+From c98300a0e8cf160aaea60bc05d2cd156a7666173 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 08:13:02 -0300
+Subject: media: mxl111sf: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit c98300a0e8cf160aaea60bc05d2cd156a7666173 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/usb/dvb-usb-v2/mxl111sf.c:74:1: warning: 'mxl111sf_ctrl_msg' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer to be the max size of
+a control URB payload data (64 bytes).
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb-v2/mxl111sf.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/mxl111sf.c
++++ b/drivers/media/usb/dvb-usb-v2/mxl111sf.c
+@@ -23,6 +23,9 @@
+ #include "lgdt3305.h"
+ #include "lg2160.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ int dvb_usb_mxl111sf_debug;
+ module_param_named(debug, dvb_usb_mxl111sf_debug, int, 0644);
+ MODULE_PARM_DESC(debug, "set debugging level "
+@@ -57,7 +60,12 @@ int mxl111sf_ctrl_msg(struct dvb_usb_dev
+ {
+ int wo = (rbuf == NULL || rlen == 0); /* write-only */
+ int ret;
+- u8 sndbuf[1+wlen];
++ u8 sndbuf[MAX_XFER_SIZE];
++
++ if (1 + wlen > sizeof(sndbuf)) {
++ pr_warn("%s: len=%d is too big!\n", __func__, wlen);
++ return -EOPNOTSUPP;
++ }
+
+ pr_debug("%s(wlen = %d, rlen = %d)\n", __func__, wlen, rlen);
+
--- /dev/null
+From 9736a89dafe07359d9c86bf9c3b815a250b354bc Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 04:29:42 -0300
+Subject: media: s5h1420: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 9736a89dafe07359d9c86bf9c3b815a250b354bc upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/dvb-frontends/s5h1420.c:851:1: warning: 's5h1420_tuner_i2c_tuner_xfer' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer.
+In the specific case of this frontend, only ttpci uses it. The maximum
+number of messages there is two, on I2C read operations. As the logic
+can add an extra operation, change the size to 3.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/s5h1420.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/dvb-frontends/s5h1420.c
++++ b/drivers/media/dvb-frontends/s5h1420.c
+@@ -836,9 +836,16 @@ static u32 s5h1420_tuner_i2c_func(struct
+ static int s5h1420_tuner_i2c_tuner_xfer(struct i2c_adapter *i2c_adap, struct i2c_msg msg[], int num)
+ {
+ struct s5h1420_state *state = i2c_get_adapdata(i2c_adap);
+- struct i2c_msg m[1 + num];
++ struct i2c_msg m[3];
+ u8 tx_open[2] = { CON_1, state->CON_1_val | 1 }; /* repeater stops once there was a stop condition */
+
++ if (1 + num > ARRAY_SIZE(m)) {
++ printk(KERN_WARNING
++ "%s: i2c xfer: num=%d is too big!\n",
++ KBUILD_MODNAME, num);
++ return -EOPNOTSUPP;
++ }
++
+ memset(m, 0, sizeof(struct i2c_msg) * (1 + num));
+
+ m[0].addr = state->config->demod_address;
+@@ -847,7 +854,7 @@ static int s5h1420_tuner_i2c_tuner_xfer(
+
+ memcpy(&m[1], msg, sizeof(struct i2c_msg) * num);
+
+- return i2c_transfer(state->i2c, m, 1+num) == 1 + num ? num : -EIO;
++ return i2c_transfer(state->i2c, m, 1 + num) == 1 + num ? num : -EIO;
+ }
+
+ static struct i2c_algorithm s5h1420_tuner_i2c_algo = {
--- /dev/null
+From ba4746423488aafa435739c32bfe0758f3dd5d77 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 05:14:58 -0300
+Subject: media: stb0899_drv: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit ba4746423488aafa435739c32bfe0758f3dd5d77 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/dvb-frontends/stb0899_drv.c:540:1: warning: 'stb0899_write_regs' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer. Considering that I2C
+transfers are generally limited, and that devices used on USB has a
+max data length of 64 bytes for the control URBs.
+So, it seem safe to use 64 bytes as the hard limit for all those devices.
+ On most cases, the limit is a way lower than that, but this limit
+is small enough to not affect the Kernel stack, and it is a no brain
+limit, as using smaller ones would require to either carefully each
+driver or to take a look on each datasheet.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/stb0899_drv.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/stb0899_drv.c
++++ b/drivers/media/dvb-frontends/stb0899_drv.c
+@@ -32,6 +32,9 @@
+ #include "stb0899_priv.h"
+ #include "stb0899_reg.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ static unsigned int verbose = 0;//1;
+ module_param(verbose, int, 0644);
+
+@@ -499,7 +502,7 @@ err:
+ int stb0899_write_regs(struct stb0899_state *state, unsigned int reg, u8 *data, u32 count)
+ {
+ int ret;
+- u8 buf[2 + count];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg i2c_msg = {
+ .addr = state->config->demod_address,
+ .flags = 0,
+@@ -507,6 +510,13 @@ int stb0899_write_regs(struct stb0899_st
+ .len = 2 + count
+ };
+
++ if (2 + count > sizeof(buf)) {
++ printk(KERN_WARNING
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, count);
++ return -EINVAL;
++ }
++
+ buf[0] = reg >> 8;
+ buf[1] = reg & 0xff;
+ memcpy(&buf[2], data, count);
--- /dev/null
+From 9aca4fb0571ce9cfef680ceb08d19dd008015307 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 05:17:01 -0300
+Subject: media: stv0367: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 9aca4fb0571ce9cfef680ceb08d19dd008015307 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/dvb-frontends/stv0367.c:791:1: warning: 'stv0367_writeregs.constprop.4' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer. Considering that I2C
+transfers are generally limited, and that devices used on USB has a
+max data length of 64 bytes for the control URBs.
+So, it seem safe to use 64 bytes as the hard limit for all those devices.
+ On most cases, the limit is a way lower than that, but this limit
+is small enough to not affect the Kernel stack, and it is a no brain
+limit, as using smaller ones would require to either carefully each
+driver or to take a look on each datasheet.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/stv0367.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/stv0367.c
++++ b/drivers/media/dvb-frontends/stv0367.c
+@@ -33,6 +33,9 @@
+ #include "stv0367_regs.h"
+ #include "stv0367_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ static int stvdebug;
+ module_param_named(debug, stvdebug, int, 0644);
+
+@@ -767,7 +770,7 @@ static struct st_register def0367cab[STV
+ static
+ int stv0367_writeregs(struct stv0367_state *state, u16 reg, u8 *data, int len)
+ {
+- u8 buf[len + 2];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg = {
+ .addr = state->config->demod_address,
+ .flags = 0,
+@@ -776,6 +779,14 @@ int stv0367_writeregs(struct stv0367_sta
+ };
+ int ret;
+
++ if (2 + len > sizeof(buf)) {
++ printk(KERN_WARNING
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
++
+ buf[0] = MSB(reg);
+ buf[1] = LSB(reg);
+ memcpy(buf + 2, data, len);
--- /dev/null
+From f7a35df15b1f7de7823946aebc9164854e66ea07 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 05:18:49 -0300
+Subject: media: stv090x: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit f7a35df15b1f7de7823946aebc9164854e66ea07 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/dvb-frontends/stv090x.c:750:1: warning: 'stv090x_write_regs.constprop.6' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer. Considering that I2C
+transfers are generally limited, and that devices used on USB has a
+max data length of 64 bytes for the control URBs.
+So, it seem safe to use 64 bytes as the hard limit for all those devices.
+ On most cases, the limit is a way lower than that, but this limit
+is small enough to not affect the Kernel stack, and it is a no brain
+limit, as using smaller ones would require to either carefully each
+driver or to take a look on each datasheet.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/stv090x.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/stv090x.c
++++ b/drivers/media/dvb-frontends/stv090x.c
+@@ -35,6 +35,9 @@
+ #include "stv090x.h"
+ #include "stv090x_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ static unsigned int verbose;
+ module_param(verbose, int, 0644);
+
+@@ -722,9 +725,16 @@ static int stv090x_write_regs(struct stv
+ {
+ const struct stv090x_config *config = state->config;
+ int ret;
+- u8 buf[2 + count];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg i2c_msg = { .addr = config->address, .flags = 0, .buf = buf, .len = 2 + count };
+
++ if (2 + count > sizeof(buf)) {
++ printk(KERN_WARNING
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, count);
++ return -EINVAL;
++ }
++
+ buf[0] = reg >> 8;
+ buf[1] = reg & 0xff;
+ memcpy(&buf[2], data, count);
--- /dev/null
+From 56ac033725ec93a45170caf3979eb2b1211a59a8 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 06:13:11 -0300
+Subject: media: tuner-xc2028: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 56ac033725ec93a45170caf3979eb2b1211a59a8 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/tuners/tuner-xc2028.c:651:1: warning: 'load_firmware' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer.
+In the specific case of this driver, the maximum limit is 80, used only
+on tm6000 driver. This limit is due to the size of the USB control URBs.
+Ok, it would be theoretically possible to use a bigger size on PCI
+devices, but the firmware load time is already good enough. Anyway,
+if some usage requires more, it is just a matter of also increasing
+the buffer size at load_firmware().
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/tuners/tuner-xc2028.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/tuners/tuner-xc2028.c
++++ b/drivers/media/tuners/tuner-xc2028.c
+@@ -24,6 +24,9 @@
+ #include <linux/dvb/frontend.h>
+ #include "dvb_frontend.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 80
++
+ /* Registers (Write-only) */
+ #define XREG_INIT 0x00
+ #define XREG_RF_FREQ 0x02
+@@ -547,7 +550,10 @@ static int load_firmware(struct dvb_fron
+ {
+ struct xc2028_data *priv = fe->tuner_priv;
+ int pos, rc;
+- unsigned char *p, *endp, buf[priv->ctrl.max_len];
++ unsigned char *p, *endp, buf[MAX_XFER_SIZE];
++
++ if (priv->ctrl.max_len > sizeof(buf))
++ priv->ctrl.max_len = sizeof(buf);
+
+ tuner_dbg("%s called\n", __func__);
+
--- /dev/null
+From f1baab870f6e93b668af7b34d6f6ba49f1b0e982 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 06:07:42 -0300
+Subject: media: tuners: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit f1baab870f6e93b668af7b34d6f6ba49f1b0e982 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/tuners/e4000.c:50:1: warning: 'e4000_wr_regs' uses dynamic stack allocation [enabled by default]
+ drivers/media/tuners/e4000.c:83:1: warning: 'e4000_rd_regs' uses dynamic stack allocation [enabled by default]
+ drivers/media/tuners/fc2580.c:66:1: warning: 'fc2580_wr_regs.constprop.1' uses dynamic stack allocation [enabled by default]
+ drivers/media/tuners/fc2580.c:98:1: warning: 'fc2580_rd_regs.constprop.0' uses dynamic stack allocation [enabled by default]
+ drivers/media/tuners/tda18212.c:57:1: warning: 'tda18212_wr_regs' uses dynamic stack allocation [enabled by default]
+ drivers/media/tuners/tda18212.c:90:1: warning: 'tda18212_rd_regs.constprop.0' uses dynamic stack allocation [enabled by default]
+ drivers/media/tuners/tda18218.c:60:1: warning: 'tda18218_wr_regs' uses dynamic stack allocation [enabled by default]
+ drivers/media/tuners/tda18218.c:92:1: warning: 'tda18218_rd_regs.constprop.0' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer. Considering that I2C
+transfers are generally limited, and that devices used on USB has a
+max data length of 64 bytes for the control URBs.
+So, it seem safe to use 64 bytes as the hard limit for all those devices.
+ On most cases, the limit is a way lower than that, but this limit
+is small enough to not affect the Kernel stack, and it is a no brain
+limit, as using smaller ones would require to either carefully each
+driver or to take a look on each datasheet.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Reviewed-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/tuners/e4000.c | 25 +++++++++++++++++++++----
+ drivers/media/tuners/fc2580.c | 25 +++++++++++++++++++++----
+ drivers/media/tuners/tda18212.c | 25 +++++++++++++++++++++----
+ drivers/media/tuners/tda18218.c | 23 ++++++++++++++++++++---
+ 4 files changed, 83 insertions(+), 15 deletions(-)
+
+--- a/drivers/media/tuners/e4000.c
++++ b/drivers/media/tuners/e4000.c
+@@ -21,20 +21,30 @@
+ #include "e4000_priv.h"
+ #include <linux/math64.h>
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ /* write multiple registers */
+ static int e4000_wr_regs(struct e4000_priv *priv, u8 reg, u8 *val, int len)
+ {
+ int ret;
+- u8 buf[1 + len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[1] = {
+ {
+ .addr = priv->cfg->i2c_addr,
+ .flags = 0,
+- .len = sizeof(buf),
++ .len = 1 + len,
+ .buf = buf,
+ }
+ };
+
++ if (1 + len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ buf[0] = reg;
+ memcpy(&buf[1], val, len);
+
+@@ -54,7 +64,7 @@ static int e4000_wr_regs(struct e4000_pr
+ static int e4000_rd_regs(struct e4000_priv *priv, u8 reg, u8 *val, int len)
+ {
+ int ret;
+- u8 buf[len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[2] = {
+ {
+ .addr = priv->cfg->i2c_addr,
+@@ -64,11 +74,18 @@ static int e4000_rd_regs(struct e4000_pr
+ }, {
+ .addr = priv->cfg->i2c_addr,
+ .flags = I2C_M_RD,
+- .len = sizeof(buf),
++ .len = len,
+ .buf = buf,
+ }
+ };
+
++ if (len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c rd reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ ret = i2c_transfer(priv->i2c, msg, 2);
+ if (ret == 2) {
+ memcpy(val, buf, len);
+--- a/drivers/media/tuners/fc2580.c
++++ b/drivers/media/tuners/fc2580.c
+@@ -20,6 +20,9 @@
+
+ #include "fc2580_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ /*
+ * TODO:
+ * I2C write and read works only for one single register. Multiple registers
+@@ -41,16 +44,23 @@
+ static int fc2580_wr_regs(struct fc2580_priv *priv, u8 reg, u8 *val, int len)
+ {
+ int ret;
+- u8 buf[1 + len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[1] = {
+ {
+ .addr = priv->cfg->i2c_addr,
+ .flags = 0,
+- .len = sizeof(buf),
++ .len = 1 + len,
+ .buf = buf,
+ }
+ };
+
++ if (1 + len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ buf[0] = reg;
+ memcpy(&buf[1], val, len);
+
+@@ -69,7 +79,7 @@ static int fc2580_wr_regs(struct fc2580_
+ static int fc2580_rd_regs(struct fc2580_priv *priv, u8 reg, u8 *val, int len)
+ {
+ int ret;
+- u8 buf[len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[2] = {
+ {
+ .addr = priv->cfg->i2c_addr,
+@@ -79,11 +89,18 @@ static int fc2580_rd_regs(struct fc2580_
+ }, {
+ .addr = priv->cfg->i2c_addr,
+ .flags = I2C_M_RD,
+- .len = sizeof(buf),
++ .len = len,
+ .buf = buf,
+ }
+ };
+
++ if (len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c rd reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ ret = i2c_transfer(priv->i2c, msg, 2);
+ if (ret == 2) {
+ memcpy(val, buf, len);
+--- a/drivers/media/tuners/tda18212.c
++++ b/drivers/media/tuners/tda18212.c
+@@ -20,6 +20,9 @@
+
+ #include "tda18212.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ struct tda18212_priv {
+ struct tda18212_config *cfg;
+ struct i2c_adapter *i2c;
+@@ -32,16 +35,23 @@ static int tda18212_wr_regs(struct tda18
+ int len)
+ {
+ int ret;
+- u8 buf[len+1];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[1] = {
+ {
+ .addr = priv->cfg->i2c_address,
+ .flags = 0,
+- .len = sizeof(buf),
++ .len = 1 + len,
+ .buf = buf,
+ }
+ };
+
++ if (1 + len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ buf[0] = reg;
+ memcpy(&buf[1], val, len);
+
+@@ -61,7 +71,7 @@ static int tda18212_rd_regs(struct tda18
+ int len)
+ {
+ int ret;
+- u8 buf[len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[2] = {
+ {
+ .addr = priv->cfg->i2c_address,
+@@ -71,11 +81,18 @@ static int tda18212_rd_regs(struct tda18
+ }, {
+ .addr = priv->cfg->i2c_address,
+ .flags = I2C_M_RD,
+- .len = sizeof(buf),
++ .len = len,
+ .buf = buf,
+ }
+ };
+
++ if (len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c rd reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ ret = i2c_transfer(priv->i2c, msg, 2);
+ if (ret == 2) {
+ memcpy(val, buf, len);
+--- a/drivers/media/tuners/tda18218.c
++++ b/drivers/media/tuners/tda18218.c
+@@ -20,11 +20,14 @@
+
+ #include "tda18218_priv.h"
+
++/* Max transfer size done by I2C transfer functions */
++#define MAX_XFER_SIZE 64
++
+ /* write multiple registers */
+ static int tda18218_wr_regs(struct tda18218_priv *priv, u8 reg, u8 *val, u8 len)
+ {
+ int ret = 0, len2, remaining;
+- u8 buf[1 + len];
++ u8 buf[MAX_XFER_SIZE];
+ struct i2c_msg msg[1] = {
+ {
+ .addr = priv->cfg->i2c_address,
+@@ -33,6 +36,13 @@ static int tda18218_wr_regs(struct tda18
+ }
+ };
+
++ if (1 + len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ for (remaining = len; remaining > 0;
+ remaining -= (priv->cfg->i2c_wr_max - 1)) {
+ len2 = remaining;
+@@ -63,7 +73,7 @@ static int tda18218_wr_regs(struct tda18
+ static int tda18218_rd_regs(struct tda18218_priv *priv, u8 reg, u8 *val, u8 len)
+ {
+ int ret;
+- u8 buf[reg+len]; /* we must start read always from reg 0x00 */
++ u8 buf[MAX_XFER_SIZE]; /* we must start read always from reg 0x00 */
+ struct i2c_msg msg[2] = {
+ {
+ .addr = priv->cfg->i2c_address,
+@@ -73,11 +83,18 @@ static int tda18218_rd_regs(struct tda18
+ }, {
+ .addr = priv->cfg->i2c_address,
+ .flags = I2C_M_RD,
+- .len = sizeof(buf),
++ .len = reg + len,
+ .buf = buf,
+ }
+ };
+
++ if (reg + len > sizeof(buf)) {
++ dev_warn(&priv->i2c->dev,
++ "%s: i2c wr reg=%04x: len=%d is too big!\n",
++ KBUILD_MODNAME, reg, len);
++ return -EINVAL;
++ }
++
+ ret = i2c_transfer(priv->i2c, msg, 2);
+ if (ret == 2) {
+ memcpy(val, &buf[reg], len);
--- /dev/null
+From 24e9a47e14f0a97ee97abc3dd86b2ef254448a17 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Sat, 2 Nov 2013 06:20:16 -0300
+Subject: media: v4l2-async: Don't use dynamic static allocation
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 24e9a47e14f0a97ee97abc3dd86b2ef254448a17 upstream.
+
+Dynamic static allocation is evil, as Kernel stack is too low, and
+compilation complains about it on some archs:
+ drivers/media/v4l2-core/v4l2-async.c:238:1: warning: 'v4l2_async_notifier_unregister' uses dynamic stack allocation [enabled by default]
+Instead, let's enforce a limit for the buffer.
+In this specific case, there's a hard limit imposed by V4L2_MAX_SUBDEVS,
+with is currently 128. That means that the buffer size can be up to
+128x8 = 1024 bytes (on a 64bits kernel), with is too big for stack.
+Worse than that, someone could increase it and cause real troubles.
+So, let's use dynamically allocated data, instead.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-async.c | 30 +++++++++++++++++++++++++++---
+ 1 file changed, 27 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-async.c
++++ b/drivers/media/v4l2-core/v4l2-async.c
+@@ -189,30 +189,53 @@ void v4l2_async_notifier_unregister(stru
+ struct v4l2_subdev *sd, *tmp;
+ unsigned int notif_n_subdev = notifier->num_subdevs;
+ unsigned int n_subdev = min(notif_n_subdev, V4L2_MAX_SUBDEVS);
+- struct device *dev[n_subdev];
++ struct device **dev;
+ int i = 0;
+
+ if (!notifier->v4l2_dev)
+ return;
+
++ dev = kmalloc(n_subdev * sizeof(*dev), GFP_KERNEL);
++ if (!dev) {
++ dev_err(notifier->v4l2_dev->dev,
++ "Failed to allocate device cache!\n");
++ }
++
+ mutex_lock(&list_lock);
+
+ list_del(¬ifier->list);
+
+ list_for_each_entry_safe(sd, tmp, ¬ifier->done, async_list) {
+- dev[i] = get_device(sd->dev);
++ struct device *d;
++
++ d = get_device(sd->dev);
+
+ v4l2_async_cleanup(sd);
+
+ /* If we handled USB devices, we'd have to lock the parent too */
+- device_release_driver(dev[i++]);
++ device_release_driver(d);
+
+ if (notifier->unbind)
+ notifier->unbind(notifier, sd, sd->asd);
++
++ /*
++ * Store device at the device cache, in order to call
++ * put_device() on the final step
++ */
++ if (dev)
++ dev[i++] = d;
++ else
++ put_device(d);
+ }
+
+ mutex_unlock(&list_lock);
+
++ /*
++ * Call device_attach() to reprobe devices
++ *
++ * NOTE: If dev allocation fails, i is 0, and the whole loop won't be
++ * executed.
++ */
+ while (i--) {
+ struct device *d = dev[i];
+
+@@ -228,6 +251,7 @@ void v4l2_async_notifier_unregister(stru
+ }
+ put_device(d);
+ }
++ kfree(dev);
+
+ notifier->v4l2_dev = NULL;
+
hid-hid-lg4ff-initialize-device-properties-before-we-touch-autocentering.patch
hid-lg-fix-reportdescriptor-for-logitech-formula-vibration.patch
gpio-pl061-move-irqdomain-initialization.patch
+drm-radeon-vm-don-t-attempt-to-update-ptes-if-ib-allocation-fails.patch
+media-mxl111sf-don-t-use-dynamic-static-allocation.patch
+media-af9035-don-t-use-dynamic-static-allocation.patch
+media-af9015-don-t-use-dynamic-static-allocation.patch
+media-dw2102-don-t-use-dynamic-static-allocation.patch
+media-dibusb-common-don-t-use-dynamic-static-allocation.patch
+media-cxusb-don-t-use-dynamic-static-allocation.patch
+media-av7110_hw-don-t-use-dynamic-static-allocation.patch
+media-cimax2-don-t-use-dynamic-static-allocation.patch
+media-cx18-struct-i2c_client-is-too-big-for-stack.patch
+media-lirc_zilog-don-t-use-dynamic-static-allocation.patch
+media-v4l2-async-don-t-use-dynamic-static-allocation.patch
+media-tuner-xc2028-don-t-use-dynamic-static-allocation.patch
+media-tuners-don-t-use-dynamic-static-allocation.patch
+media-stv090x-don-t-use-dynamic-static-allocation.patch
+media-stv0367-don-t-use-dynamic-static-allocation.patch
+media-stb0899_drv-don-t-use-dynamic-static-allocation.patch
+media-dvb-frontends-don-t-use-dynamic-static-allocation.patch
+media-dvb-frontends-again-don-t-use-dynamic-static-allocation.patch
+media-s5h1420-don-t-use-dynamic-static-allocation.patch
+x.509-remove-certificate-date-checks.patch
--- /dev/null
+From 124df926090b32a998483f6e43ebeccdbe5b5302 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 18 Jun 2013 17:40:44 +0100
+Subject: X.509: Remove certificate date checks
+
+From: David Howells <dhowells@redhat.com>
+
+commit 124df926090b32a998483f6e43ebeccdbe5b5302 upstream.
+
+Remove the certificate date checks that are performed when a certificate is
+parsed. There are two checks: a valid from and a valid to. The first check is
+causing a lot of problems with system clocks that don't keep good time and the
+second places an implicit expiry date upon the kernel when used for module
+signing, so do we really need them?
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: David Woodhouse <dwmw2@infradead.org>
+cc: Rusty Russell <rusty@rustcorp.com.au>
+cc: Josh Boyer <jwboyer@redhat.com>
+cc: Alexander Holler <holler@ahsoftware.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/x509_public_key.c | 38 -------------------------------
+ 1 file changed, 38 deletions(-)
+
+--- a/crypto/asymmetric_keys/x509_public_key.c
++++ b/crypto/asymmetric_keys/x509_public_key.c
+@@ -106,7 +106,6 @@ error_no_sig:
+ static int x509_key_preparse(struct key_preparsed_payload *prep)
+ {
+ struct x509_certificate *cert;
+- struct tm now;
+ size_t srlen, sulen;
+ char *desc = NULL;
+ int ret;
+@@ -137,43 +136,6 @@ static int x509_key_preparse(struct key_
+ goto error_free_cert;
+ }
+
+- time_to_tm(CURRENT_TIME.tv_sec, 0, &now);
+- pr_devel("Now: %04ld-%02d-%02d %02d:%02d:%02d\n",
+- now.tm_year + 1900, now.tm_mon + 1, now.tm_mday,
+- now.tm_hour, now.tm_min, now.tm_sec);
+- if (now.tm_year < cert->valid_from.tm_year ||
+- (now.tm_year == cert->valid_from.tm_year &&
+- (now.tm_mon < cert->valid_from.tm_mon ||
+- (now.tm_mon == cert->valid_from.tm_mon &&
+- (now.tm_mday < cert->valid_from.tm_mday ||
+- (now.tm_mday == cert->valid_from.tm_mday &&
+- (now.tm_hour < cert->valid_from.tm_hour ||
+- (now.tm_hour == cert->valid_from.tm_hour &&
+- (now.tm_min < cert->valid_from.tm_min ||
+- (now.tm_min == cert->valid_from.tm_min &&
+- (now.tm_sec < cert->valid_from.tm_sec
+- ))))))))))) {
+- pr_warn("Cert %s is not yet valid\n", cert->fingerprint);
+- ret = -EKEYREJECTED;
+- goto error_free_cert;
+- }
+- if (now.tm_year > cert->valid_to.tm_year ||
+- (now.tm_year == cert->valid_to.tm_year &&
+- (now.tm_mon > cert->valid_to.tm_mon ||
+- (now.tm_mon == cert->valid_to.tm_mon &&
+- (now.tm_mday > cert->valid_to.tm_mday ||
+- (now.tm_mday == cert->valid_to.tm_mday &&
+- (now.tm_hour > cert->valid_to.tm_hour ||
+- (now.tm_hour == cert->valid_to.tm_hour &&
+- (now.tm_min > cert->valid_to.tm_min ||
+- (now.tm_min == cert->valid_to.tm_min &&
+- (now.tm_sec > cert->valid_to.tm_sec
+- ))))))))))) {
+- pr_warn("Cert %s has expired\n", cert->fingerprint);
+- ret = -EKEYEXPIRED;
+- goto error_free_cert;
+- }
+-
+ cert->pub->algo = x509_public_key_algorithms[cert->pkey_algo];
+ cert->pub->id_type = PKEY_ID_X509;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
