summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPeter Korsgaard <jacmet@sunsite.dk>2008-07-14 09:07:32 +0200
committerJeff Garzik <jgarzik@redhat.com>2008-07-30 10:43:49 +0200
commit16d78bc255a55d16c0888dde336978d633e80b01 (patch)
tree377b96ddf4439e2f3d775124c22576125ca5c4e3
parentS2io: fix statistics flush after a MTU change (diff)
downloadlinux-16d78bc255a55d16c0888dde336978d633e80b01.tar.xz
linux-16d78bc255a55d16c0888dde336978d633e80b01.zip
dm9601: don't do usb transfers of data on stack
dm_{read,write}() were doing USB transfers of data on stack, which isn't allowed. Fix it by kmalloc'ing a temporary buffer. Clean up the error handling for short transfers while we're at it. Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> Acked-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-rw-r--r--drivers/net/usb/dm9601.c52
1 files changed, 42 insertions, 10 deletions
diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
index f7319d326912..78df2be8a728 100644
--- a/drivers/net/usb/dm9601.c
+++ b/drivers/net/usb/dm9601.c
@@ -55,12 +55,28 @@
static int dm_read(struct usbnet *dev, u8 reg, u16 length, void *data)
{
+ void *buf;
+ int err = -ENOMEM;
+
devdbg(dev, "dm_read() reg=0x%02x length=%d", reg, length);
- return usb_control_msg(dev->udev,
- usb_rcvctrlpipe(dev->udev, 0),
- DM_READ_REGS,
- USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
- 0, reg, data, length, USB_CTRL_SET_TIMEOUT);
+
+ buf = kmalloc(length, GFP_KERNEL);
+ if (!buf)
+ goto out;
+
+ err = usb_control_msg(dev->udev,
+ usb_rcvctrlpipe(dev->udev, 0),
+ DM_READ_REGS,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0, reg, buf, length, USB_CTRL_SET_TIMEOUT);
+ if (err == length)
+ memcpy(data, buf, length);
+ else if (err >= 0)
+ err = -EINVAL;
+ kfree(buf);
+
+ out:
+ return err;
}
static int dm_read_reg(struct usbnet *dev, u8 reg, u8 *value)
@@ -70,12 +86,28 @@ static int dm_read_reg(struct usbnet *dev, u8 reg, u8 *value)
static int dm_write(struct usbnet *dev, u8 reg, u16 length, void *data)
{
+ void *buf = NULL;
+ int err = -ENOMEM;
+
devdbg(dev, "dm_write() reg=0x%02x, length=%d", reg, length);
- return usb_control_msg(dev->udev,
- usb_sndctrlpipe(dev->udev, 0),
- DM_WRITE_REGS,
- USB_DIR_OUT | USB_TYPE_VENDOR |USB_RECIP_DEVICE,
- 0, reg, data, length, USB_CTRL_SET_TIMEOUT);
+
+ if (data) {
+ buf = kmalloc(length, GFP_KERNEL);
+ if (!buf)
+ goto out;
+ memcpy(buf, data, length);
+ }
+
+ err = usb_control_msg(dev->udev,
+ usb_sndctrlpipe(dev->udev, 0),
+ DM_WRITE_REGS,
+ USB_DIR_OUT | USB_TYPE_VENDOR |USB_RECIP_DEVICE,
+ 0, reg, buf, length, USB_CTRL_SET_TIMEOUT);
+ kfree(buf);
+ if (err >= 0 && err < length)
+ err = -EINVAL;
+ out:
+ return err;
}
static int dm_write_reg(struct usbnet *dev, u8 reg, u8 value)