3.16.62-rc1 review patch. If anyone has any objections, please let me know.
------------------ From: Akihiro Tsukada <[email protected]> commit 86f65c218123c4e36fd855fbbc38147ffaf29974 upstream. i2c message buf might be on stack. Signed-off-by: Akihiro Tsukada <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <[email protected]> --- drivers/media/usb/dvb-usb-v2/gl861.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) --- a/drivers/media/usb/dvb-usb-v2/gl861.c +++ b/drivers/media/usb/dvb-usb-v2/gl861.c @@ -20,6 +20,8 @@ static int gl861_i2c_msg(struct dvb_usb_ u16 value = addr << (8 + 1); int wo = (rbuf == NULL || rlen == 0); /* write-only */ u8 req, type; + u8 *buf; + int ret; if (wo) { req = GL861_REQ_I2C_WRITE; @@ -42,11 +44,23 @@ static int gl861_i2c_msg(struct dvb_usb_ KBUILD_MODNAME, wlen); return -EINVAL; } - + buf = NULL; + if (rlen > 0) { + buf = kmalloc(rlen, GFP_KERNEL); + if (!buf) + return -ENOMEM; + } msleep(1); /* avoid I2C errors */ - return usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), req, type, - value, index, rbuf, rlen, 2000); + ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), req, type, + value, index, buf, rlen, 2000); + if (rlen > 0) { + if (ret > 0) + memcpy(rbuf, buf, rlen); + kfree(buf); + } + + return ret; } /* I2C */
