[linux-usb-devel] [PATCH] Eliminate usb dma to stack addresses

[Dale Farnsworth]

This patch fixes a couple of places where addresses of variables on
the stack were being used a targets of USB DMA.  Stack corruption has
been observed on a PPC 4xx system without this patch.

Please apply.

Signed-off-by: Dale Farnsworth <[EMAIL PROTECTED]>

diff -Nru a/drivers/usb/class/audio.c b/drivers/usb/class/audio.c
--- a/drivers/usb/class/audio.c 2004-08-12 11:21:18 -07:00
+++ b/drivers/usb/class/audio.c 2004-08-12 11:21:18 -07:00
@@ -3122,12 +3122,18 @@
 {
        struct usb_device *dev = state->s->usbdev;
        struct mixerchannel *ch;
-       unsigned char buf[2];
+       unsigned char *buf;
        __s16 v1;
        unsigned int v2, v3;
 
        if (!state->nrmixch || state->nrmixch > SOUND_MIXER_NRDEVICES)
                return;
+       buf = kmalloc(sizeof(*buf) * 2, GFP_KERNEL);
+       if (!buf) {
+               printk(KERN_ERR "prepmixch: out of memory\n") ;
+               return;
+       }
+
        ch = &state->mixch[state->nrmixch-1];
        switch (ch->selector) {
        case 0:  /* mixer unit request */
@@ -3239,13 +3245,16 @@
        default:
                goto err;
        }
-       return;
 
+ freebuf:
+       kfree(buf);
+       return;
  err:
        printk(KERN_ERR "usbaudio: mixer request device %u if %u unit %u ch %u 
selector %u failed\n", 
               dev->devnum, state->ctrlif, ch->unitid, ch->chnum, ch->selector);
        if (state->nrmixch)
                state->nrmixch--;
+       goto freebuf;
 }
 
 
diff -Nru a/drivers/usb/core/message.c b/drivers/usb/core/message.c
--- a/drivers/usb/core/message.c        2004-08-12 11:21:18 -07:00
+++ b/drivers/usb/core/message.c        2004-08-12 11:21:18 -07:00
@@ -797,9 +797,19 @@
  */
 int usb_get_status(struct usb_device *dev, int type, int target, void *data)
 {
-       return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
-               USB_REQ_GET_STATUS, USB_DIR_IN | type, 0, target, data, 2,
-               HZ * USB_CTRL_GET_TIMEOUT);
+       int ret;
+       u16 *status = kmalloc(sizeof(*status), GFP_KERNEL);
+
+       if (!status)
+               return -ENOMEM;
+
+       ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+               USB_REQ_GET_STATUS, USB_DIR_IN | type, 0, target, status,
+               sizeof(*status), HZ * USB_CTRL_GET_TIMEOUT);
+
+       *(u16 *)data = *status;
+       kfree(status);
+       return ret;
 }
 
 /**


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
[EMAIL PROTECTED]
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel