Hi,
This patch raises the arbitrary PAGE_SIZE (or PAGE_SIZE - 8) limit on
control messages (using MAX_USBFS_BUFFER_SIZE instead). It also makes
the limit consistent regardless of whether you are using the
USBDEVFS_CONTROL or USBDEVFS_SUBMITURB ioctl. We also switch to using
kmalloc() instead of get_free_page() in proc_control().
Patch was compiled and tested.
Signed-off-by: Gianni Tedesco <gianni at scaramanga dot co dot uk>
--- linux/drivers/usb/core/devio.c~ 2005-03-13 02:12:12.000000000 +0000
+++ linux/drivers/usb/core/devio.c 2005-03-13 02:15:54.000000000 +0000
@@ -561,14 +561,14 @@
return -EFAULT;
if ((ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.wIndex)))
return ret;
- if (ctrl.wLength > PAGE_SIZE)
+ if (ctrl.wLength > MAX_USBFS_BUFFER_SIZE)
return -EINVAL;
- if (!(tbuf = (unsigned char *)__get_free_page(GFP_KERNEL)))
+ if (!(tbuf = kmalloc(ctrl.wLength, GFP_KERNEL)))
return -ENOMEM;
tmo = (ctrl.timeout * HZ + 999) / 1000;
if (ctrl.bRequestType & 0x80) {
if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
ctrl.wLength)) {
- free_page((unsigned long)tbuf);
+ kfree(tbuf);
return -EINVAL;
}
snoop(&dev->dev, "control read: bRequest=%02x
bRrequestType=%02x wValue=%04x wIndex=%04x\n",
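Review bot: `kmalloc(ctrl.wLength, GFP_KERNEL)` returns uninitialised slab memory, and the read path in the next hunk still does `copy_to_user(ctrl.data, tbuf, ctrl.wLength)`, which copies the requested length rather than the number of bytes the device actually returned. If a transfer can complete short (the condition guarding that copy is outside the hunk, so this is inferred), the tail of the buffer is stale kernel heap data handed to userspace; the old page allocation was not zeroed either, but this patch raises the exposed size from PAGE_SIZE to MAX_USBFS_BUFFER_SIZE. I would either clear the buffer after allocating it, `memset(tbuf, 0, ctrl.wLength);`, or copy only the transferred count, `copy_to_user(ctrl.data, tbuf, i)`, assuming `i` holds the usb_control_msg() result as the later `if (i<0 && i != -EPIPE)` test suggests. The body of proc_control() starts and ends outside this hunk.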
@@ -586,14 +586,14 @@
printk("\n");
}
if (copy_to_user(ctrl.data, tbuf, ctrl.wLength)) {
- free_page((unsigned long)tbuf);
+ kfree(tbuf);
return -EFAULT;
}
}
} else {
if (ctrl.wLength) {
if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
- free_page((unsigned long)tbuf);
+ kfree(tbuf);
return -EFAULT;
}
}
@@ -610,7 +610,7 @@
ctrl.wValue, ctrl.wIndex, tbuf,
ctrl.wLength, tmo);
usb_lock_device(dev);
}
- free_page((unsigned long)tbuf);
+ kfree(tbuf);
if (i<0 && i != -EPIPE) {
dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
"failed cmd %s rqt %u rq %u len %u ret %d\n",
@@ -852,8 +852,8 @@
if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK)
!= USB_ENDPOINT_XFER_CONTROL)
return -EINVAL;
- /* min 8 byte setup packet, max arbitrary */
- if (uurb.buffer_length < 8 || uurb.buffer_length > PAGE_SIZE)
+ /* min 8 byte setup packet */
+ if (uurb.buffer_length < 8 || uurb.buffer_length >
(MAX_USBFS_BUFFER_SIZE + 8))
return -EINVAL;
if (!(dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL)))
return -ENOMEM;
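Review bot: The `+ 8` in the new upper bound is unexplained now that the comment has lost its "max" half; it appears to be the setup packet that precedes the data, the same 8 bytes as the lower bound. I would keep the bound documented, e.g. `/* min 8 byte setup packet, max setup packet plus MAX_USBFS_BUFFER_SIZE of data */`, and consider spelling the constant as `sizeof(struct usb_ctrlrequest)`, which the allocation two lines below already uses, so the two stay tied together. buffer_length presumably comes from the user-supplied urb, so this check is what caps any allocation sized from it later in the function, which continues outside this hunk.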
--
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/scaramanga.asc | gpg --import