From: Ian Abbott Date: Fri, 22 Feb 2013 10:16:58 +0000 (+0000) Subject: usbdux*: fix DMA buffers on stack X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=eb5a78af97c3e9f3e56b20d0bd16bf6f2588f10f;p=comedi.git usbdux*: fix DMA buffers on stack Fix instances of DMA buffer on stack being passed to usb_control_msg() for the usbdux, usbduxfast and usbduxsigma drivers. Spotted by Kumar Amit Mehta in the "staging" sources. Signed-off-by: Ian Abbott --- diff --git a/comedi/drivers/usbdux.c b/comedi/drivers/usbdux.c index cd7a6aa7..bdcfa9cf 100644 --- a/comedi/drivers/usbdux.c +++ b/comedi/drivers/usbdux.c @@ -814,7 +814,11 @@ static void usbduxsub_ao_IsocIrq(struct urb *urb PT_REGS_ARG) static int usbduxsub_start(usbduxsub_t * usbduxsub) { int errcode = 0; - uint8_t local_transfer_buffer[16]; + uint8_t *local_transfer_buffer; + + local_transfer_buffer = kmalloc(16, GFP_KERNEL); + if (!local_transfer_buffer) + return -ENOMEM; // 7f92 to zero local_transfer_buffer[0] = 0; @@ -835,18 +839,21 @@ static int usbduxsub_start(usbduxsub_t * usbduxsub) 1, // Timeout BULK_TIMEOUT); - if (errcode < 0) { + if (errcode < 0) printk("comedi_: usbdux_: control msg failed (start)\n"); - return errcode; - } - return 0; + + kfree(local_transfer_buffer); + return errcode; } static int usbduxsub_stop(usbduxsub_t * usbduxsub) { int errcode = 0; + uint8_t *local_transfer_buffer; - uint8_t local_transfer_buffer[16]; + local_transfer_buffer = kmalloc(16, GFP_KERNEL); + if (!local_transfer_buffer) + return -ENOMEM; // 7f92 to one local_transfer_buffer[0] = 1; @@ -865,11 +872,11 @@ static int usbduxsub_stop(usbduxsub_t * usbduxsub) 1, // Timeout BULK_TIMEOUT); - if (errcode < 0) { + if (errcode < 0) printk("comedi_: usbdux: control msg failed (stop)\n"); - return errcode; - } - return 0; + + kfree(local_transfer_buffer); + return errcode; } static int usbduxsub_upload(usbduxsub_t * usbduxsub, diff --git a/comedi/drivers/usbduxfast.c b/comedi/drivers/usbduxfast.c index d8380620..5586b7ad 100644 
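Review bot: The new `kmalloc(16, GFP_KERNEL)` in usbduxsub_start leaves the buffer uninitialised and carries over the bare size 16 from the old stack array, while the visible lines write only `local_transfer_buffer[0]`. The transfer length appears to be 1 in the next hunk's context, but if it is ever raised, stale kernel heap bytes would be sent to the device; `local_transfer_buffer = kzalloc(16, GFP_KERNEL);` rules that out at negligible cost. A short comment such as `// heap buffer: control message data must be DMA-able, never on the stack` would keep a later cleanup from reverting to a stack array. The same allocation is added in usbduxsub_stop and in the start/stop functions of usbduxfast.c and usbduxsigma.c; the function bodies continue outside this hunk.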
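Review bot: usbduxsub_start now ends with `return errcode;` on the success path too, where it used to `return 0;`. If USB_CONTROL_MSG wraps usb_control_msg(), a successful call returns the number of bytes transferred, so any caller that tests the result with `if (ret)` rather than `if (ret < 0)` would now treat success as failure; the callers are outside this diff, so this needs checking. Keeping the old contract is a one-line change: `return errcode < 0 ? errcode : 0;`. The same applies to usbduxsub_stop in the next hunk and to the start/stop pairs in usbduxfast.c and usbduxsigma.c.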
--- a/comedi/drivers/usbduxfast.c +++ b/comedi/drivers/usbduxfast.c @@ -452,7 +452,11 @@ static void usbduxfastsub_ai_Irq(struct urb *urb PT_REGS_ARG) static int usbduxfastsub_start(usbduxfastsub_t * usbduxfastsub) { int errcode = 0; - unsigned char local_transfer_buffer[16]; + unsigned char *local_transfer_buffer; + + local_transfer_buffer = kmalloc(16, GFP_KERNEL); + if (!local_transfer_buffer) + return -ENOMEM; // 7f92 to zero local_transfer_buffer[0] = 0; @@ -473,18 +477,22 @@ static int usbduxfastsub_start(usbduxfastsub_t * usbduxfastsub) 1, // Timeout BULK_TIMEOUT); - if (errcode < 0) { + if (errcode < 0) printk("comedi_: usbduxfast_: control msg failed (start)\n"); - return errcode; - } - return 0; + + kfree(local_transfer_buffer); + return errcode; } static int usbduxfastsub_stop(usbduxfastsub_t * usbduxfastsub) { int errcode = 0; + unsigned char *local_transfer_buffer; + + local_transfer_buffer = kmalloc(16, GFP_KERNEL); + if (!local_transfer_buffer) + return -ENOMEM; - unsigned char local_transfer_buffer[16]; // 7f92 to one local_transfer_buffer[0] = 1; errcode = USB_CONTROL_MSG @@ -502,11 +510,11 @@ static int usbduxfastsub_stop(usbduxfastsub_t * usbduxfastsub) 1, // Timeout BULK_TIMEOUT); - if (errcode < 0) { + if (errcode < 0) printk("comedi_: usbduxfast: control msg failed (stop)\n"); - return errcode; - } - return 0; + + kfree(local_transfer_buffer); + return errcode; } static int usbduxfastsub_upload(usbduxfastsub_t * usbduxfastsub, diff --git a/comedi/drivers/usbduxsigma.c b/comedi/drivers/usbduxsigma.c index 8242713a..dfdd595d 100644 --- a/comedi/drivers/usbduxsigma.c +++ b/comedi/drivers/usbduxsigma.c 
@@ -733,7 +733,11 @@ static void usbduxsub_ao_IsocIrq(struct urb *urb) static int usbduxsub_start(struct usbduxsub *usbduxsub) { int errcode = 0; - uint8_t local_transfer_buffer[16]; + uint8_t *local_transfer_buffer; + + local_transfer_buffer = kmalloc(16, GFP_KERNEL); + if (!local_transfer_buffer) + return -ENOMEM; /* 7f92 to zero */ local_transfer_buffer[0] = 0; @@ -754,19 +758,22 @@ static int usbduxsub_start(struct usbduxsub *usbduxsub) 1, /* Timeout */ BULK_TIMEOUT); - if (errcode < 0) { + if (errcode < 0) dev_err(&usbduxsub->interface->dev, "comedi_: control msg failed (start)\n"); - return errcode; - } - return 0; + + kfree(local_transfer_buffer); + return errcode; } static int usbduxsub_stop(struct usbduxsub *usbduxsub) { int errcode = 0; + uint8_t *local_transfer_buffer; - uint8_t local_transfer_buffer[16]; + local_transfer_buffer = kmalloc(16, GFP_KERNEL); + if (!local_transfer_buffer) + return -ENOMEM; /* 7f92 to one */ local_transfer_buffer[0] = 1; @@ -784,12 +791,12 @@ static int usbduxsub_stop(struct usbduxsub *usbduxsub) 1, /* Timeout */ BULK_TIMEOUT); - if (errcode < 0) { + if (errcode < 0) dev_err(&usbduxsub->interface->dev, "comedi_: control msg failed (stop)\n"); - return errcode; - } - return 0; + + kfree(local_transfer_buffer); + return errcode; } static int usbduxsub_upload(struct usbduxsub *usbduxsub,