HID: battery: don't do DMA from stack
authorJiri Kosina <jkosina@suse.cz>
Mon, 2 Sep 2013 11:43:00 +0000 (13:43 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Sep 2013 00:18:16 +0000 (17:18 -0700)
commit 6c2794a2984f4c17a58117a68703cc7640f01c5a upstream.

Instead of using data from stack for DMA in hidinput_get_battery_property(),
allocate the buffer dynamically.

Reported-by: Richard Ryniker <ryniker@alum.mit.edu>
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/hid/hid-input.c

index 945b8158ec4c7f556d6c9db8753762ac958276c1..ac5e93528dfaec1ab8a5193de65dd59ae5f9e357 100644 (file)
@@ -340,7 +340,7 @@ static int hidinput_get_battery_property(struct power_supply *psy,
 {
        struct hid_device *dev = container_of(psy, struct hid_device, battery);
        int ret = 0;
-       __u8 buf[2] = {};
+       __u8 *buf;
 
        switch (prop) {
        case POWER_SUPPLY_PROP_PRESENT:
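Review bot: The new `__u8 *buf;` declaration gives no hint of why a two-byte buffer lives on the heap, so a later cleanup could turn it back into a stack array. A short comment at the declaration would record the constraint stated in the commit message, for example `/* heap-allocated: the raw-report transfer may DMA into it, so it must not be on the stack */`. The pointer is also left unassigned on every path except the capacity case, so any future use outside that case would need its own allocation. The function body continues outside this hunk.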
@@ -349,13 +349,20 @@ static int hidinput_get_battery_property(struct power_supply *psy,
                break;
 
        case POWER_SUPPLY_PROP_CAPACITY:
+
+               buf = kmalloc(2 * sizeof(__u8), GFP_KERNEL);
+               if (!buf) {
+                       ret = -ENOMEM;
+                       break;
+               }
                ret = dev->hid_get_raw_report(dev, dev->battery_report_id,
-                                             buf, sizeof(buf),
+                                             buf, 2,
                                              dev->battery_report_type);
 
                if (ret != 2) {
                        if (ret >= 0)
                                ret = -EINVAL;
+                       kfree(buf);
                        break;
                }
 
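Review bot: The buffer returned by `kmalloc()` in the POWER_SUPPLY_PROP_CAPACITY case is not zeroed, whereas the stack array it replaces was initialised with `= {}`. If a transport's `hid_get_raw_report` implementation ever returned 2 without writing both bytes (not something visible from these hunks), the later read of `buf[1]` would use stale heap contents. `buf = kzalloc(2, GFP_KERNEL);` keeps the old guarantee at negligible cost and also drops the `2 * sizeof(__u8)` spelling. The switch case continues outside this hunk.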
@@ -364,6 +371,7 @@ static int hidinput_get_battery_property(struct power_supply *psy,
                    buf[1] <= dev->battery_max)
                        val->intval = (100 * (buf[1] - dev->battery_min)) /
                                (dev->battery_max - dev->battery_min);
+               kfree(buf);
                break;
 
        case POWER_SUPPLY_PROP_MODEL_NAME: