can: gs_usb: Don't use stack memory for USB transfers
authorEthan Zonca <e@ethanzonca.com>
Fri, 24 Feb 2017 16:27:36 +0000 (11:27 -0500)
committerMarc Kleine-Budde <mkl@pengutronix.de>
Fri, 3 Mar 2017 12:00:07 +0000 (13:00 +0100)
Fixes: 05ca5270005c can: gs_usb: add ethtool set_phys_id callback to locate physical device

The gs_usb driver is performing USB transfers using buffers allocated on
the stack. This causes the driver to not function with vmapped stacks.
Instead, allocate memory for the transfer buffers.

Signed-off-by: Ethan Zonca <e@ethanzonca.com>
Cc: linux-stable <stable@vger.kernel.org> # >= v4.8
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
drivers/net/can/usb/gs_usb.c

index 77e3cc06a30c8cb970b6afef41352a15716c9331..a0dabd4038ba350c6b26f2a53834cb342c17da46 100644 (file)
@@ -908,10 +908,14 @@ static int gs_usb_probe(struct usb_interface *intf,
        struct gs_usb *dev;
        int rc = -ENOMEM;
        unsigned int icount, i;
-       struct gs_host_config hconf = {
-               .byte_order = 0x0000beef,
-       };
-       struct gs_device_config dconf;
+       struct gs_host_config *hconf;
+       struct gs_device_config *dconf;
+
+       hconf = kmalloc(sizeof(*hconf), GFP_KERNEL);
+       if (!hconf)
+               return -ENOMEM;
+
+       hconf->byte_order = 0x0000beef;
 
        /* send host config */
        rc = usb_control_msg(interface_to_usbdev(intf),
@@ -920,16 +924,22 @@ static int gs_usb_probe(struct usb_interface *intf,
                             USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
                             1,
                             intf->altsetting[0].desc.bInterfaceNumber,
-                            &hconf,
-                            sizeof(hconf),
+                            hconf,
+                            sizeof(*hconf),
                             1000);
 
+       kfree(hconf);
+
        if (rc < 0) {
                dev_err(&intf->dev, "Couldn't send data format (err=%d)\n",
                        rc);
                return rc;
        }
 
+       dconf = kmalloc(sizeof(*dconf), GFP_KERNEL);
+       if (!dconf)
+               return -ENOMEM;
+
        /* read device config */
        rc = usb_control_msg(interface_to_usbdev(intf),
                             usb_rcvctrlpipe(interface_to_usbdev(intf), 0),
@@ -937,28 +947,33 @@ static int gs_usb_probe(struct usb_interface *intf,
                             USB_DIR_IN|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
                             1,
                             intf->altsetting[0].desc.bInterfaceNumber,
-                            &dconf,
-                            sizeof(dconf),
+                            dconf,
+                            sizeof(*dconf),
                             1000);
        if (rc < 0) {
                dev_err(&intf->dev, "Couldn't get device config: (err=%d)\n",
                        rc);
+               kfree(dconf);
                return rc;
        }
 
-       icount = dconf.icount + 1;
+       icount = dconf->icount + 1;
        dev_info(&intf->dev, "Configuring for %d interfaces\n", icount);
 
        if (icount > GS_MAX_INTF) {
                dev_err(&intf->dev,
                        "Driver cannot handle more that %d CAN interfaces\n",
                        GS_MAX_INTF);
+               kfree(dconf);
                return -EINVAL;
        }
 
        dev = kzalloc(sizeof(*dev), GFP_KERNEL);
-       if (!dev)
+       if (!dev) {
+               kfree(dconf);
                return -ENOMEM;
+       }
+
        init_usb_anchor(&dev->rx_submitted);
 
        atomic_set(&dev->active_channels, 0);
@@ -967,7 +982,7 @@ static int gs_usb_probe(struct usb_interface *intf,
        dev->udev = interface_to_usbdev(intf);
 
        for (i = 0; i < icount; i++) {
-               dev->canch[i] = gs_make_candev(i, intf, &dconf);
+               dev->canch[i] = gs_make_candev(i, intf, dconf);
                if (IS_ERR_OR_NULL(dev->canch[i])) {
                        /* save error code to return later */
                        rc = PTR_ERR(dev->canch[i]);
@@ -978,12 +993,15 @@ static int gs_usb_probe(struct usb_interface *intf,
                                gs_destroy_candev(dev->canch[i]);
 
                        usb_kill_anchored_urbs(&dev->rx_submitted);
+                       kfree(dconf);
                        kfree(dev);
                        return rc;
                }
                dev->canch[i]->parent = dev;
        }
 
+       kfree(dconf);
+
        return 0;
 }