Commit 3484d37a authored by Antti Palosaari's avatar Antti Palosaari Committed by Mauro Carvalho Chehab

[media] af9035: do not use buffers from stack for usb_bulk_msg()

Signed-off-by: default avatarAntti Palosaari <crope@iki.fi>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
parent aff8c2d4
...@@ -41,43 +41,45 @@ static u16 af9035_checksum(const u8 *buf, size_t len) ...@@ -41,43 +41,45 @@ static u16 af9035_checksum(const u8 *buf, size_t len)
static int af9035_ctrl_msg(struct dvb_usb_device *d, struct usb_req *req) static int af9035_ctrl_msg(struct dvb_usb_device *d, struct usb_req *req)
{ {
#define BUF_LEN 64
#define REQ_HDR_LEN 4 /* send header size */ #define REQ_HDR_LEN 4 /* send header size */
#define ACK_HDR_LEN 3 /* rece header size */ #define ACK_HDR_LEN 3 /* rece header size */
#define CHECKSUM_LEN 2 #define CHECKSUM_LEN 2
#define USB_TIMEOUT 2000 #define USB_TIMEOUT 2000
struct state *state = d_to_priv(d); struct state *state = d_to_priv(d);
int ret, wlen, rlen; int ret, wlen, rlen;
u8 buf[BUF_LEN];
u16 checksum, tmp_checksum; u16 checksum, tmp_checksum;
mutex_lock(&d->usb_mutex);
/* buffer overflow check */ /* buffer overflow check */
if (req->wlen > (BUF_LEN - REQ_HDR_LEN - CHECKSUM_LEN) || if (req->wlen > (BUF_LEN - REQ_HDR_LEN - CHECKSUM_LEN) ||
req->rlen > (BUF_LEN - ACK_HDR_LEN - CHECKSUM_LEN)) { req->rlen > (BUF_LEN - ACK_HDR_LEN - CHECKSUM_LEN)) {
dev_err(&d->udev->dev, "%s: too much data wlen=%d rlen=%d\n", dev_err(&d->udev->dev, "%s: too much data wlen=%d rlen=%d\n",
__func__, req->wlen, req->rlen); __func__, req->wlen, req->rlen);
return -EINVAL; ret = -EINVAL;
goto err;
} }
buf[0] = REQ_HDR_LEN + req->wlen + CHECKSUM_LEN - 1; state->buf[0] = REQ_HDR_LEN + req->wlen + CHECKSUM_LEN - 1;
buf[1] = req->mbox; state->buf[1] = req->mbox;
buf[2] = req->cmd; state->buf[2] = req->cmd;
buf[3] = state->seq++; state->buf[3] = state->seq++;
memcpy(&buf[REQ_HDR_LEN], req->wbuf, req->wlen); memcpy(&state->buf[REQ_HDR_LEN], req->wbuf, req->wlen);
wlen = REQ_HDR_LEN + req->wlen + CHECKSUM_LEN; wlen = REQ_HDR_LEN + req->wlen + CHECKSUM_LEN;
rlen = ACK_HDR_LEN + req->rlen + CHECKSUM_LEN; rlen = ACK_HDR_LEN + req->rlen + CHECKSUM_LEN;
/* calc and add checksum */ /* calc and add checksum */
checksum = af9035_checksum(buf, buf[0] - 1); checksum = af9035_checksum(state->buf, state->buf[0] - 1);
buf[buf[0] - 1] = (checksum >> 8); state->buf[state->buf[0] - 1] = (checksum >> 8);
buf[buf[0] - 0] = (checksum & 0xff); state->buf[state->buf[0] - 0] = (checksum & 0xff);
/* no ack for these packets */ /* no ack for these packets */
if (req->cmd == CMD_FW_DL) if (req->cmd == CMD_FW_DL)
rlen = 0; rlen = 0;
ret = dvb_usbv2_generic_rw(d, buf, wlen, buf, rlen); ret = dvb_usbv2_generic_rw_locked(d,
state->buf, wlen, state->buf, rlen);
if (ret) if (ret)
goto err; goto err;
...@@ -86,8 +88,8 @@ static int af9035_ctrl_msg(struct dvb_usb_device *d, struct usb_req *req) ...@@ -86,8 +88,8 @@ static int af9035_ctrl_msg(struct dvb_usb_device *d, struct usb_req *req)
goto exit; goto exit;
/* verify checksum */ /* verify checksum */
checksum = af9035_checksum(buf, rlen - 2); checksum = af9035_checksum(state->buf, rlen - 2);
tmp_checksum = (buf[rlen - 2] << 8) | buf[rlen - 1]; tmp_checksum = (state->buf[rlen - 2] << 8) | state->buf[rlen - 1];
if (tmp_checksum != checksum) { if (tmp_checksum != checksum) {
dev_err(&d->udev->dev, "%s: command=%02x checksum mismatch " \ dev_err(&d->udev->dev, "%s: command=%02x checksum mismatch " \
"(%04x != %04x)\n", KBUILD_MODNAME, req->cmd, "(%04x != %04x)\n", KBUILD_MODNAME, req->cmd,
...@@ -97,23 +99,21 @@ static int af9035_ctrl_msg(struct dvb_usb_device *d, struct usb_req *req) ...@@ -97,23 +99,21 @@ static int af9035_ctrl_msg(struct dvb_usb_device *d, struct usb_req *req)
} }
/* check status */ /* check status */
if (buf[2]) { if (state->buf[2]) {
dev_dbg(&d->udev->dev, "%s: command=%02x failed fw error=%d\n", dev_dbg(&d->udev->dev, "%s: command=%02x failed fw error=%d\n",
__func__, req->cmd, buf[2]); __func__, req->cmd, state->buf[2]);
ret = -EIO; ret = -EIO;
goto err; goto err;
} }
/* read request, copy returned data to return buf */ /* read request, copy returned data to return buf */
if (req->rlen) if (req->rlen)
memcpy(req->rbuf, &buf[ACK_HDR_LEN], req->rlen); memcpy(req->rbuf, &state->buf[ACK_HDR_LEN], req->rlen);
exit: exit:
return 0;
err: err:
dev_dbg(&d->udev->dev, "%s: failed=%d\n", __func__, ret); mutex_unlock(&d->usb_mutex);
if (ret)
dev_dbg(&d->udev->dev, "%s: failed=%d\n", __func__, ret);
return ret; return ret;
} }
......
...@@ -52,6 +52,8 @@ struct usb_req { ...@@ -52,6 +52,8 @@ struct usb_req {
}; };
struct state { struct state {
#define BUF_LEN 64
u8 buf[BUF_LEN];
u8 seq; /* packet sequence number */ u8 seq; /* packet sequence number */
bool dual_mode; bool dual_mode;
struct af9033_config af9033_config[2]; struct af9033_config af9033_config[2];
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment