[media] cxusb: Don't use dynamic static allocation

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Dynamic static allocation is evil, as Kernel stack is too low, and
compilation complains about it on some archs:
drivers/media/usb/dvb-usb/cxusb.c:209:1: warning: 'cxusb_i2c_xfer' uses dynamic stack allocation [enabled by default]
drivers/media/usb/dvb-usb/cxusb.c:69:1: warning: 'cxusb_ctrl_msg' uses dynamic stack allocation [enabled by default]
Instead, let's enforce a limit for the buffer to be the max size of
a control URB payload data (64 bytes).

Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>

Mauro Carvalho Chehab 12 years ago 64f7ef8a 24e9a47e

+37 -4

1 changed file

expand all

drivers

media

usb

dvb-usb

cxusb.c

+37 -4

drivers/media/usb/dvb-usb/cxusb.c

··· 43 43 #include "lgs8gxx.h" 44 44 #include "atbm8830.h" 45 45 46 + /* Max transfer size done by I2C transfer functions */ 47 + #define MAX_XFER_SIZE 64 48 + 46 49 /* debug */ 47 50 static int dvb_usb_cxusb_debug; 48 51 module_param_named(debug, dvb_usb_cxusb_debug, int, 0644); ··· 60 57 u8 cmd, u8 *wbuf, int wlen, u8 *rbuf, int rlen) 61 58 { 62 59 int wo = (rbuf == NULL || rlen == 0); /* write-only */ 63 - u8 sndbuf[1+wlen]; 60 + u8 sndbuf[MAX_XFER_SIZE]; 61 + 62 + if (1 + wlen > sizeof(sndbuf)) { 63 + warn("i2c wr: len=%d is too big!\n", 64 + wlen); 65 + return -EOPNOTSUPP; 66 + } 67 + 64 68 memset(sndbuf, 0, 1+wlen); 65 69 66 70 sndbuf[0] = cmd; ··· 168 158 169 159 if (msg[i].flags & I2C_M_RD) { 170 160 /* read only */ 171 - u8 obuf[3], ibuf[1+msg[i].len]; 161 + u8 obuf[3], ibuf[MAX_XFER_SIZE]; 162 + 163 + if (1 + msg[i].len > sizeof(ibuf)) { 164 + warn("i2c rd: len=%d is too big!\n", 165 + msg[i].len); 166 + return -EOPNOTSUPP; 167 + } 172 168 obuf[0] = 0; 173 169 obuf[1] = msg[i].len; 174 170 obuf[2] = msg[i].addr; ··· 188 172 } else if (i+1 < num && (msg[i+1].flags & I2C_M_RD) && 189 173 msg[i].addr == msg[i+1].addr) { 190 174 /* write to then read from same address */ 191 - u8 obuf[3+msg[i].len], ibuf[1+msg[i+1].len]; 175 + u8 obuf[MAX_XFER_SIZE], ibuf[MAX_XFER_SIZE]; 176 + 177 + if (3 + msg[i].len > sizeof(obuf)) { 178 + warn("i2c wr: len=%d is too big!\n", 179 + msg[i].len); 180 + return -EOPNOTSUPP; 181 + } 182 + if (1 + msg[i + 1].len > sizeof(ibuf)) { 183 + warn("i2c rd: len=%d is too big!\n", 184 + msg[i + 1].len); 185 + return -EOPNOTSUPP; 186 + } 192 187 obuf[0] = msg[i].len; 193 188 obuf[1] = msg[i+1].len; 194 189 obuf[2] = msg[i].addr; ··· 218 191 i++; 219 192 } else { 220 193 /* write only */ 221 - u8 obuf[2+msg[i].len], ibuf; 194 + u8 obuf[MAX_XFER_SIZE], ibuf; 195 + 196 + if (2 + msg[i].len > sizeof(obuf)) { 197 + warn("i2c wr: len=%d is too big!\n", 198 + msg[i].len); 199 + return -EOPNOTSUPP; 200 + } 222 201 obuf[0] = msg[i].addr; 223 202 obuf[1] = msg[i].len; 224 203 memcpy(&obuf[2], msg[i].buf, msg[i].len);