synclink fix ldisc buffer argument · tjh.dev/kernel@a6b68a6

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

synclink fix ldisc buffer argument

Fix call to line discipline receive_buf by synclink drivers.
Dummy flag buffer argument is ignored by N_HDLC line discipline but might
be of insufficient size if accessed by a different line discipline
selected by mistake. flag buffer allocation now matches max size of data
buffer. Unused char_buf buffers are removed.

Signed-off-by: Paul Fulghum <paulkf@microgate.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Paul Fulghum and committed by

Greg Kroah-Hartman 13 years ago a6b68a69 55c7c0fd

+47 -8

4 changed files

expand all

drivers

char

pcmcia

synclink_cs.c

tty

synclink.c

synclink_gt.c

synclinkmp.c

+11 -1

drivers/char/pcmcia/synclink_cs.c

··· 210 210 char testing_irq; 211 211 unsigned int init_error; /* startup error (DIAGS) */ 212 212 213 - char flag_buf[MAX_ASYNC_BUFFER_SIZE]; 213 + char *flag_buf; 214 214 bool drop_rts_on_tx_done; 215 215 216 216 struct _input_signal_events input_signal_events; ··· 2674 2674 if (info->rx_buf == NULL) 2675 2675 return -ENOMEM; 2676 2676 2677 + /* unused flag buffer to satisfy receive_buf calling interface */ 2678 + info->flag_buf = kzalloc(info->max_frame_size, GFP_KERNEL); 2679 + if (!info->flag_buf) { 2680 + kfree(info->rx_buf); 2681 + info->rx_buf = NULL; 2682 + return -ENOMEM; 2683 + } 2684 + 2677 2685 rx_reset_buffers(info); 2678 2686 return 0; 2679 2687 } ··· 2690 2682 { 2691 2683 kfree(info->rx_buf); 2692 2684 info->rx_buf = NULL; 2685 + kfree(info->flag_buf); 2686 + info->flag_buf = NULL; 2693 2687 } 2694 2688 2695 2689 static int claim_resources(MGSLPC_INFO *info)

+10 -3

drivers/tty/synclink.c

··· 291 291 bool lcr_mem_requested; 292 292 293 293 u32 misc_ctrl_value; 294 - char flag_buf[MAX_ASYNC_BUFFER_SIZE]; 295 - char char_buf[MAX_ASYNC_BUFFER_SIZE]; 294 + char *flag_buf; 296 295 bool drop_rts_on_tx_done; 297 296 298 297 bool loopmode_insert_requested; ··· 3897 3898 info->intermediate_rxbuffer = kmalloc(info->max_frame_size, GFP_KERNEL | GFP_DMA); 3898 3899 if ( info->intermediate_rxbuffer == NULL ) 3899 3900 return -ENOMEM; 3900 - 3901 + /* unused flag buffer to satisfy receive_buf calling interface */ 3902 + info->flag_buf = kzalloc(info->max_frame_size, GFP_KERNEL); 3903 + if (!info->flag_buf) { 3904 + kfree(info->intermediate_rxbuffer); 3905 + info->intermediate_rxbuffer = NULL; 3906 + return -ENOMEM; 3907 + } 3901 3908 return 0; 3902 3909 3903 3910 } /* end of mgsl_alloc_intermediate_rxbuffer_memory() */ ··· 3922 3917 { 3923 3918 kfree(info->intermediate_rxbuffer); 3924 3919 info->intermediate_rxbuffer = NULL; 3920 + kfree(info->flag_buf); 3921 + info->flag_buf = NULL; 3925 3922 3926 3923 } /* end of mgsl_free_intermediate_rxbuffer_memory() */ 3927 3924

+16 -2

drivers/tty/synclink_gt.c

··· 317 317 unsigned char *tx_buf; 318 318 int tx_count; 319 319 320 - char flag_buf[MAX_ASYNC_BUFFER_SIZE]; 321 - char char_buf[MAX_ASYNC_BUFFER_SIZE]; 320 + char *flag_buf; 322 321 bool drop_rts_on_tx_done; 323 322 struct _input_signal_events input_signal_events; 324 323 ··· 3354 3355 return retval; 3355 3356 } 3356 3357 3358 + /* 3359 + * allocate buffers used for calling line discipline receive_buf 3360 + * directly in synchronous mode 3361 + * note: add 5 bytes to max frame size to allow appending 3362 + * 32-bit CRC and status byte when configured to do so 3363 + */ 3357 3364 static int alloc_tmp_rbuf(struct slgt_info *info) 3358 3365 { 3359 3366 info->tmp_rbuf = kmalloc(info->max_frame_size + 5, GFP_KERNEL); 3360 3367 if (info->tmp_rbuf == NULL) 3361 3368 return -ENOMEM; 3369 + /* unused flag buffer to satisfy receive_buf calling interface */ 3370 + info->flag_buf = kzalloc(info->max_frame_size + 5, GFP_KERNEL); 3371 + if (!info->flag_buf) { 3372 + kfree(info->tmp_rbuf); 3373 + info->tmp_rbuf = NULL; 3374 + return -ENOMEM; 3375 + } 3362 3376 return 0; 3363 3377 } 3364 3378 ··· 3379 3367 { 3380 3368 kfree(info->tmp_rbuf); 3381 3369 info->tmp_rbuf = NULL; 3370 + kfree(info->flag_buf); 3371 + info->flag_buf = NULL; 3382 3372 } 3383 3373 3384 3374 /*

+10 -2

drivers/tty/synclinkmp.c

··· 262 262 bool sca_statctrl_requested; 263 263 264 264 u32 misc_ctrl_value; 265 - char flag_buf[MAX_ASYNC_BUFFER_SIZE]; 266 - char char_buf[MAX_ASYNC_BUFFER_SIZE]; 265 + char *flag_buf; 267 266 bool drop_rts_on_tx_done; 268 267 269 268 struct _input_signal_events input_signal_events; ··· 3552 3553 info->tmp_rx_buf = kmalloc(info->max_frame_size, GFP_KERNEL); 3553 3554 if (info->tmp_rx_buf == NULL) 3554 3555 return -ENOMEM; 3556 + /* unused flag buffer to satisfy receive_buf calling interface */ 3557 + info->flag_buf = kzalloc(info->max_frame_size, GFP_KERNEL); 3558 + if (!info->flag_buf) { 3559 + kfree(info->tmp_rx_buf); 3560 + info->tmp_rx_buf = NULL; 3561 + return -ENOMEM; 3562 + } 3555 3563 return 0; 3556 3564 } 3557 3565 ··· 3566 3560 { 3567 3561 kfree(info->tmp_rx_buf); 3568 3562 info->tmp_rx_buf = NULL; 3563 + kfree(info->flag_buf); 3564 + info->flag_buf = NULL; 3569 3565 } 3570 3566 3571 3567 static int claim_resources(SLMP_INFO *info)