[media] dib0700: be sure that dib0700_ctrl_rd() users can do DMA

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

dib0700_ctrl_rd() takes a RX and a TX pointer. Be sure that
both will point to a memory allocated via kmalloc().

Reviewed-by: Patrick Boettcher <patrick.boettcher@posteo.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

Mauro Carvalho Chehab 9 years ago bd1f976c 17ce039b

+16 -13

2 changed files

expand all

drivers

media

usb

dvb-usb

dib0700_core.c

dib0700_devices.c

+3 -1

drivers/media/usb/dvb-usb/dib0700_core.c

··· 292 292 293 293 /* special thing in the current firmware: when length is zero the read-failed */ 294 294 len = dib0700_ctrl_rd(d, st->buf, msg[i].len + 2, 295 - msg[i+1].buf, msg[i+1].len); 295 + st->buf, msg[i + 1].len); 296 296 if (len <= 0) { 297 297 deb_info("I2C read failed on address 0x%02x\n", 298 298 msg[i].addr); 299 299 break; 300 300 } 301 + 302 + memcpy(msg[i + 1].buf, st->buf, msg[i + 1].len); 301 303 302 304 msg[i+1].len = len; 303 305

+13 -12

drivers/media/usb/dvb-usb/dib0700_devices.c

··· 508 508 509 509 #define DEFAULT_RC_INTERVAL 50 510 510 511 - static u8 rc_request[] = { REQUEST_POLL_RC, 0 }; 512 - 513 511 /* 514 512 * This function is used only when firmware is < 1.20 version. Newer 515 513 * firmwares use bulk mode, with functions implemented at dib0700_core, ··· 515 517 */ 516 518 static int dib0700_rc_query_old_firmware(struct dvb_usb_device *d) 517 519 { 518 - u8 key[4]; 519 520 enum rc_type protocol; 520 521 u32 scancode; 521 522 u8 toggle; ··· 529 532 return 0; 530 533 } 531 534 532 - i = dib0700_ctrl_rd(d, rc_request, 2, key, 4); 535 + st->buf[0] = REQUEST_POLL_RC; 536 + st->buf[1] = 0; 537 + 538 + i = dib0700_ctrl_rd(d, st->buf, 2, st->buf, 4); 533 539 if (i <= 0) { 534 540 err("RC Query Failed"); 535 - return -1; 541 + return -EIO; 536 542 } 537 543 538 544 /* losing half of KEY_0 events from Philipps rc5 remotes.. */ 539 - if (key[0] == 0 && key[1] == 0 && key[2] == 0 && key[3] == 0) 545 + if (st->buf[0] == 0 && st->buf[1] == 0 546 + && st->buf[2] == 0 && st->buf[3] == 0) 540 547 return 0; 541 548 542 - /* info("%d: %2X %2X %2X %2X",dvb_usb_dib0700_ir_proto,(int)key[3-2],(int)key[3-3],(int)key[3-1],(int)key[3]); */ 549 + /* info("%d: %2X %2X %2X %2X",dvb_usb_dib0700_ir_proto,(int)st->buf[3 - 2],(int)st->buf[3 - 3],(int)st->buf[3 - 1],(int)st->buf[3]); */ 543 550 544 551 dib0700_rc_setup(d, NULL); /* reset ir sensor data to prevent false events */ 545 552 546 553 switch (d->props.rc.core.protocol) { 547 554 case RC_BIT_NEC: 548 555 /* NEC protocol sends repeat code as 0 0 0 FF */ 549 - if ((key[3-2] == 0x00) && (key[3-3] == 0x00) && 550 - (key[3] == 0xff)) { 556 + if ((st->buf[3 - 2] == 0x00) && (st->buf[3 - 3] == 0x00) && 557 + (st->buf[3] == 0xff)) { 551 558 rc_repeat(d->rc_dev); 552 559 return 0; 553 560 } 554 561 555 562 protocol = RC_TYPE_NEC; 556 - scancode = RC_SCANCODE_NEC(key[3-2], key[3-3]); 563 + scancode = RC_SCANCODE_NEC(st->buf[3 - 2], st->buf[3 - 3]); 557 564 toggle = 0; 558 565 break; 559 566 560 567 default: 561 568 /* RC-5 protocol changes toggle bit on new keypress */ 562 569 protocol = RC_TYPE_RC5; 563 - scancode = RC_SCANCODE_RC5(key[3-2], key[3-3]); 564 - toggle = key[3-1]; 570 + scancode = RC_SCANCODE_RC5(st->buf[3 - 2], st->buf[3 - 3]); 571 + toggle = st->buf[3 - 1]; 565 572 break; 566 573 } 567 574