From: Akihiro Tsukada <tsk...@gmail.com>
i2c message buf might be on stack.
Signed-off-by: Akihiro Tsukada <tsk...@gmail.com>
---
Changes since v4:
- none
drivers/media/usb/dvb-usb-v2/gl861.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/drivers/media/usb/dvb-usb-v2/gl861.c
b/drivers/media/usb/dvb-usb-v2/gl861.c
index cdd7bfcb883..47b614da807 100644
--- a/drivers/media/usb/dvb-usb-v2/gl861.c
+++ b/drivers/media/usb/dvb-usb-v2/gl861.c
@@ -22,6 +22,8 @@ static int gl861_i2c_msg(struct dvb_usb_device *d, u8 addr,
u16 value = addr << (8 + 1);
int wo = (rbuf == NULL || rlen == 0); /* write-only */
u8 req, type;
+ u8 *buf;
+ int ret;
if (wo) {
req = GL861_REQ_I2C_WRITE;
@@ -44,11 +46,23 @@ static int gl861_i2c_msg(struct dvb_usb_device *d, u8 addr,
KBUILD_MODNAME, wlen);
return -EINVAL;
}
-
+ buf = NULL;
+ if (rlen > 0) {
+ buf = kmalloc(rlen, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+ }
usleep_range(1000, 2000); /* avoid I2C errors */
- return usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), req, type,
- value, index, rbuf, rlen, 2000);
+ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), req, type,
+ value, index, buf, rlen, 2000);
+ if (rlen > 0) {
+ if (ret > 0)
+ memcpy(rbuf, buf, rlen);
+ kfree(buf);
+ }
+
+ return ret;
}
/* Friio specific I2C read/write */
--
2.17.0
