Fix error "doing DMA on the stack" by using kzalloc for buffer
allocation.
Issue found by smatch.
Signed-off-by: Ksenija Stanojevic <ksenija.stanojevic@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
+ u8 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
+
+ if (!usbdata)
+ return;
+ *usbdata = data;
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
- indx | 0xfe00, 0, &data, 1, HZ / 2);
+ indx | 0xfe00, 0, usbdata, 1, HZ / 2);
+ kfree(usbdata);
if (status < 0)
netdev_err(dev, "write_nic_byte_E TimeOut! status: %d\n",
if (status < 0)
netdev_err(dev, "write_nic_byte_E TimeOut! status: %d\n",
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
+ u8 *usbdata = kzalloc(sizeof(u8), GFP_KERNEL);
+
+ if (!usbdata)
+ return -ENOMEM;
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
- indx | 0xfe00, 0, data, 1, HZ / 2);
+ indx | 0xfe00, 0, usbdata, 1, HZ / 2);
+ *data = *usbdata;
+ kfree(usbdata);
if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
+ u8 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
+
+ if (!usbdata)
+ return;
+ *usbdata = data;
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+ usbdata, 1, HZ / 2);
+ kfree(usbdata);
if (status < 0)
netdev_err(dev, "write_nic_byte TimeOut! status: %d\n", status);
if (status < 0)
netdev_err(dev, "write_nic_byte TimeOut! status: %d\n", status);
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
+ u16 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
+
+ if (!usbdata)
+ return;
+ *usbdata = data;
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+ usbdata, 2, HZ / 2);
+ kfree(usbdata);
if (status < 0)
netdev_err(dev, "write_nic_word TimeOut! status: %d\n", status);
if (status < 0)
netdev_err(dev, "write_nic_word TimeOut! status: %d\n", status);
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
+ u32 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
+
+ if (!usbdata)
+ return;
+ *usbdata = data;
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+ usbdata, 4, HZ / 2);
+ kfree(usbdata);
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
+ u8 *usbdata = kzalloc(sizeof(u8), GFP_KERNEL);
+
+ if (!usbdata)
+ return -ENOMEM;
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+ usbdata, 1, HZ / 2);
+ *data = *usbdata;
+ kfree(usbdata);
if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
+ u16 *usbdata = kzalloc(sizeof(u16), GFP_KERNEL);
+
+ if (!usbdata)
+ return -ENOMEM;
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+ usbdata, 2, HZ / 2);
+ *data = *usbdata;
+ kfree(usbdata);
if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
int status;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
+ u16 *usbdata = kzalloc(sizeof(u16), GFP_KERNEL);
+
+ if (!usbdata)
+ return -ENOMEM;
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
- indx | 0xfe00, 0, data, 2, HZ / 2);
+ indx | 0xfe00, 0, usbdata, 2, HZ / 2);
+ *data = *usbdata;
+ kfree(usbdata);
if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
struct usb_device *udev = priv->udev;
+ u32 *usbdata = kzalloc(sizeof(u32), GFP_KERNEL);
+
+ if (!usbdata)
+ return -ENOMEM;
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
(indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+ usbdata, 4, HZ / 2);
+ *data = *usbdata;
+ kfree(usbdata);
if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);
if (status < 0) {
netdev_err(dev, "%s failure status: %d\n", __func__, status);