Date:	Mon, 12 Mar 2012 20:20:30 -0400
From:	Paul Gortmaker <paul.gortmaker@...driver.com>
To:	stable@...nel.org, linux-kernel@...r.kernel.org
Cc:	stable-review@...nel.org,
	Florian Schilhabel <florian.c.schilhabel@...glemail.com>,
	Greg Kroah-Hartman <gregkh@...e.de>,
	Paul Gortmaker <paul.gortmaker@...driver.com>
Subject: [34-longterm 117/196] Staging: rtl8192su: check for skb == NULL

From: Florian Schilhabel <florian.c.schilhabel@...glemail.com>

                   -------------------
    This is a commit scheduled for the next v2.6.34 longterm release.
    If you see a problem with using this for longterm, please comment.
                   -------------------

commit 199ef62a287b429a8fa3b7dc5ae6b69f607bf324 upstream.

added 2 checks for skb == NULL.
plus cosmetics

Signed-off-by: Florian Schilhabel <florian.c.schilhabel@...glemail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
Signed-off-by: Paul Gortmaker <paul.gortmaker@...driver.com>
---
 drivers/staging/rtl8192su/r8192S_firmware.c |  135 ++++++++++++---------------
 drivers/staging/rtl8192su/r8192U_core.c     |    2 -
 drivers/staging/rtl8192su/r819xU_cmdpkt.c   |    6 ++
 3 files changed, 68 insertions(+), 75 deletions(-)

diff --git a/drivers/staging/rtl8192su/r8192S_firmware.c b/drivers/staging/rtl8192su/r8192S_firmware.c
index 752a3f1..f7dd7e7 100644
--- a/drivers/staging/rtl8192su/r8192S_firmware.c
+++ b/drivers/staging/rtl8192su/r8192S_firmware.c
@@ -31,44 +31,46 @@
 //			   Code size
 // Created by Roger, 2008.04.10.
 //
-bool FirmwareDownloadCode(struct net_device *dev, u8 *	code_virtual_address,u32 buffer_len)
+bool FirmwareDownloadCode(struct net_device *dev,
+				u8 *code_virtual_address,
+				u32 buffer_len)
 {
-	struct r8192_priv   *priv = ieee80211_priv(dev);
-	bool 		    rt_status = true;
-	u16		    frag_threshold = MAX_FIRMWARE_CODE_SIZE; //Fragmentation might be required in 90/92 but not in 92S
-	u16		    frag_length, frag_offset = 0;
-	struct sk_buff	    *skb;
-	unsigned char	    *seg_ptr;
-	cb_desc		    *tcb_desc;
-	u8                  	    bLastIniPkt = 0;
-	u16 			    ExtraDescOffset = 0;
-
-
-	RT_TRACE(COMP_FIRMWARE, "--->FirmwareDownloadCode()\n" );
-
-	//MAX_TRANSMIT_BUFFER_SIZE
-	if(buffer_len >= MAX_FIRMWARE_CODE_SIZE-USB_HWDESC_HEADER_LEN)
-	{
-		RT_TRACE(COMP_ERR, "Size over MAX_FIRMWARE_CODE_SIZE! \n");
+	struct r8192_priv *priv = ieee80211_priv(dev);
+	bool rt_status = true;
+	/* Fragmentation might be required in 90/92 but not in 92S */
+	u16 frag_threshold = MAX_FIRMWARE_CODE_SIZE;
+	u16 frag_length, frag_offset = 0;
+	struct sk_buff *skb;
+	unsigned char *seg_ptr;
+	cb_desc *tcb_desc;
+	u8 bLastIniPkt = 0;
+	u16 ExtraDescOffset = 0;
+
+	if (buffer_len >= MAX_FIRMWARE_CODE_SIZE - USB_HWDESC_HEADER_LEN) {
+		RT_TRACE(COMP_ERR, "(%s): Firmware exceeds"
+					" MAX_FIRMWARE_CODE_SIZE\n", __func__);
 		goto cmdsend_downloadcode_fail;
 	}
-
 	ExtraDescOffset = USB_HWDESC_HEADER_LEN;
-
 	do {
 		if((buffer_len-frag_offset) > frag_threshold)
-		{
 			frag_length = frag_threshold + ExtraDescOffset;
+		else {
+			frag_length = (u16)(buffer_len -
+						frag_offset + ExtraDescOffset);
+			bLastIniPkt = 1;
 		}
-		else
-		{
-			frag_length = (u16)(buffer_len - frag_offset + ExtraDescOffset);
-		bLastIniPkt = 1;
-		}
-
-		/* Allocate skb buffer to contain firmware info and tx descriptor info. */
+		/*
+		 * Allocate skb buffer to contain firmware info
+		 * and tx descriptor info.
+		 */
 		skb  = dev_alloc_skb(frag_length);
-		memcpy((unsigned char *)(skb->cb),&dev,sizeof(dev));
+		if (skb == NULL) {
+			RT_TRACE(COMP_ERR, "(%s): unable to alloc skb buffer\n",
+								__func__);
+			goto cmdsend_downloadcode_fail;
+		}
+		memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
 
 		tcb_desc = (cb_desc*)(skb->cb + MAX_DEV_ADDR_SIZE);
 		tcb_desc->queue_index = TXCMD_QUEUE;
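Review bot: The `(u16)` cast in `frag_length = (u16)(buffer_len - frag_offset + ExtraDescOffset);` is only safe because of the size check at the top of the function, and nothing in the new code says so. A comment above the cast would record the invariant, e.g. `/* buffer_len was bounded above, so the sum fits in u16 */`; this assumes MAX_FIRMWARE_CODE_SIZE itself fits in u16, which the `u16 frag_threshold` initialiser suggests but the hunk does not show. The same guard lets `buffer_len == 0` through, in which case the loop still allocates and sends a header-only skb with `bLastIniPkt = 1`. Whether any caller can pass a zero length is not visible here, but widening the test to `if (buffer_len == 0 || buffer_len >= MAX_FIRMWARE_CODE_SIZE - USB_HWDESC_HEADER_LEN) {` would reject it explicitly. FirmwareDownloadCode's body continues past the end of this hunk.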
@@ -76,73 +78,60 @@ bool FirmwareDownloadCode(struct net_device *dev, u8 *	code_virtual_address,u32
 		tcb_desc->bLastIniPkt = bLastIniPkt;
 
 		skb_reserve(skb, ExtraDescOffset);
-		seg_ptr = (u8 *)skb_put(skb, (u32)(frag_length-ExtraDescOffset));
-		memcpy(seg_ptr, code_virtual_address+frag_offset, (u32)(frag_length-ExtraDescOffset));
 
-		tcb_desc->txbuf_size= frag_length;
+		seg_ptr = (u8 *)skb_put(skb,
+					(u32)(frag_length - ExtraDescOffset));
 
-		if(!priv->ieee80211->check_nic_enough_desc(dev,tcb_desc->queue_index)||
-			(!skb_queue_empty(&priv->ieee80211->skb_waitQ[tcb_desc->queue_index]))||\
-			(priv->ieee80211->queue_stop) )
-		{
+		memcpy(seg_ptr, code_virtual_address + frag_offset,
+					(u32)(frag_length-ExtraDescOffset));
+
+		tcb_desc->txbuf_size = frag_length;
+
+		if (!priv->ieee80211->check_nic_enough_desc(dev, tcb_desc->queue_index) ||
+			(!skb_queue_empty(&priv->ieee80211->skb_waitQ[tcb_desc->queue_index])) ||
+			(priv->ieee80211->queue_stop)) {
 			RT_TRACE(COMP_FIRMWARE,"=====================================================> tx full!\n");
 			skb_queue_tail(&priv->ieee80211->skb_waitQ[tcb_desc->queue_index], skb);
-		}
-		else
-		{
-			priv->ieee80211->softmac_hard_start_xmit(skb,dev);
-		}
+		} else
+			priv->ieee80211->softmac_hard_start_xmit(skb, dev);
 
 		frag_offset += (frag_length - ExtraDescOffset);
 
-	}while(frag_offset < buffer_len);
-
+	} while (frag_offset < buffer_len);
 	return rt_status ;
 
-
 cmdsend_downloadcode_fail:
 	rt_status = false;
-	RT_TRACE(COMP_ERR, "CmdSendDownloadCode fail !!\n");
+	RT_TRACE(COMP_ERR, "(%s): failed\n", __func__);
 	return rt_status;
-
 }
 
 
-RT_STATUS
-FirmwareEnableCPU(struct net_device *dev)
+RT_STATUS FirmwareEnableCPU(struct net_device *dev)
 {
+	RT_STATUS rtStatus = RT_STATUS_SUCCESS;
+	u8 tmpU1b, CPUStatus = 0;
+	u16 tmpU2b;
+	u32 iCheckTime = 200;
 
-	RT_STATUS	rtStatus = RT_STATUS_SUCCESS;
-	u8		tmpU1b, CPUStatus = 0;
-	u16		tmpU2b;
-	u32		iCheckTime = 200;
-
-	RT_TRACE(COMP_FIRMWARE, "-->FirmwareEnableCPU()\n" );
-	// Enable CPU.
+	/* Enable CPU. */
 	tmpU1b = read_nic_byte(dev, SYS_CLKR);
-	write_nic_byte(dev,  SYS_CLKR, (tmpU1b|SYS_CPU_CLKSEL)); //AFE source
-
+	/* AFE source */
+	write_nic_byte(dev,  SYS_CLKR, (tmpU1b|SYS_CPU_CLKSEL));
 	tmpU2b = read_nic_word(dev, SYS_FUNC_EN);
 	write_nic_word(dev, SYS_FUNC_EN, (tmpU2b|FEN_CPUEN));
-
-	//Polling IMEM Ready after CPU has refilled.
-	do
-	{
+	/* Poll IMEM Ready after CPU has refilled. */
+	do {
 		CPUStatus = read_nic_byte(dev, TCR);
-		if(CPUStatus& IMEM_RDY)
-		{
-			RT_TRACE(COMP_FIRMWARE, "IMEM Ready after CPU has refilled.\n");
+		if (CPUStatus & IMEM_RDY)
+			/* success */
 			break;
-		}
-
-		//usleep(100);
 		udelay(100);
-	}while(iCheckTime--);
-
-	if(!(CPUStatus & IMEM_RDY))
-		return RT_STATUS_FAILURE;
-
-	RT_TRACE(COMP_FIRMWARE, "<--FirmwareEnableCPU(): rtStatus(%#x)\n", rtStatus);
+	} while (iCheckTime--);
+	if (!(CPUStatus & IMEM_RDY)) {
+		RT_TRACE(COMP_ERR, "(%s): failed to enable CPU\n", __func__);
+		rtStatus = RT_STATUS_FAILURE;
+	}
 	return rtStatus;
 }
 
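Review bot: The rewritten tx-full conditional ends in `} else` followed by an unbraced call, which kernel coding style asks to avoid when the other branch is braced; `} else {` / `priv->ieee80211->softmac_hard_start_xmit(skb, dev);` / `}` keeps both arms symmetric. The same fragility appears in FirmwareEnableCPU, where the `/* success */` comment sits between an unbraced `if (CPUStatus & IMEM_RDY)` and its `break;`, so a statement added there later would fall outside the condition. Separately, the poll loop busy-waits with `udelay(100)` for up to 201 iterations, and a comment such as `/* poll IMEM_RDY for up to ~20 ms (201 x 100 us) */` would document that timeout. The start of FirmwareDownloadCode is outside this hunk.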
diff --git a/drivers/staging/rtl8192su/r8192U_core.c b/drivers/staging/rtl8192su/r8192U_core.c
index 04d9b85..04f8516 100644
--- a/drivers/staging/rtl8192su/r8192U_core.c
+++ b/drivers/staging/rtl8192su/r8192U_core.c
@@ -1278,7 +1278,6 @@ static int rtl8192_rx_initiate(struct net_device*dev)
                         kfree_skb(skb);
                         break;
                 }
-//		printk("nomal packet IN request!\n");
                 usb_fill_bulk_urb(entry, priv->udev,
                                   usb_rcvbulkpipe(priv->udev, 3), skb_tail_pointer(skb),
                                   RX_URB_SIZE, rtl8192_rx_isr, skb);
@@ -1292,7 +1291,6 @@ static int rtl8192_rx_initiate(struct net_device*dev)
 
 	/* command packet rx procedure */
         while (skb_queue_len(&priv->rx_queue) < MAX_RX_URB + 3) {
-//		printk("command packet IN request!\n");
                 skb = __dev_alloc_skb(RX_URB_SIZE ,GFP_KERNEL);
                 if (!skb)
                         break;
diff --git a/drivers/staging/rtl8192su/r819xU_cmdpkt.c b/drivers/staging/rtl8192su/r819xU_cmdpkt.c
index 3ebfe79..e69c3b4 100644
--- a/drivers/staging/rtl8192su/r819xU_cmdpkt.c
+++ b/drivers/staging/rtl8192su/r819xU_cmdpkt.c
@@ -56,6 +56,12 @@ SendTxCommandPacket(
 
 	//Get TCB and local buffer from common pool. (It is shared by CmdQ, MgntQ, and USB coalesce DataQ)
 	skb  = dev_alloc_skb(USB_HWDESC_HEADER_LEN + DataLen + 4);
+	if (skb == NULL) {
+		RT_TRACE(COMP_ERR, "(%s): unable to alloc skb buffer\n",
+								__func__);
+		rtStatus = false;
+		return rtStatus;
+	}
 	memcpy((unsigned char *)(skb->cb),&dev,sizeof(dev));
 	tcb_desc = (cb_desc*)(skb->cb + MAX_DEV_ADDR_SIZE);
 	tcb_desc->queue_index = TXCMD_QUEUE;
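Review bot: The new failure path writes `rtStatus = false; return rtStatus;` where `return false;` says the same thing in one line, assuming rtStatus is the function's bool result (its declaration is outside the hunk). The allocation length `USB_HWDESC_HEADER_LEN + DataLen + 4` is computed with no bound on DataLen visible in these lines, so if DataLen is not validated earlier in SendTxCommandPacket, a range check before `dev_alloc_skb()` would be worth adding. SendTxCommandPacket begins and ends outside this hunk, so whether callers act on the false return cannot be confirmed from here.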
-- 
1.7.9.3
