HID: battery: don't do DMA from stack
Jiri Kosina [Mon, 2 Sep 2013 11:43:00 +0000 (13:43 +0200)]
commit 6c2794a2984f4c17a58117a68703cc7640f01c5a upstream.

Instead of using data from stack for DMA in hidinput_get_battery_property(),
allocate the buffer dynamically.

Reported-by: Richard Ryniker <ryniker@alum.mit.edu>
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/hid/hid-input.c

index 945b815..ac5e935 100644 (file)
@@ -340,7 +340,7 @@ static int hidinput_get_battery_property(struct power_supply *psy,
 {
        struct hid_device *dev = container_of(psy, struct hid_device, battery);
        int ret = 0;
-       __u8 buf[2] = {};
+       __u8 *buf;
 
        switch (prop) {
        case POWER_SUPPLY_PROP_PRESENT:
@@ -349,13 +349,20 @@ static int hidinput_get_battery_property(struct power_supply *psy,
                break;
 
        case POWER_SUPPLY_PROP_CAPACITY:
+
+               buf = kmalloc(2 * sizeof(__u8), GFP_KERNEL);
+               if (!buf) {
+                       ret = -ENOMEM;
+                       break;
+               }
                ret = dev->hid_get_raw_report(dev, dev->battery_report_id,
-                                             buf, sizeof(buf),
+                                             buf, 2,
                                              dev->battery_report_type);
 
                if (ret != 2) {
                        if (ret >= 0)
                                ret = -EINVAL;
+                       kfree(buf);
                        break;
                }
 
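Review bot: The buffer allocated in the POWER_SUPPLY_PROP_CAPACITY case is no longer zero-initialised: the old `__u8 buf[2] = {};` started as zeros, while `kmalloc(2 * sizeof(__u8), GFP_KERNEL)` returns uninitialised heap memory. The `ret != 2` check only protects the later read of `buf[1]` if every transport's `hid_get_raw_report` really writes all the bytes it reports, which cannot be confirmed from this hunk; `buf = kzalloc(2, GFP_KERNEL);` would keep the previous guarantee. The allocation also deserves a one-line comment such as `/* heap buffer: the transport may DMA into it, so it must not live on the stack */`, so it is not later converted back to a stack array. The literal 2 now appears in the allocation, the request length and the return check, so a named constant would keep the three in step. The function body starts and ends outside the hunk.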
@@ -364,6 +371,7 @@ static int hidinput_get_battery_property(struct power_supply *psy,
                    buf[1] <= dev->battery_max)
                        val->intval = (100 * (buf[1] - dev->battery_min)) /
                                (dev->battery_max - dev->battery_min);
+               kfree(buf);
                break;
 
        case POWER_SUPPLY_PROP_MODEL_NAME:
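Review bot: The buffer is now released on two separate paths, `kfree(buf);` before the error `break` in the previous hunk and again here after the capacity calculation, so any early exit added to this case later would leak it. Restructuring the case so that the range check and the `val->intval` assignment run only when `ret == 2`, followed by a single `kfree(buf);` before the final `break`, would leave one cleanup point. The start of the `if` condition and the rest of the function are outside the hunk, so this assumes nothing else in the case uses `buf`.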