Staging: rtl8192u: Do not DMA on the stack
authorKsenija Stanojevic <ksenija.stanojevic@gmail.com>
Thu, 8 Oct 2015 15:21:49 +0000 (17:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 13 Oct 2015 03:40:48 +0000 (20:40 -0700)
Fix error "doing DMA on the stack" by using kzalloc for buffer
allocation.
Issue found by smatch.

Signed-off-by: Ksenija Stanojevic <ksenija.stanojevic@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/rtl8192u/r8192U_core.c

index 28b54babf498a844963f1d6eae800938e96f7a79..0bae93b1132f244b9c59e66f6b91475901764e91 100644 (file)
@@ -259,10 +259,16 @@ void write_nic_byte_E(struct net_device *dev, int indx, u8 data)
        int status;
        struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
        struct usb_device *udev = priv->udev;
+       u8 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
+
+       if (!usbdata)
+               return;
+       *usbdata = data;
 
        status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
                                 RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
-                                indx | 0xfe00, 0, &data, 1, HZ / 2);
+                                indx | 0xfe00, 0, usbdata, 1, HZ / 2);
+       kfree(usbdata);
 
        if (status < 0)
                netdev_err(dev, "write_nic_byte_E TimeOut! status: %d\n",
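Review bot: The new `if (!usbdata) return;` path in write_nic_byte_E skips the register write without telling the caller, because the function returns void. The same pattern is added in write_nic_byte, write_nic_word and write_nic_dword. After an allocation failure the driver's view of the hardware state can silently differ from the device's, so the path deserves at least a comment such as `/* register write is dropped on allocation failure; callers cannot detect this */`, and a follow-up that makes these helpers return int would close the gap. As a smaller point, the zeroing is wasted because the buffer is overwritten at once, so `u8 *usbdata = kmemdup(&data, sizeof(data), GFP_KERNEL);` could replace the kzalloc plus `*usbdata = data;`. The function's error-reporting tail continues outside this hunk.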
@@ -274,10 +280,16 @@ int read_nic_byte_E(struct net_device *dev, int indx, u8 *data)
        int status;
        struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
        struct usb_device *udev = priv->udev;
+       u8 *usbdata = kzalloc(sizeof(u8), GFP_KERNEL);
+
+       if (!usbdata)
+               return -ENOMEM;
 
        status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
                                 RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
-                                indx | 0xfe00, 0, data, 1, HZ / 2);
+                                indx | 0xfe00, 0, usbdata, 1, HZ / 2);
+       *data = *usbdata;
+       kfree(usbdata);
 
        if (status < 0) {
                netdev_err(dev, "%s failure status: %d\n", __func__, status);
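Review bot: In read_nic_byte_E the copy-out `*data = *usbdata;` runs before `status` is checked, so a failed transfer overwrites the caller's value with the zero-filled bounce buffer. Only `status < 0` is tested in the visible lines, so a short read from the device (fewer bytes than requested) appears to be treated as success and hands the caller a fabricated 0; the rest of the function is outside the hunk. Copy only when the full length arrived, e.g. `if (status == 1) *data = *usbdata;`, and treat any other non-negative count as an error such as `-EIO`. The same applies to read_nic_byte (length 1), read_nic_word and read_nic_word_E (length 2) and read_nic_dword (length 4).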
@@ -293,11 +305,17 @@ void write_nic_byte(struct net_device *dev, int indx, u8 data)
 
        struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
        struct usb_device *udev = priv->udev;
+       u8 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
+
+       if (!usbdata)
+               return;
+       *usbdata = data;
 
        status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
                                 RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
                                 (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
-                                &data, 1, HZ / 2);
+                                usbdata, 1, HZ / 2);
+       kfree(usbdata);
 
        if (status < 0)
                netdev_err(dev, "write_nic_byte TimeOut! status: %d\n", status);
@@ -313,11 +331,17 @@ void write_nic_word(struct net_device *dev, int indx, u16 data)
 
        struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
        struct usb_device *udev = priv->udev;
+       u16 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
+
+       if (!usbdata)
+               return;
+       *usbdata = data;
 
        status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
                                 RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
                                 (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
-                                &data, 2, HZ / 2);
+                                usbdata, 2, HZ / 2);
+       kfree(usbdata);
 
        if (status < 0)
                netdev_err(dev, "write_nic_word TimeOut! status: %d\n", status);
@@ -332,11 +356,17 @@ void write_nic_dword(struct net_device *dev, int indx, u32 data)
 
        struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
        struct usb_device *udev = priv->udev;
+       u32 *usbdata = kzalloc(sizeof(data), GFP_KERNEL);
+
+       if (!usbdata)
+               return;
+       *usbdata = data;
 
        status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
                                 RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
                                 (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
-                                &data, 4, HZ / 2);
+                                usbdata, 4, HZ / 2);
+       kfree(usbdata);
 
 
        if (status < 0)
@@ -352,11 +382,17 @@ int read_nic_byte(struct net_device *dev, int indx, u8 *data)
        int status;
        struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
        struct usb_device *udev = priv->udev;
+       u8 *usbdata = kzalloc(sizeof(u8), GFP_KERNEL);
+
+       if (!usbdata)
+               return -ENOMEM;
 
        status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
                                 RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
                                 (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
-                                data, 1, HZ / 2);
+                                usbdata, 1, HZ / 2);
+       *data = *usbdata;
+       kfree(usbdata);
 
        if (status < 0) {
                netdev_err(dev, "%s failure status: %d\n", __func__, status);
@@ -373,11 +409,17 @@ int read_nic_word(struct net_device *dev, int indx, u16 *data)
        int status;
        struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
        struct usb_device *udev = priv->udev;
+       u16 *usbdata = kzalloc(sizeof(u16), GFP_KERNEL);
+
+       if (!usbdata)
+               return -ENOMEM;
 
        status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
                                 RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
                                 (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
-                                data, 2, HZ / 2);
+                                usbdata, 2, HZ / 2);
+       *data = *usbdata;
+       kfree(usbdata);
 
        if (status < 0) {
                netdev_err(dev, "%s failure status: %d\n", __func__, status);
@@ -392,10 +434,16 @@ static int read_nic_word_E(struct net_device *dev, int indx, u16 *data)
        int status;
        struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
        struct usb_device *udev = priv->udev;
+       u16 *usbdata = kzalloc(sizeof(u16), GFP_KERNEL);
+
+       if (!usbdata)
+               return -ENOMEM;
 
        status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
                                 RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
-                                indx | 0xfe00, 0, data, 2, HZ / 2);
+                                indx | 0xfe00, 0, usbdata, 2, HZ / 2);
+       *data = *usbdata;
+       kfree(usbdata);
 
        if (status < 0) {
                netdev_err(dev, "%s failure status: %d\n", __func__, status);
@@ -411,11 +459,17 @@ int read_nic_dword(struct net_device *dev, int indx, u32 *data)
 
        struct r8192_priv *priv = (struct r8192_priv *)ieee80211_priv(dev);
        struct usb_device *udev = priv->udev;
+       u32 *usbdata = kzalloc(sizeof(u32), GFP_KERNEL);
+
+       if (!usbdata)
+               return -ENOMEM;
 
        status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
                                 RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
                                 (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
-                                data, 4, HZ / 2);
+                                usbdata, 4, HZ / 2);
+       *data = *usbdata;
+       kfree(usbdata);
 
        if (status < 0) {
                netdev_err(dev, "%s failure status: %d\n", __func__, status);