From: Benoit Goby <benoit@android.com>
Date: Tue, 10 Aug 2010 01:00:04 +0000 (-0700)
Subject: usb: serial: Fix memory corruption in moto-flashmdm
X-Git-Tag: firefly_0821_release~9834^2~719
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=1fa241ab56fc48acca8fdf165d4e7db49860bd49;p=firefly-linux-kernel-4.4.55.git

usb: serial: Fix memory corruption in moto-flashmdm

moto_flashmdm_attach should also override bulk_out_buffers as
usb-serial expects they have the same size as bulk_out_buffer

Change-Id: I97487fa833ed3dee40a15c485ba8565944d0f9e4
Signed-off-by: Benoit Goby <benoit@android.com>
---

diff --git a/drivers/usb/serial/moto_flashmdm.c b/drivers/usb/serial/moto_flashmdm.c
index ef60cce19b51..ff49925e83f9 100644
--- a/drivers/usb/serial/moto_flashmdm.c
+++ b/drivers/usb/serial/moto_flashmdm.c
@@ -50,6 +50,7 @@ static void omap_flashmdm_disable_uhh_smart_idle(void)
 static int moto_flashmdm_attach(struct usb_serial *serial)
 {
 	struct usb_serial_port *port = serial->port[0];
+	int i;
 
 	if (port->bulk_out_size >= MOTO_FLASHMDM_BULKOUT_SIZE) {
 		dev_info(&serial->dev->dev,
@@ -69,7 +70,23 @@ static int moto_flashmdm_attach(struct usb_serial *serial)
 			  usb_sndbulkpipe(serial->dev,
 					  port->bulk_out_endpointAddress),
 			  port->bulk_out_buffer, port->bulk_out_size,
-			  usb_serial_generic_write_bulk_callback, port);
+			  serial->type->write_bulk_callback, port);
+
+	for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i) {
+		kfree(port->bulk_out_buffers[i]);
+		port->bulk_out_buffers[i] = kmalloc(port->bulk_out_size,
+						    GFP_KERNEL);
+		if (!port->bulk_out_buffers[i]) {
+			dev_err(&serial->dev->dev,
+				"Couldn't allocate bulk_out_buffer\n");
+			return -ENOMEM;
+		}
+		usb_fill_bulk_urb(port->write_urbs[i], serial->dev,
+				  usb_sndbulkpipe(serial->dev,
+						  port->bulk_out_endpointAddress),
+				  port->bulk_out_buffers[i], port->bulk_out_size,
+				  serial->type->write_bulk_callback, port);
+	}
 
 #if defined(CONFIG_ARCH_OMAP34XX)
 	/* need to disable the AUTO IDLE for the usb iclk */