Date: Fri, 6 Jun 2008 14:24:59 +0000
From: "Justin Mattock"
To: "Matthew Garrett"
Subject: Re: [ 88.628451] BUG: unable to handle kernel paging request at f8dbf000 "isight_firmware"
Cc: "Andrew Morton", "Linux Kernel Mailing List", linux-usb@vger.kernel.org

On Fri, Jun 6, 2008 at 12:11 PM, Matthew Garrett wrote:
> Argh. My firmware image contained the 0x8001 token that indicates end of
> firmware - the ones generated by Etienne's tool don't, so the driver
> reads straight off the end of the buffer. Can you try this patch? It
> also incorporates the cleanups Andrew suggested, and should be resistant
> to malformed data.
> > diff --git a/drivers/usb/misc/isight_firmware.c b/drivers/usb/misc/isight_firmware.c > index 390e048..cc5943c 100644 > --- a/drivers/usb/misc/isight_firmware.c > +++ b/drivers/usb/misc/isight_firmware.c > @@ -39,9 +39,9 @@ static int isight_firmware_load(struct usb_interface *intf, > struct usb_device *dev = interface_to_usbdev(intf); > int llen, len, req, ret = 0; > const struct firmware *firmware; > - unsigned char *buf; > + unsigned char *buf = kmalloc(50, GFP_KERNEL); > unsigned char data[4]; > - char *ptr; > + u8 *ptr; > > if (request_firmware(&firmware, "isight.fw", &dev->dev) != 0) { > printk(KERN_ERR "Unable to load isight firmware\n"); > @@ -59,7 +59,7 @@ static int isight_firmware_load(struct usb_interface *intf, > goto out; > } > > - while (1) { > + while (ptr+4 <= firmware->data+firmware->size) { > memcpy(data, ptr, 4); > len = (data[0] << 8 | data[1]); > req = (data[2] << 8 | data[3]); > @@ -71,10 +71,14 @@ static int isight_firmware_load(struct usb_interface *intf, > continue; > > for (; len > 0; req += 50) { > - llen = len > 50 ? 50 : len; > + llen = min (len, 50); > len -= llen; > - > - buf = kmalloc(llen, GFP_KERNEL); > + if (ptr+llen > firmware->data+firmware->size) { > + printk (KERN_ERR > + "Malformed isight firmware"); > + ret = -ENODEV; > + goto out; > + } > memcpy(buf, ptr, llen); > > ptr += llen; 
> @@ -89,16 +93,18 @@ static int isight_firmware_load(struct usb_interface *intf, > goto out; > } > > - kfree(buf); > } > } > + > if (usb_control_msg > (dev, usb_sndctrlpipe(dev, 0), 0xa0, 0x40, 0xe600, 0, "\0", 1, > 300) != 1) { > printk(KERN_ERR "isight firmware loading completion failed\n"); > ret = -ENODEV; > } > + > out: > + kfree(buf); > release_firmware(firmware); > return ret; > } > > -- > Matthew Garrett | mjg59@srcf.ucam.org >

Sure, I'll give the patch a try, first give me some time to take care of
some extracurricular activities. (running)

regards;

--
Justin P. Mattock
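Review bot: the result of `kmalloc(50, GFP_KERNEL)` in the first hunk is never checked in the lines shown, so an allocation failure reaches `memcpy(buf, ptr, llen)` with a NULL `buf`. Add `if (!buf) return -ENOMEM;` before the `request_firmware()` call. Because `buf` is now allocated before `request_firmware()` and freed only at `out:`, the "Unable to load isight firmware" failure path also has to free it. That path can only go through `out:` if `release_firmware()` is safe to call there after a failed request, otherwise it needs its own `kfree(buf)`. The literal 50 now appears in the allocation, in `min (len, 50)` and in `req += 50`, so a single named constant for the chunk size would keep the three in step.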
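Review bot: the new loop condition `ptr+4 <= firmware->data+firmware->size` in the second hunk ends the loop quietly when one to three stray bytes remain after the last record, and the code then sends the completion message as if the image had been well formed. Since images without the 0x8001 token are expected to end exactly on a record boundary, consider checking after the loop whether `ptr` stopped short of the end of the data and, if so, reporting malformed firmware the same way the inner bounds check does.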
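Review bot: the `"Malformed isight firmware"` message in the third hunk has no trailing `\n`, unlike the other `printk(KERN_ERR ...)` calls in this function, so the next log message may be appended to the same line. The same hunk writes `min (len, 50)` and `printk (KERN_ERR`, with a space before the opening parenthesis, which does not match the `printk(` calls elsewhere in the function. The bounds check itself sits in the right place, ahead of `memcpy(buf, ptr, llen)`.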