Return-Path: <linux-kernel-owner+w=401wt.eu-S1758300AbYFFSH3@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1758300AbYFFSH3 (ORCPT <rfc822;w@1wt.eu>);
	Fri, 6 Jun 2008 14:07:29 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751882AbYFFSHU
	(ORCPT <rfc822;linux-kernel-outgoing>);
	Fri, 6 Jun 2008 14:07:20 -0400
Received: from smtp1.linux-foundation.org ([140.211.169.13]:48368 "EHLO
	smtp1.linux-foundation.org" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1754248AbYFFSHS (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 6 Jun 2008 14:07:18 -0400
Date: Fri, 6 Jun 2008 11:07:11 -0700
From: Andrew Morton <akpm@linux-foundation.org>
To: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Justin Mattock <justinmattock@gmail.com>,
       Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
       linux-usb@vger.kernel.org
Subject: Re: [ 88.628451] BUG: unable to handle kernel paging request at
 f8dbf000 "isight_firmware"
Message-Id: <20080606110711.a9a6a4f6.akpm@linux-foundation.org>
In-Reply-To: <20080606121136.GA9087@srcf.ucam.org>
References: <dd18b0c30806041213x45b7efdfo42de9b214a7ce9df@mail.gmail.com>
	<20080606002601.a0f6c47c.akpm@linux-foundation.org>
	<dd18b0c30806060137j7edc751se364ff21cfc8911b@mail.gmail.com>
	<20080606121136.GA9087@srcf.ucam.org>
X-Mailer: Sylpheed 2.4.8 (GTK+ 2.12.5; x86_64-redhat-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1627
Lines: 44

On Fri, 6 Jun 2008 13:11:36 +0100 Matthew Garrett <mjg59@srcf.ucam.org> wrote:

> Argh. My firmware image contained the 0x8001 token that indicates end of 
> firmware - the ones generated by Etienne's tool don't, so the driver 
> reads straight off the end of the buffer. Can you try this patch? It 
> also incorporates the cleanups Andrew suggested, and should be resistant 
> to malformed data.
> 
> diff --git a/drivers/usb/misc/isight_firmware.c b/drivers/usb/misc/isight_firmware.c
> index 390e048..cc5943c 100644
> --- a/drivers/usb/misc/isight_firmware.c
> +++ b/drivers/usb/misc/isight_firmware.c
> @@ -39,9 +39,9 @@ static int isight_firmware_load(struct usb_interface *intf,
>  	struct usb_device *dev = interface_to_usbdev(intf);
>  	int llen, len, req, ret = 0;
>  	const struct firmware *firmware;
> -	unsigned char *buf;
> +	unsigned char *buf = kmalloc(50, GFP_KERNEL);
>  	unsigned char data[4];
> -	char *ptr;
> +	u8 *ptr;

	if (!buf)
		return -ENOMEM;

please.

>  	if (request_firmware(&firmware, "isight.fw", &dev->dev) != 0) {
>  		printk(KERN_ERR "Unable to load isight firmware\n");
> @@ -59,7 +59,7 @@ static int isight_firmware_load(struct usb_interface *intf,
>  		goto out;
>  	}
>  
> -	while (1) {
> +	while (ptr+4 <= firmware->data+firmware->size) {
>  		memcpy(data, ptr, 4);
>  		len = (data[0] << 8 | data[1]);
>  		req = (data[2] << 8 | data[3]);

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/