From c2c2825f0b7b20409c97add79fcbf7d6d15196b7 Mon Sep 17 00:00:00 2001 From: Ao Xu Date: Wed, 1 Aug 2018 19:30:04 +0800 Subject: [PATCH] board: fix stack overflow issue PD#169652: board: fix stack overflow issue it is better to use kmalloc to alloc buffer instead of in stack buffer. Change-Id: I6825d8acff19248f2f6c789ed2218af42ca4ffd3 Signed-off-by: Ao Xu --- drivers/amlogic/audioinfo/audio_data.c | 10 +++++++++- drivers/amlogic/irblaster/irblaster.c | 16 +++++++++++++--- drivers/amlogic/irblaster/meson-irblaster.c | 16 +++++++++++++--- drivers/amlogic/mmc/emmc_partitions.c | 10 ++++++++++ 4 files changed, 45 insertions(+), 7 deletions(-) mode change 100755 => 100644 drivers/amlogic/mmc/emmc_partitions.c diff --git a/drivers/amlogic/audioinfo/audio_data.c b/drivers/amlogic/audioinfo/audio_data.c index 4fd232c..c50076cd 100644 --- a/drivers/amlogic/audioinfo/audio_data.c +++ b/drivers/amlogic/audioinfo/audio_data.c @@ -156,7 +156,13 @@ static ssize_t audio_data_read(struct file *filp, char __user *buf, { int err = 0; loff_t pos = 0; - char buftmp[EFUSE_BUF_SIZE] = {0}; + char *buftmp; + + buftmp = kzalloc(EFUSE_BUF_SIZE, GFP_KERNEL); + if (!buftmp) { + MYPRT("kzalloc fail.\n"); + return -ENOMEM; + } MYPRT("[%s]\n", __func__); if (count > EFUSE_BUF_SIZE) { @@ -175,6 +181,8 @@ static ssize_t audio_data_read(struct file *filp, char __user *buf, } } } + + kfree(buftmp); if (!err) return count; else diff --git a/drivers/amlogic/irblaster/irblaster.c b/drivers/amlogic/irblaster/irblaster.c index 9d8485c..b922e50 100644 --- a/drivers/amlogic/irblaster/irblaster.c +++ b/drivers/amlogic/irblaster/irblaster.c 
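Review bot: In audio_data_read the new `kzalloc` runs before `count` is checked against EFUSE_BUF_SIZE, and the only `kfree(buftmp)` is the one added in the second hunk, just ahead of `if (!err)`. The body between the two hunks is not visible here, so it should be confirmed that no path returns in between, since any such return would leak the buffer on every read that takes it. Moving the allocation below the size check would also avoid allocating for a request that is going to be refused. The `MYPRT("kzalloc fail.\n");` line can be dropped because the allocator already reports failed allocations, and a comment such as `/* heap buffer instead of an on-stack array; freed at the single exit below */` would record the intent.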
@@ -368,15 +368,21 @@ static long aml_irblaster_ioctl(struct file *filp, unsigned int cmd, int consumerir_freqs = 0, duty_cycle = 0; s32 r = 0; - char sendcode[MAX_PLUSE]; + char *sendcode; void __user *argp = (void __user *)args; + sendcode = kzalloc(MAX_PLUSE, GFP_KERNEL); + if (!sendcode) + return -ENOMEM; + irblaster_dbg("aml_irblaster_ioctl() 0x%4x\n ", cmd); switch (cmd) { case CONSUMERIR_TRANSMIT: if (copy_from_user(sendcode, (char *)argp, - strlen((char *)argp))) + strlen((char *)argp))) { + kfree(sendcode); return -EFAULT; + } pr_info("send code is %s\n", sendcode); r = send(sendcode, strlen(argp)); break; @@ -384,6 +390,7 @@ static long aml_irblaster_ioctl(struct file *filp, unsigned int cmd, pr_info("in get freq\n"); consumerir_freqs = get_consumerir_freqs(irblaster); put_user(consumerir_freqs, (int *)argp); + kfree(sendcode); return consumerir_freqs; case SET_CARRIER: pr_info("in set freq\n"); @@ -392,8 +399,10 @@ static long aml_irblaster_ioctl(struct file *filp, unsigned int cmd, break; case SET_DUTYCYCLE: pr_info("in set duty_cycle\n"); - if (copy_from_user(&duty_cycle, argp, sizeof(int))) + if (copy_from_user(&duty_cycle, argp, sizeof(int))) { + kfree(sendcode); return -EFAULT; + } get_user(duty_cycle, (int *)argp); r = set_duty_cycle(duty_cycle); break; @@ -403,6 +412,7 @@ static long aml_irblaster_ioctl(struct file *filp, unsigned int cmd, break; } + kfree(sendcode); return r; } static int aml_irblaster_release(struct inode *inode, struct file *file) diff --git a/drivers/amlogic/irblaster/meson-irblaster.c b/drivers/amlogic/irblaster/meson-irblaster.c index b109baf..3459ba5 100644 --- a/drivers/amlogic/irblaster/meson-irblaster.c +++ b/drivers/amlogic/irblaster/meson-irblaster.c 
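Review bot: The CONSUMERIR_TRANSMIT branch still takes the copy length from `strlen((char *)argp)`, so moving `sendcode` to the heap turns the stack overrun into a heap overrun instead of removing it. Nothing limits the copy to MAX_PLUSE, and `strlen()` reads through the user pointer directly, without the access checks a user copy helper performs. The same lines appear in aml_ir_blaster_ioctl in meson-irblaster.c (hunk at -377,15) and need the same change. A bounded `strncpy_from_user()` with its return value checked covers both problems; the sketch below assumes a new `long len` local and truncates at MAX_PLUSE - 1, so return -EINVAL instead if over-long input should be rejected. The function's opening and its remaining cases lie outside this hunk.

```c
	case CONSUMERIR_TRANSMIT:
		/* Bounded, fault-checked copy; argp is never dereferenced directly. */
		len = strncpy_from_user(sendcode, argp, MAX_PLUSE - 1);
		if (len < 0) {
			kfree(sendcode);
			return -EFAULT;
		}
		/* kzalloc() zeroed the buffer, so byte MAX_PLUSE - 1 stays NUL. */
		pr_info("send code is %s\n", sendcode);
		r = send(sendcode, len);
		break;
	/* … unchanged: remaining ioctl cases … */
```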
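Review bot: `sendcode` is used only by CONSUMERIR_TRANSMIT but is allocated for every command, which is why this hunk (-384,6) and the SET_DUTYCYCLE hunk each need their own `kfree(sendcode)` before returning. Allocating inside the TRANSMIT case, or sending every exit through one `out:` label that does `kfree(sendcode); return r;`, would stop a later added `return` from leaking the buffer. In this hunk the result of `put_user(consumerir_freqs, (int *)argp)` is also ignored, so a bad pointer is reported as success; `if (put_user(consumerir_freqs, (int __user *)argp)) { kfree(sendcode); return -EFAULT; }` would surface it. The same pattern is repeated in the meson-irblaster.c hunks.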
@@ -377,15 +377,21 @@ static long aml_ir_blaster_ioctl(struct file *filp, unsigned int cmd, int consumerir_freqs = 0, duty_cycle = 0; s32 r = 0; - char sendcode[MAX_PLUSE]; + char *sendcode; void __user *argp = (void __user *)args; + sendcode = kzalloc(MAX_PLUSE, GFP_KERNEL); + if (!sendcode) + return -ENOMEM; + irblaster_dbg("aml_ir_blaster_ioctl() 0x%4x\n ", cmd); switch (cmd) { case CONSUMERIR_TRANSMIT: if (copy_from_user(sendcode, (char *)argp, - strlen((char *)argp))) + strlen((char *)argp))) { + kfree(sendcode); return -EFAULT; + } pr_info("send code is %s\n", sendcode); r = irblaster_send(sendcode, strlen(argp)); break; @@ -394,6 +400,7 @@ static long aml_ir_blaster_ioctl(struct file *filp, unsigned int cmd, consumerir_freqs = get_irblaster_consumerir_freqs(irblaster_win); put_user(consumerir_freqs, (int *)argp); + kfree(sendcode); return consumerir_freqs; case SET_CARRIER: pr_info("in set freq\n"); @@ -403,8 +410,10 @@ static long aml_ir_blaster_ioctl(struct file *filp, unsigned int cmd, break; case SET_DUTYCYCLE: pr_info("in set duty_cycle\n"); - if (copy_from_user(&duty_cycle, argp, sizeof(int))) + if (copy_from_user(&duty_cycle, argp, sizeof(int))) { + kfree(sendcode); return -EFAULT; + } get_user(duty_cycle, (int *)argp); r = set_irblaster_duty_cycle(duty_cycle); break; @@ -414,6 +423,7 @@ static long aml_ir_blaster_ioctl(struct file *filp, unsigned int cmd, break; } + kfree(sendcode); return r; } static int aml_ir_blaster_release(struct inode *inode, struct file *file) diff --git a/drivers/amlogic/mmc/emmc_partitions.c b/drivers/amlogic/mmc/emmc_partitions.c old mode 100755 new mode 100644 index a19c3cb..00c4962 --- a/drivers/amlogic/mmc/emmc_partitions.c +++ b/drivers/amlogic/mmc/emmc_partitions.c @@ -158,6 +158,7 @@ static int _dtb_init(struct mmc_card *mmc) int cpy = 1, valid = 0; int bit = mmc->csd.read_blkbits; int blk; +#ifdef CONFIG_ARM64 unsigned int pgcnt; struct page *page = NULL; 
@@ -168,6 +169,11 @@ static int _dtb_init(struct mmc_card *mmc) if (!page) return -ENOMEM; dtb = page_address(page); +#else + dtb = kmalloc(CONFIG_DTB_SIZE, GFP_KERNEL); + if (!dtb) + return -ENOMEM; +#endif /* read dtb2 1st, for compatibility without checksum. */ while (cpy >= 0) { @@ -190,7 +196,11 @@ static int _dtb_init(struct mmc_card *mmc) } pr_info("total valid %d\n", valid); +#ifdef CONFIG_ARM64 dma_release_from_contiguous(NULL, page, pgcnt); +#else + kfree(dtb); +#endif return ret; } -- 2.7.4
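Review bot: On the non-ARM64 path `kmalloc(CONFIG_DTB_SIZE, GFP_KERNEL)` asks for one physically contiguous block, and the value of CONFIG_DTB_SIZE is not shown in this patch; if it is large, the request may fail on a fragmented system. If the buffer does not have to be physically contiguous for the reads in the loop that follows (its body is not visible here), `vmalloc()`/`vfree()` would be the more reliable pair; otherwise a comment saying why contiguous memory is needed would help. Allocation and release are now selected by two separate `#ifdef CONFIG_ARM64` blocks in _dtb_init (the second is in the hunk at -190,7) and must stay in step. A comment at the `#else` such as `/* non-ARM64: heap buffer instead of CMA pages; released with kfree() at the end of _dtb_init */` would make that pairing explicit.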