authorLinus Torvalds <torvalds@linux-foundation.org>2013-11-18 18:10:05 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2013-11-18 18:10:05 -0500
commit3ea369eea07eb64adf36a6fb7fddb5d082c84143 (patch)
tree976e44b7baf67bc1f9837ebed447e4b686ad4187
parenta310410f616c78f24490de1274487a7b7b137d97 (diff)
parent3cdcf7369cdb3406c61090e453b78cb8d4882ef8 (diff)
Merge branch 'topic/kbuild-fixes-for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
Pull media build fixes from Mauro Carvalho Chehab: "A series of patches that fix compilation on non-x86 archs. While most of them are just build fixes, there are some fixes for real bugs, as there are a number of drivers using dynamic stack allocation. A few of those might be considered a security risk, if the i2c-dev module is loaded, as someone could be sending very long I2C data that could potentially overflow the Kernel stack. Ok, as using /dev/i2c-* devnodes usually requires root on usual distros, and exploiting it would require a DVB board or USB stick, the risk is not high" * 'topic/kbuild-fixes-for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (28 commits) [media] platform drivers: Fix build on frv arch [media] lirc_zilog: Don't use dynamic static allocation [media] mxl111sf: Don't use dynamic static allocation [media] af9035: Don't use dynamic static allocation [media] af9015: Don't use dynamic static allocation [media] dw2102: Don't use dynamic static allocation [media] dibusb-common: Don't use dynamic static allocation [media] cxusb: Don't use dynamic static allocation [media] v4l2-async: Don't use dynamic static allocation [media] cimax2: Don't use dynamic static allocation [media] tuner-xc2028: Don't use dynamic static allocation [media] tuners: Don't use dynamic static allocation [media] av7110_hw: Don't use dynamic static allocation [media] stv090x: Don't use dynamic static allocation [media] stv0367: Don't use dynamic static allocation [media] stb0899_drv: Don't use dynamic static allocation [media] dvb-frontends: Don't use dynamic static allocation [media] dvb-frontends: Don't use dynamic static allocation [media] s5h1420: Don't use dynamic static allocation [media] uvc/lirc_serial: Fix some warnings on parisc arch ...
-rw-r--r--drivers/media/dvb-frontends/af9013.c14
-rw-r--r--drivers/media/dvb-frontends/af9033.c23
-rw-r--r--drivers/media/dvb-frontends/bcm3510.c15
-rw-r--r--drivers/media/dvb-frontends/cxd2820r_core.c21
-rw-r--r--drivers/media/dvb-frontends/itd1000.c13
-rw-r--r--drivers/media/dvb-frontends/mt312.c10
-rw-r--r--drivers/media/dvb-frontends/nxt200x.c11
-rw-r--r--drivers/media/dvb-frontends/rtl2830.c14
-rw-r--r--drivers/media/dvb-frontends/rtl2832.c14
-rw-r--r--drivers/media/dvb-frontends/s5h1420.c11
-rw-r--r--drivers/media/dvb-frontends/stb0899_drv.c12
-rw-r--r--drivers/media/dvb-frontends/stb6100.c11
-rw-r--r--drivers/media/dvb-frontends/stv0367.c13
-rw-r--r--drivers/media/dvb-frontends/stv090x.c12
-rw-r--r--drivers/media/dvb-frontends/stv6110.c12
-rw-r--r--drivers/media/dvb-frontends/stv6110x.c13
-rw-r--r--drivers/media/dvb-frontends/tda10071.c25
-rw-r--r--drivers/media/dvb-frontends/tda18271c2dd.c14
-rw-r--r--drivers/media/dvb-frontends/zl10039.c12
-rw-r--r--drivers/media/pci/cx18/cx18-driver.c20
-rw-r--r--drivers/media/pci/cx23885/cimax2.c13
-rw-r--r--drivers/media/pci/ttpci/av7110_hw.c19
-rw-r--r--drivers/media/pci/zoran/Kconfig1
-rw-r--r--drivers/media/platform/soc_camera/rcar_vin.c1
-rw-r--r--drivers/media/radio/radio-shark.c2
-rw-r--r--drivers/media/radio/radio-shark2.c2
-rw-r--r--drivers/media/radio/si470x/radio-si470x-i2c.c4
-rw-r--r--drivers/media/radio/tef6862.c20
-rw-r--r--drivers/media/rc/fintek-cir.h4
-rw-r--r--drivers/media/rc/iguanair.c22
-rw-r--r--drivers/media/rc/nuvoton-cir.h4
-rw-r--r--drivers/media/tuners/e4000.c25
-rw-r--r--drivers/media/tuners/fc2580.c25
-rw-r--r--drivers/media/tuners/tda18212.c25
-rw-r--r--drivers/media/tuners/tda18218.c23
-rw-r--r--drivers/media/tuners/tda9887.c4
-rw-r--r--drivers/media/tuners/tuner-xc2028.c8
-rw-r--r--drivers/media/usb/dvb-usb-v2/af9015.c3
-rw-r--r--drivers/media/usb/dvb-usb-v2/af9035.c29
-rw-r--r--drivers/media/usb/dvb-usb-v2/mxl111sf.c10
-rw-r--r--drivers/media/usb/dvb-usb/cxusb.c41
-rw-r--r--drivers/media/usb/dvb-usb/dibusb-common.c10
-rw-r--r--drivers/media/usb/dvb-usb/dw2102.c90
-rw-r--r--drivers/media/usb/uvc/uvc_video.c3
-rw-r--r--drivers/media/v4l2-core/v4l2-async.c30
-rw-r--r--drivers/staging/media/lirc/lirc_serial.c9
-rw-r--r--drivers/staging/media/lirc/lirc_zilog.c12
47 files changed, 610 insertions, 119 deletions
diff --git a/drivers/media/dvb-frontends/af9013.c b/drivers/media/dvb-frontends/af9013.c
index a204f2828820..fb504f1e9125 100644
--- a/drivers/media/dvb-frontends/af9013.c
+++ b/drivers/media/dvb-frontends/af9013.c
@@ -24,6 +24,9 @@
24 24
25#include "af9013_priv.h" 25#include "af9013_priv.h"
26 26
27/* Max transfer size done by I2C transfer functions */
28#define MAX_XFER_SIZE 64
29
27struct af9013_state { 30struct af9013_state {
28 struct i2c_adapter *i2c; 31 struct i2c_adapter *i2c;
29 struct dvb_frontend fe; 32 struct dvb_frontend fe;
@@ -50,16 +53,23 @@ static int af9013_wr_regs_i2c(struct af9013_state *priv, u8 mbox, u16 reg,
50 const u8 *val, int len) 53 const u8 *val, int len)
51{ 54{
52 int ret; 55 int ret;
53 u8 buf[3+len]; 56 u8 buf[MAX_XFER_SIZE];
54 struct i2c_msg msg[1] = { 57 struct i2c_msg msg[1] = {
55 { 58 {
56 .addr = priv->config.i2c_addr, 59 .addr = priv->config.i2c_addr,
57 .flags = 0, 60 .flags = 0,
58 .len = sizeof(buf), 61 .len = 3 + len,
59 .buf = buf, 62 .buf = buf,
60 } 63 }
61 }; 64 };
62 65
66 if (3 + len > sizeof(buf)) {
67 dev_warn(&priv->i2c->dev,
68 "%s: i2c wr reg=%04x: len=%d is too big!\n",
69 KBUILD_MODNAME, reg, len);
70 return -EINVAL;
71 }
72
63 buf[0] = (reg >> 8) & 0xff; 73 buf[0] = (reg >> 8) & 0xff;
64 buf[1] = (reg >> 0) & 0xff; 74 buf[1] = (reg >> 0) & 0xff;
65 buf[2] = mbox; 75 buf[2] = mbox;
diff --git a/drivers/media/dvb-frontends/af9033.c b/drivers/media/dvb-frontends/af9033.c
index a777b4b944eb..30ee59052157 100644
--- a/drivers/media/dvb-frontends/af9033.c
+++ b/drivers/media/dvb-frontends/af9033.c
@@ -21,6 +21,9 @@
21 21
22#include "af9033_priv.h" 22#include "af9033_priv.h"
23 23
24/* Max transfer size done by I2C transfer functions */
25#define MAX_XFER_SIZE 64
26
24struct af9033_state { 27struct af9033_state {
25 struct i2c_adapter *i2c; 28 struct i2c_adapter *i2c;
26 struct dvb_frontend fe; 29 struct dvb_frontend fe;
@@ -40,16 +43,23 @@ static int af9033_wr_regs(struct af9033_state *state, u32 reg, const u8 *val,
40 int len) 43 int len)
41{ 44{
42 int ret; 45 int ret;
43 u8 buf[3 + len]; 46 u8 buf[MAX_XFER_SIZE];
44 struct i2c_msg msg[1] = { 47 struct i2c_msg msg[1] = {
45 { 48 {
46 .addr = state->cfg.i2c_addr, 49 .addr = state->cfg.i2c_addr,
47 .flags = 0, 50 .flags = 0,
48 .len = sizeof(buf), 51 .len = 3 + len,
49 .buf = buf, 52 .buf = buf,
50 } 53 }
51 }; 54 };
52 55
56 if (3 + len > sizeof(buf)) {
57 dev_warn(&state->i2c->dev,
58 "%s: i2c wr reg=%04x: len=%d is too big!\n",
59 KBUILD_MODNAME, reg, len);
60 return -EINVAL;
61 }
62
53 buf[0] = (reg >> 16) & 0xff; 63 buf[0] = (reg >> 16) & 0xff;
54 buf[1] = (reg >> 8) & 0xff; 64 buf[1] = (reg >> 8) & 0xff;
55 buf[2] = (reg >> 0) & 0xff; 65 buf[2] = (reg >> 0) & 0xff;
@@ -161,7 +171,14 @@ static int af9033_wr_reg_val_tab(struct af9033_state *state,
161 const struct reg_val *tab, int tab_len) 171 const struct reg_val *tab, int tab_len)
162{ 172{
163 int ret, i, j; 173 int ret, i, j;
164 u8 buf[tab_len]; 174 u8 buf[MAX_XFER_SIZE];
175
176 if (tab_len > sizeof(buf)) {
177 dev_warn(&state->i2c->dev,
178 "%s: i2c wr len=%d is too big!\n",
179 KBUILD_MODNAME, tab_len);
180 return -EINVAL;
181 }
165 182
166 dev_dbg(&state->i2c->dev, "%s: tab_len=%d\n", __func__, tab_len); 183 dev_dbg(&state->i2c->dev, "%s: tab_len=%d\n", __func__, tab_len);
167 184
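Review bot: In af9033_wr_reg_val_tab the new `tab_len > sizeof(buf)` guard compares a count of `struct reg_val` table entries against the 64-byte MAX_XFER_SIZE, so any register table with more than 64 entries is now refused with -EINVAL where the old `u8 buf[tab_len]` accepted it. The tables passed in are not visible in this hunk, so whether any of them exceeds 64 entries needs checking against the callers; if one does, that table write would start failing. A separate constant sized for the largest table, or flushing buf whenever it fills, would keep the fixed-size stack buffer without rejecting valid tables. The function body continues outside the hunk.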
diff --git a/drivers/media/dvb-frontends/bcm3510.c b/drivers/media/dvb-frontends/bcm3510.c
index 1b77909c0c71..39a29dd29519 100644
--- a/drivers/media/dvb-frontends/bcm3510.c
+++ b/drivers/media/dvb-frontends/bcm3510.c
@@ -44,6 +44,9 @@
44#include "bcm3510.h" 44#include "bcm3510.h"
45#include "bcm3510_priv.h" 45#include "bcm3510_priv.h"
46 46
47/* Max transfer size done by bcm3510_do_hab_cmd() function */
48#define MAX_XFER_SIZE 128
49
47struct bcm3510_state { 50struct bcm3510_state {
48 51
49 struct i2c_adapter* i2c; 52 struct i2c_adapter* i2c;
@@ -201,9 +204,19 @@ static int bcm3510_hab_send_request(struct bcm3510_state *st, u8 *buf, int len)
201 204
202static int bcm3510_do_hab_cmd(struct bcm3510_state *st, u8 cmd, u8 msgid, u8 *obuf, u8 olen, u8 *ibuf, u8 ilen) 205static int bcm3510_do_hab_cmd(struct bcm3510_state *st, u8 cmd, u8 msgid, u8 *obuf, u8 olen, u8 *ibuf, u8 ilen)
203{ 206{
204 u8 ob[olen+2],ib[ilen+2]; 207 u8 ob[MAX_XFER_SIZE], ib[MAX_XFER_SIZE];
205 int ret = 0; 208 int ret = 0;
206 209
210 if (ilen + 2 > sizeof(ib)) {
211 deb_hab("do_hab_cmd: ilen=%d is too big!\n", ilen);
212 return -EINVAL;
213 }
214
215 if (olen + 2 > sizeof(ob)) {
216 deb_hab("do_hab_cmd: olen=%d is too big!\n", olen);
217 return -EINVAL;
218 }
219
207 ob[0] = cmd; 220 ob[0] = cmd;
208 ob[1] = msgid; 221 ob[1] = msgid;
209 memcpy(&ob[2],obuf,olen); 222 memcpy(&ob[2],obuf,olen);
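Review bot: Both new length checks in bcm3510_do_hab_cmd report the rejection through `deb_hab`, which by its name appears to be the driver's debug-gated print (its definition is outside this hunk), so an oversized request would probably fail with -EINVAL silently on a default configuration. The other drivers in this series log the same condition at warning level; for consistency I would use `printk(KERN_WARNING "bcm3510: do_hab_cmd: olen=%d is too big!\n", olen);` and the same for ilen. The function body continues outside the hunk.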
diff --git a/drivers/media/dvb-frontends/cxd2820r_core.c b/drivers/media/dvb-frontends/cxd2820r_core.c
index d9eeeb1dfa96..03930d5e9fea 100644
--- a/drivers/media/dvb-frontends/cxd2820r_core.c
+++ b/drivers/media/dvb-frontends/cxd2820r_core.c
@@ -21,12 +21,15 @@
21 21
22#include "cxd2820r_priv.h" 22#include "cxd2820r_priv.h"
23 23
24/* Max transfer size done by I2C transfer functions */
25#define MAX_XFER_SIZE 64
26
24/* write multiple registers */ 27/* write multiple registers */
25static int cxd2820r_wr_regs_i2c(struct cxd2820r_priv *priv, u8 i2c, u8 reg, 28static int cxd2820r_wr_regs_i2c(struct cxd2820r_priv *priv, u8 i2c, u8 reg,
26 u8 *val, int len) 29 u8 *val, int len)
27{ 30{
28 int ret; 31 int ret;
29 u8 buf[len+1]; 32 u8 buf[MAX_XFER_SIZE];
30 struct i2c_msg msg[1] = { 33 struct i2c_msg msg[1] = {
31 { 34 {
32 .addr = i2c, 35 .addr = i2c,
@@ -36,6 +39,13 @@ static int cxd2820r_wr_regs_i2c(struct cxd2820r_priv *priv, u8 i2c, u8 reg,
36 } 39 }
37 }; 40 };
38 41
42 if (1 + len > sizeof(buf)) {
43 dev_warn(&priv->i2c->dev,
44 "%s: i2c wr reg=%04x: len=%d is too big!\n",
45 KBUILD_MODNAME, reg, len);
46 return -EINVAL;
47 }
48
39 buf[0] = reg; 49 buf[0] = reg;
40 memcpy(&buf[1], val, len); 50 memcpy(&buf[1], val, len);
41 51
@@ -55,7 +65,7 @@ static int cxd2820r_rd_regs_i2c(struct cxd2820r_priv *priv, u8 i2c, u8 reg,
55 u8 *val, int len) 65 u8 *val, int len)
56{ 66{
57 int ret; 67 int ret;
58 u8 buf[len]; 68 u8 buf[MAX_XFER_SIZE];
59 struct i2c_msg msg[2] = { 69 struct i2c_msg msg[2] = {
60 { 70 {
61 .addr = i2c, 71 .addr = i2c,
@@ -70,6 +80,13 @@ static int cxd2820r_rd_regs_i2c(struct cxd2820r_priv *priv, u8 i2c, u8 reg,
70 } 80 }
71 }; 81 };
72 82
83 if (len > sizeof(buf)) {
84 dev_warn(&priv->i2c->dev,
85 "%s: i2c wr reg=%04x: len=%d is too big!\n",
86 KBUILD_MODNAME, reg, len);
87 return -EINVAL;
88 }
89
73 ret = i2c_transfer(priv->i2c, msg, 2); 90 ret = i2c_transfer(priv->i2c, msg, 2);
74 if (ret == 2) { 91 if (ret == 2) {
75 memcpy(val, buf, len); 92 memcpy(val, buf, len);
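Review bot: The warning added to cxd2820r_rd_regs_i2c says `i2c wr reg=%04x` although this is the read path, which will mislead anyone triaging the log; it should read `"%s: i2c rd reg=%04x: len=%d is too big!\n"`. The same copy-pasted text is in tda10071_rd_regs in tda10071.c. Both function bodies continue outside their hunks.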
diff --git a/drivers/media/dvb-frontends/itd1000.c b/drivers/media/dvb-frontends/itd1000.c
index c1c3400b2173..cadcae4cff89 100644
--- a/drivers/media/dvb-frontends/itd1000.c
+++ b/drivers/media/dvb-frontends/itd1000.c
@@ -31,6 +31,9 @@
31#include "itd1000.h" 31#include "itd1000.h"
32#include "itd1000_priv.h" 32#include "itd1000_priv.h"
33 33
34/* Max transfer size done by I2C transfer functions */
35#define MAX_XFER_SIZE 64
36
34static int debug; 37static int debug;
35module_param(debug, int, 0644); 38module_param(debug, int, 0644);
36MODULE_PARM_DESC(debug, "Turn on/off debugging (default:off)."); 39MODULE_PARM_DESC(debug, "Turn on/off debugging (default:off).");
@@ -52,10 +55,18 @@ MODULE_PARM_DESC(debug, "Turn on/off debugging (default:off).");
52/* don't write more than one byte with flexcop behind */ 55/* don't write more than one byte with flexcop behind */
53static int itd1000_write_regs(struct itd1000_state *state, u8 reg, u8 v[], u8 len) 56static int itd1000_write_regs(struct itd1000_state *state, u8 reg, u8 v[], u8 len)
54{ 57{
55 u8 buf[1+len]; 58 u8 buf[MAX_XFER_SIZE];
56 struct i2c_msg msg = { 59 struct i2c_msg msg = {
57 .addr = state->cfg->i2c_address, .flags = 0, .buf = buf, .len = len+1 60 .addr = state->cfg->i2c_address, .flags = 0, .buf = buf, .len = len+1
58 }; 61 };
62
63 if (1 + len > sizeof(buf)) {
64 printk(KERN_WARNING
65 "itd1000: i2c wr reg=%04x: len=%d is too big!\n",
66 reg, len);
67 return -EINVAL;
68 }
69
59 buf[0] = reg; 70 buf[0] = reg;
60 memcpy(&buf[1], v, len); 71 memcpy(&buf[1], v, len);
61 72
diff --git a/drivers/media/dvb-frontends/mt312.c b/drivers/media/dvb-frontends/mt312.c
index ec388c1d6913..a74ac0ddb833 100644
--- a/drivers/media/dvb-frontends/mt312.c
+++ b/drivers/media/dvb-frontends/mt312.c
@@ -36,6 +36,8 @@
36#include "mt312_priv.h" 36#include "mt312_priv.h"
37#include "mt312.h" 37#include "mt312.h"
38 38
39/* Max transfer size done by I2C transfer functions */
40#define MAX_XFER_SIZE 64
39 41
40struct mt312_state { 42struct mt312_state {
41 struct i2c_adapter *i2c; 43 struct i2c_adapter *i2c;
@@ -96,9 +98,15 @@ static int mt312_write(struct mt312_state *state, const enum mt312_reg_addr reg,
96 const u8 *src, const size_t count) 98 const u8 *src, const size_t count)
97{ 99{
98 int ret; 100 int ret;
99 u8 buf[count + 1]; 101 u8 buf[MAX_XFER_SIZE];
100 struct i2c_msg msg; 102 struct i2c_msg msg;
101 103
104 if (1 + count > sizeof(buf)) {
105 printk(KERN_WARNING
106 "mt312: write: len=%zd is too big!\n", count);
107 return -EINVAL;
108 }
109
102 if (debug) { 110 if (debug) {
103 int i; 111 int i;
104 dprintk("W(%d):", reg & 0x7f); 112 dprintk("W(%d):", reg & 0x7f);
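Review bot: The guard `1 + count > sizeof(buf)` in mt312_write is evaluated in unsigned arithmetic, so a `count` of SIZE_MAX wraps the sum to 0 and passes the check; writing it as `if (count > sizeof(buf) - 1)` cannot wrap. stb0899_write_regs in stb0899_drv.c has the same shape with `u32 count` (`2 + count` wraps for the two largest values), and `if (count > sizeof(buf) - 2)` fixes it there. No caller visible here passes such a length, so this is hardening rather than a known fault. The format specifiers also do not match the unsigned arguments: `%zd` should be `%zu` here and `%d` should be `%u` in stb0899_write_regs. mt312_write's body continues outside the hunk.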
diff --git a/drivers/media/dvb-frontends/nxt200x.c b/drivers/media/dvb-frontends/nxt200x.c
index 8e288940a61f..fbca9856313a 100644
--- a/drivers/media/dvb-frontends/nxt200x.c
+++ b/drivers/media/dvb-frontends/nxt200x.c
@@ -39,6 +39,9 @@
39 */ 39 */
40#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 40#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
41 41
42/* Max transfer size done by I2C transfer functions */
43#define MAX_XFER_SIZE 64
44
42#define NXT2002_DEFAULT_FIRMWARE "dvb-fe-nxt2002.fw" 45#define NXT2002_DEFAULT_FIRMWARE "dvb-fe-nxt2002.fw"
43#define NXT2004_DEFAULT_FIRMWARE "dvb-fe-nxt2004.fw" 46#define NXT2004_DEFAULT_FIRMWARE "dvb-fe-nxt2004.fw"
44#define CRC_CCIT_MASK 0x1021 47#define CRC_CCIT_MASK 0x1021
@@ -95,10 +98,16 @@ static int i2c_readbytes(struct nxt200x_state *state, u8 addr, u8 *buf, u8 len)
95static int nxt200x_writebytes (struct nxt200x_state* state, u8 reg, 98static int nxt200x_writebytes (struct nxt200x_state* state, u8 reg,
96 const u8 *buf, u8 len) 99 const u8 *buf, u8 len)
97{ 100{
98 u8 buf2 [len+1]; 101 u8 buf2[MAX_XFER_SIZE];
99 int err; 102 int err;
100 struct i2c_msg msg = { .addr = state->config->demod_address, .flags = 0, .buf = buf2, .len = len + 1 }; 103 struct i2c_msg msg = { .addr = state->config->demod_address, .flags = 0, .buf = buf2, .len = len + 1 };
101 104
105 if (1 + len > sizeof(buf2)) {
106 pr_warn("%s: i2c wr reg=%04x: len=%d is too big!\n",
107 __func__, reg, len);
108 return -EINVAL;
109 }
110
102 buf2[0] = reg; 111 buf2[0] = reg;
103 memcpy(&buf2[1], buf, len); 112 memcpy(&buf2[1], buf, len);
104 113
diff --git a/drivers/media/dvb-frontends/rtl2830.c b/drivers/media/dvb-frontends/rtl2830.c
index 362d26d11e82..7efb796c472c 100644
--- a/drivers/media/dvb-frontends/rtl2830.c
+++ b/drivers/media/dvb-frontends/rtl2830.c
@@ -27,20 +27,30 @@
27 27
28#include "rtl2830_priv.h" 28#include "rtl2830_priv.h"
29 29
30/* Max transfer size done by I2C transfer functions */
31#define MAX_XFER_SIZE 64
32
30/* write multiple hardware registers */ 33/* write multiple hardware registers */
31static int rtl2830_wr(struct rtl2830_priv *priv, u8 reg, const u8 *val, int len) 34static int rtl2830_wr(struct rtl2830_priv *priv, u8 reg, const u8 *val, int len)
32{ 35{
33 int ret; 36 int ret;
34 u8 buf[1+len]; 37 u8 buf[MAX_XFER_SIZE];
35 struct i2c_msg msg[1] = { 38 struct i2c_msg msg[1] = {
36 { 39 {
37 .addr = priv->cfg.i2c_addr, 40 .addr = priv->cfg.i2c_addr,
38 .flags = 0, 41 .flags = 0,
39 .len = 1+len, 42 .len = 1 + len,
40 .buf = buf, 43 .buf = buf,
41 } 44 }
42 }; 45 };
43 46
47 if (1 + len > sizeof(buf)) {
48 dev_warn(&priv->i2c->dev,
49 "%s: i2c wr reg=%04x: len=%d is too big!\n",
50 KBUILD_MODNAME, reg, len);
51 return -EINVAL;
52 }
53
44 buf[0] = reg; 54 buf[0] = reg;
45 memcpy(&buf[1], val, len); 55 memcpy(&buf[1], val, len);
46 56
diff --git a/drivers/media/dvb-frontends/rtl2832.c b/drivers/media/dvb-frontends/rtl2832.c
index a95dfe0a5ce3..ff73da9365e3 100644
--- a/drivers/media/dvb-frontends/rtl2832.c
+++ b/drivers/media/dvb-frontends/rtl2832.c
@@ -22,6 +22,9 @@
22#include "dvb_math.h" 22#include "dvb_math.h"
23#include <linux/bitops.h> 23#include <linux/bitops.h>
24 24
25/* Max transfer size done by I2C transfer functions */
26#define MAX_XFER_SIZE 64
27
25int rtl2832_debug; 28int rtl2832_debug;
26module_param_named(debug, rtl2832_debug, int, 0644); 29module_param_named(debug, rtl2832_debug, int, 0644);
27MODULE_PARM_DESC(debug, "Turn on/off frontend debugging (default:off)."); 30MODULE_PARM_DESC(debug, "Turn on/off frontend debugging (default:off).");
@@ -162,16 +165,23 @@ static const struct rtl2832_reg_entry registers[] = {
162static int rtl2832_wr(struct rtl2832_priv *priv, u8 reg, u8 *val, int len) 165static int rtl2832_wr(struct rtl2832_priv *priv, u8 reg, u8 *val, int len)
163{ 166{
164 int ret; 167 int ret;
165 u8 buf[1+len]; 168 u8 buf[MAX_XFER_SIZE];
166 struct i2c_msg msg[1] = { 169 struct i2c_msg msg[1] = {
167 { 170 {
168 .addr = priv->cfg.i2c_addr, 171 .addr = priv->cfg.i2c_addr,
169 .flags = 0, 172 .flags = 0,
170 .len = 1+len, 173 .len = 1 + len,
171 .buf = buf, 174 .buf = buf,
172 } 175 }
173 }; 176 };
174 177
178 if (1 + len > sizeof(buf)) {
179 dev_warn(&priv->i2c->dev,
180 "%s: i2c wr reg=%04x: len=%d is too big!\n",
181 KBUILD_MODNAME, reg, len);
182 return -EINVAL;
183 }
184
175 buf[0] = reg; 185 buf[0] = reg;
176 memcpy(&buf[1], val, len); 186 memcpy(&buf[1], val, len);
177 187
diff --git a/drivers/media/dvb-frontends/s5h1420.c b/drivers/media/dvb-frontends/s5h1420.c
index e2fec9ebf947..93eeaf7118fd 100644
--- a/drivers/media/dvb-frontends/s5h1420.c
+++ b/drivers/media/dvb-frontends/s5h1420.c
@@ -836,9 +836,16 @@ static u32 s5h1420_tuner_i2c_func(struct i2c_adapter *adapter)
836static int s5h1420_tuner_i2c_tuner_xfer(struct i2c_adapter *i2c_adap, struct i2c_msg msg[], int num) 836static int s5h1420_tuner_i2c_tuner_xfer(struct i2c_adapter *i2c_adap, struct i2c_msg msg[], int num)
837{ 837{
838 struct s5h1420_state *state = i2c_get_adapdata(i2c_adap); 838 struct s5h1420_state *state = i2c_get_adapdata(i2c_adap);
839 struct i2c_msg m[1 + num]; 839 struct i2c_msg m[3];
840 u8 tx_open[2] = { CON_1, state->CON_1_val | 1 }; /* repeater stops once there was a stop condition */ 840 u8 tx_open[2] = { CON_1, state->CON_1_val | 1 }; /* repeater stops once there was a stop condition */
841 841
842 if (1 + num > ARRAY_SIZE(m)) {
843 printk(KERN_WARNING
844 "%s: i2c xfer: num=%d is too big!\n",
845 KBUILD_MODNAME, num);
846 return -EOPNOTSUPP;
847 }
848
842 memset(m, 0, sizeof(struct i2c_msg) * (1 + num)); 849 memset(m, 0, sizeof(struct i2c_msg) * (1 + num));
843 850
844 m[0].addr = state->config->demod_address; 851 m[0].addr = state->config->demod_address;
@@ -847,7 +854,7 @@ static int s5h1420_tuner_i2c_tuner_xfer(struct i2c_adapter *i2c_adap, struct i2c
847 854
848 memcpy(&m[1], msg, sizeof(struct i2c_msg) * num); 855 memcpy(&m[1], msg, sizeof(struct i2c_msg) * num);
849 856
850 return i2c_transfer(state->i2c, m, 1+num) == 1 + num ? num : -EIO; 857 return i2c_transfer(state->i2c, m, 1 + num) == 1 + num ? num : -EIO;
851} 858}
852 859
853static struct i2c_algorithm s5h1420_tuner_i2c_algo = { 860static struct i2c_algorithm s5h1420_tuner_i2c_algo = {
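Review bot: The new bound in s5h1420_tuner_i2c_tuner_xfer rejects `num` values below -1 only through the implicit conversion to size_t, and `num == -1` makes `1 + num` zero, which passes the check and then reaches `memcpy(&m[1], msg, sizeof(struct i2c_msg) * num)` with a wrapped size. The i2c core is not expected to call the transfer hook with a negative count, so this is defensive, but stating it costs one term: `if (num < 0 || 1 + num > ARRAY_SIZE(m)) {`. It is also worth a comment on `struct i2c_msg m[3]` saying that transfers of more than two messages are now refused with -EOPNOTSUPP.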
diff --git a/drivers/media/dvb-frontends/stb0899_drv.c b/drivers/media/dvb-frontends/stb0899_drv.c
index 3dd5714eadba..07cd5ea7a038 100644
--- a/drivers/media/dvb-frontends/stb0899_drv.c
+++ b/drivers/media/dvb-frontends/stb0899_drv.c
@@ -32,6 +32,9 @@
32#include "stb0899_priv.h" 32#include "stb0899_priv.h"
33#include "stb0899_reg.h" 33#include "stb0899_reg.h"
34 34
35/* Max transfer size done by I2C transfer functions */
36#define MAX_XFER_SIZE 64
37
35static unsigned int verbose = 0;//1; 38static unsigned int verbose = 0;//1;
36module_param(verbose, int, 0644); 39module_param(verbose, int, 0644);
37 40
@@ -499,7 +502,7 @@ err:
499int stb0899_write_regs(struct stb0899_state *state, unsigned int reg, u8 *data, u32 count) 502int stb0899_write_regs(struct stb0899_state *state, unsigned int reg, u8 *data, u32 count)
500{ 503{
501 int ret; 504 int ret;
502 u8 buf[2 + count]; 505 u8 buf[MAX_XFER_SIZE];
503 struct i2c_msg i2c_msg = { 506 struct i2c_msg i2c_msg = {
504 .addr = state->config->demod_address, 507 .addr = state->config->demod_address,
505 .flags = 0, 508 .flags = 0,
@@ -507,6 +510,13 @@ int stb0899_write_regs(struct stb0899_state *state, unsigned int reg, u8 *data,
507 .len = 2 + count 510 .len = 2 + count
508 }; 511 };
509 512
513 if (2 + count > sizeof(buf)) {
514 printk(KERN_WARNING
515 "%s: i2c wr reg=%04x: len=%d is too big!\n",
516 KBUILD_MODNAME, reg, count);
517 return -EINVAL;
518 }
519
510 buf[0] = reg >> 8; 520 buf[0] = reg >> 8;
511 buf[1] = reg & 0xff; 521 buf[1] = reg & 0xff;
512 memcpy(&buf[2], data, count); 522 memcpy(&buf[2], data, count);
diff --git a/drivers/media/dvb-frontends/stb6100.c b/drivers/media/dvb-frontends/stb6100.c
index 45f9523f968f..cea175d19890 100644
--- a/drivers/media/dvb-frontends/stb6100.c
+++ b/drivers/media/dvb-frontends/stb6100.c
@@ -31,6 +31,8 @@
31static unsigned int verbose; 31static unsigned int verbose;
32module_param(verbose, int, 0644); 32module_param(verbose, int, 0644);
33 33
34/* Max transfer size done by I2C transfer functions */
35#define MAX_XFER_SIZE 64
34 36
35#define FE_ERROR 0 37#define FE_ERROR 0
36#define FE_NOTICE 1 38#define FE_NOTICE 1
@@ -183,7 +185,7 @@ static int stb6100_read_reg(struct stb6100_state *state, u8 reg)
183static int stb6100_write_reg_range(struct stb6100_state *state, u8 buf[], int start, int len) 185static int stb6100_write_reg_range(struct stb6100_state *state, u8 buf[], int start, int len)
184{ 186{
185 int rc; 187 int rc;
186 u8 cmdbuf[len + 1]; 188 u8 cmdbuf[MAX_XFER_SIZE];
187 struct i2c_msg msg = { 189 struct i2c_msg msg = {
188 .addr = state->config->tuner_address, 190 .addr = state->config->tuner_address,
189 .flags = 0, 191 .flags = 0,
@@ -191,6 +193,13 @@ static int stb6100_write_reg_range(struct stb6100_state *state, u8 buf[], int st
191 .len = len + 1 193 .len = len + 1
192 }; 194 };
193 195
196 if (1 + len > sizeof(buf)) {
197 printk(KERN_WARNING
198 "%s: i2c wr: len=%d is too big!\n",
199 KBUILD_MODNAME, len);
200 return -EINVAL;
201 }
202
194 if (unlikely(start < 1 || start + len > STB6100_NUMREGS)) { 203 if (unlikely(start < 1 || start + len > STB6100_NUMREGS)) {
195 dprintk(verbose, FE_ERROR, 1, "Invalid register range %d:%d", 204 dprintk(verbose, FE_ERROR, 1, "Invalid register range %d:%d",
196 start, len); 205 start, len);
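Review bot: The added check in stb6100_write_reg_range uses `sizeof(buf)`, but `buf` here is the `u8 buf[]` parameter, which is a pointer, so the comparison is against the pointer size (4 or 8 bytes) instead of the 64-byte local `cmdbuf`. As written it does not bound the copy into `cmdbuf`, and it refuses any write whose `1 + len` exceeds the pointer size; the line should be `if (1 + len > sizeof(cmdbuf)) {`, as stv6110_write_regs in this series already does. The function body continues outside the hunk.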
diff --git a/drivers/media/dvb-frontends/stv0367.c b/drivers/media/dvb-frontends/stv0367.c
index 7b6dba3ce55e..458772739423 100644
--- a/drivers/media/dvb-frontends/stv0367.c
+++ b/drivers/media/dvb-frontends/stv0367.c
@@ -33,6 +33,9 @@
33#include "stv0367_regs.h" 33#include "stv0367_regs.h"
34#include "stv0367_priv.h" 34#include "stv0367_priv.h"
35 35
36/* Max transfer size done by I2C transfer functions */
37#define MAX_XFER_SIZE 64
38
36static int stvdebug; 39static int stvdebug;
37module_param_named(debug, stvdebug, int, 0644); 40module_param_named(debug, stvdebug, int, 0644);
38 41
@@ -767,7 +770,7 @@ static struct st_register def0367cab[STV0367CAB_NBREGS] = {
767static 770static
768int stv0367_writeregs(struct stv0367_state *state, u16 reg, u8 *data, int len) 771int stv0367_writeregs(struct stv0367_state *state, u16 reg, u8 *data, int len)
769{ 772{
770 u8 buf[len + 2]; 773 u8 buf[MAX_XFER_SIZE];
771 struct i2c_msg msg = { 774 struct i2c_msg msg = {
772 .addr = state->config->demod_address, 775 .addr = state->config->demod_address,
773 .flags = 0, 776 .flags = 0,
@@ -776,6 +779,14 @@ int stv0367_writeregs(struct stv0367_state *state, u16 reg, u8 *data, int len)
776 }; 779 };
777 int ret; 780 int ret;
778 781
782 if (2 + len > sizeof(buf)) {
783 printk(KERN_WARNING
784 "%s: i2c wr reg=%04x: len=%d is too big!\n",
785 KBUILD_MODNAME, reg, len);
786 return -EINVAL;
787 }
788
789
779 buf[0] = MSB(reg); 790 buf[0] = MSB(reg);
780 buf[1] = LSB(reg); 791 buf[1] = LSB(reg);
781 memcpy(buf + 2, data, len); 792 memcpy(buf + 2, data, len);
diff --git a/drivers/media/dvb-frontends/stv090x.c b/drivers/media/dvb-frontends/stv090x.c
index 56d470ad5a82..23e872f84742 100644
--- a/drivers/media/dvb-frontends/stv090x.c
+++ b/drivers/media/dvb-frontends/stv090x.c
@@ -35,6 +35,9 @@
35#include "stv090x.h" 35#include "stv090x.h"
36#include "stv090x_priv.h" 36#include "stv090x_priv.h"
37 37
38/* Max transfer size done by I2C transfer functions */
39#define MAX_XFER_SIZE 64
40
38static unsigned int verbose; 41static unsigned int verbose;
39module_param(verbose, int, 0644); 42module_param(verbose, int, 0644);
40 43
@@ -722,9 +725,16 @@ static int stv090x_write_regs(struct stv090x_state *state, unsigned int reg, u8
722{ 725{
723 const struct stv090x_config *config = state->config; 726 const struct stv090x_config *config = state->config;
724 int ret; 727 int ret;
725 u8 buf[2 + count]; 728 u8 buf[MAX_XFER_SIZE];
726 struct i2c_msg i2c_msg = { .addr = config->address, .flags = 0, .buf = buf, .len = 2 + count }; 729 struct i2c_msg i2c_msg = { .addr = config->address, .flags = 0, .buf = buf, .len = 2 + count };
727 730
731 if (2 + count > sizeof(buf)) {
732 printk(KERN_WARNING
733 "%s: i2c wr reg=%04x: len=%d is too big!\n",
734 KBUILD_MODNAME, reg, count);
735 return -EINVAL;
736 }
737
728 buf[0] = reg >> 8; 738 buf[0] = reg >> 8;
729 buf[1] = reg & 0xff; 739 buf[1] = reg & 0xff;
730 memcpy(&buf[2], data, count); 740 memcpy(&buf[2], data, count);
diff --git a/drivers/media/dvb-frontends/stv6110.c b/drivers/media/dvb-frontends/stv6110.c
index 20b5fa92c53e..b1425830a24e 100644
--- a/drivers/media/dvb-frontends/stv6110.c
+++ b/drivers/media/dvb-frontends/stv6110.c
@@ -30,6 +30,9 @@
30 30
31#include "stv6110.h" 31#include "stv6110.h"
32 32
33/* Max transfer size done by I2C transfer functions */
34#define MAX_XFER_SIZE 64
35
33static int debug; 36static int debug;
34 37
35struct stv6110_priv { 38struct stv6110_priv {
@@ -68,7 +71,7 @@ static int stv6110_write_regs(struct dvb_frontend *fe, u8 buf[],
68{ 71{
69 struct stv6110_priv *priv = fe->tuner_priv; 72 struct stv6110_priv *priv = fe->tuner_priv;
70 int rc; 73 int rc;
71 u8 cmdbuf[len + 1]; 74 u8 cmdbuf[MAX_XFER_SIZE];
72 struct i2c_msg msg = { 75 struct i2c_msg msg = {
73 .addr = priv->i2c_address, 76 .addr = priv->i2c_address,
74 .flags = 0, 77 .flags = 0,
@@ -78,6 +81,13 @@ static int stv6110_write_regs(struct dvb_frontend *fe, u8 buf[],
78 81
79 dprintk("%s\n", __func__); 82 dprintk("%s\n", __func__);
80 83
84 if (1 + len > sizeof(cmdbuf)) {
85 printk(KERN_WARNING
86 "%s: i2c wr: len=%d is too big!\n",
87 KBUILD_MODNAME, len);
88 return -EINVAL;
89 }
90
81 if (start + len > 8) 91 if (start + len > 8)
82 return -EINVAL; 92 return -EINVAL;
83 93
diff --git a/drivers/media/dvb-frontends/stv6110x.c b/drivers/media/dvb-frontends/stv6110x.c
index f36cab12bdc7..e66154e5c1d7 100644
--- a/drivers/media/dvb-frontends/stv6110x.c
+++ b/drivers/media/dvb-frontends/stv6110x.c
@@ -32,6 +32,9 @@
32#include "stv6110x.h" 32#include "stv6110x.h"
33#include "stv6110x_priv.h" 33#include "stv6110x_priv.h"
34 34
35/* Max transfer size done by I2C transfer functions */
36#define MAX_XFER_SIZE 64
37
35static unsigned int verbose; 38static unsigned int verbose;
36module_param(verbose, int, 0644); 39module_param(verbose, int, 0644);
37MODULE_PARM_DESC(verbose, "Set Verbosity level"); 40MODULE_PARM_DESC(verbose, "Set Verbosity level");
@@ -61,7 +64,8 @@ static int stv6110x_write_regs(struct stv6110x_state *stv6110x, int start, u8 da
61{ 64{
62 int ret; 65 int ret;
63 const struct stv6110x_config *config = stv6110x->config; 66 const struct stv6110x_config *config = stv6110x->config;
64 u8 buf[len + 1]; 67 u8 buf[MAX_XFER_SIZE];
68
65 struct i2c_msg msg = { 69 struct i2c_msg msg = {
66 .addr = config->addr, 70 .addr = config->addr,
67 .flags = 0, 71 .flags = 0,
@@ -69,6 +73,13 @@ static int stv6110x_write_regs(struct stv6110x_state *stv6110x, int start, u8 da
69 .len = len + 1 73 .len = len + 1
70 }; 74 };
71 75
76 if (1 + len > sizeof(buf)) {
77 printk(KERN_WARNING
78 "%s: i2c wr: len=%d is too big!\n",
79 KBUILD_MODNAME, len);
80 return -EINVAL;
81 }
82
72 if (start + len > 8) 83 if (start + len > 8)
73 return -EINVAL; 84 return -EINVAL;
74 85
diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c
index e79749cfec81..8ad3a57cf640 100644
--- a/drivers/media/dvb-frontends/tda10071.c
+++ b/drivers/media/dvb-frontends/tda10071.c
@@ -20,6 +20,9 @@
20 20
21#include "tda10071_priv.h" 21#include "tda10071_priv.h"
22 22
23/* Max transfer size done by I2C transfer functions */
24#define MAX_XFER_SIZE 64
25
23static struct dvb_frontend_ops tda10071_ops; 26static struct dvb_frontend_ops tda10071_ops;
24 27
25/* write multiple registers */ 28/* write multiple registers */
@@ -27,16 +30,23 @@ static int tda10071_wr_regs(struct tda10071_priv *priv, u8 reg, u8 *val,
27 int len) 30 int len)
28{ 31{
29 int ret; 32 int ret;
30 u8 buf[len+1]; 33 u8 buf[MAX_XFER_SIZE];
31 struct i2c_msg msg[1] = { 34 struct i2c_msg msg[1] = {
32 { 35 {
33 .addr = priv->cfg.demod_i2c_addr, 36 .addr = priv->cfg.demod_i2c_addr,
34 .flags = 0, 37 .flags = 0,
35 .len = sizeof(buf), 38 .len = 1 + len,
36 .buf = buf, 39 .buf = buf,
37 } 40 }
38 }; 41 };
39 42
43 if (1 + len > sizeof(buf)) {
44 dev_warn(&priv->i2c->dev,
45 "%s: i2c wr reg=%04x: len=%d is too big!\n",
46 KBUILD_MODNAME, reg, len);
47 return -EINVAL;
48 }
49
40 buf[0] = reg; 50 buf[0] = reg;
41 memcpy(&buf[1], val, len); 51 memcpy(&buf[1], val, len);
42 52
@@ -56,7 +66,7 @@ static int tda10071_rd_regs(struct tda10071_priv *priv, u8 reg, u8 *val,
56 int len) 66 int len)
57{ 67{
58 int ret; 68 int ret;
59 u8 buf[len]; 69 u8 buf[MAX_XFER_SIZE];
60 struct i2c_msg msg[2] = { 70 struct i2c_msg msg[2] = {
61 { 71 {
62 .addr = priv->cfg.demod_i2c_addr, 72 .addr = priv->cfg.demod_i2c_addr,
@@ -66,11 +76,18 @@ static int tda10071_rd_regs(struct tda10071_priv *priv, u8 reg, u8 *val,
66 }, { 76 }, {
67 .addr = priv->cfg.demod_i2c_addr, 77 .addr = priv->cfg.demod_i2c_addr,
68 .flags = I2C_M_RD, 78 .flags = I2C_M_RD,
69 .len = sizeof(buf), 79 .len = len,
70 .buf = buf, 80 .buf = buf,
71 } 81 }
72 }; 82 };
73 83
84 if (len > sizeof(buf)) {
85 dev_warn(&priv->i2c->dev,
86 "%s: i2c wr reg=%04x: len=%d is too big!\n",
87 KBUILD_MODNAME, reg, len);
88 return -EINVAL;
89 }
90
74 ret = i2c_transfer(priv->i2c, msg, 2); 91 ret = i2c_transfer(priv->i2c, msg, 2);
75 if (ret == 2) { 92 if (ret == 2) {
76 memcpy(val, buf, len); 93 memcpy(val, buf, len);
diff --git a/drivers/media/dvb-frontends/tda18271c2dd.c b/drivers/media/dvb-frontends/tda18271c2dd.c
index d281f77d5c28..2c54586ac07f 100644
--- a/drivers/media/dvb-frontends/tda18271c2dd.c
+++ b/drivers/media/dvb-frontends/tda18271c2dd.c
@@ -34,6 +34,9 @@
34#include "dvb_frontend.h" 34#include "dvb_frontend.h"
35#include "tda18271c2dd.h" 35#include "tda18271c2dd.h"
36 36
37/* Max transfer size done by I2C transfer functions */
38#define MAX_XFER_SIZE 64
39
37struct SStandardParam { 40struct SStandardParam {
38 s32 m_IFFrequency; 41 s32 m_IFFrequency;
39 u32 m_BandWidth; 42 u32 m_BandWidth;
@@ -139,11 +142,18 @@ static int i2c_write(struct i2c_adapter *adap, u8 adr, u8 *data, int len)
139static int WriteRegs(struct tda_state *state, 142static int WriteRegs(struct tda_state *state,
140 u8 SubAddr, u8 *Regs, u16 nRegs) 143 u8 SubAddr, u8 *Regs, u16 nRegs)
141{ 144{
142 u8 data[nRegs+1]; 145 u8 data[MAX_XFER_SIZE];
146
147 if (1 + nRegs > sizeof(data)) {
148 printk(KERN_WARNING
149 "%s: i2c wr: len=%d is too big!\n",
150 KBUILD_MODNAME, nRegs);
151 return -EINVAL;
152 }
143 153
144 data[0] = SubAddr; 154 data[0] = SubAddr;
145 memcpy(data + 1, Regs, nRegs); 155 memcpy(data + 1, Regs, nRegs);
146 return i2c_write(state->i2c, state->adr, data, nRegs+1); 156 return i2c_write(state->i2c, state->adr, data, nRegs + 1);
147} 157}
148 158
149static int WriteReg(struct tda_state *state, u8 SubAddr, u8 Reg) 159static int WriteReg(struct tda_state *state, u8 SubAddr, u8 Reg)
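diff --git a/drivers/media/dvb-frontends/zl10039.c b/drivers/media/dvb-frontends/zl10039.c
index eff9c5fde50a..91b6b2e9b792 100644
--- a/drivers/media/dvb-frontends/zl10039.c
+++ b/drivers/media/dvb-frontends/zl10039.c
@@ -30,6 +30,9 @@
 
 static int debug;
 
+/* Max transfer size done by I2C transfer functions */
+#define MAX_XFER_SIZE 64
+
 #define dprintk(args...) \
  do { \
  if (debug) \
@@ -98,7 +101,7 @@ static int zl10039_write(struct zl10039_state *state,
  const enum zl10039_reg_addr reg, const u8 *src,
  const size_t count)
 {
- u8 buf[count + 1];
+ u8 buf[MAX_XFER_SIZE];
  struct i2c_msg msg = {
  .addr = state->i2c_addr,
  .flags = 0,
@@ -106,6 +109,13 @@ static int zl10039_write(struct zl10039_state *state,
  .len = count + 1,
  };
 
+ if (1 + count > sizeof(buf)) {
+ printk(KERN_WARNING
+ "%s: i2c wr reg=%04x: len=%zd is too big!\n",
+ KBUILD_MODNAME, reg, count);
+ return -EINVAL;
+ }
+
  dprintk("%s\n", __func__);
  /* Write register address and data in one go */
  buf[0] = reg;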
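Review bot: The new guard in zl10039_write() adds before it compares, and `count` is a `size_t`, so `1 + count` wraps to 0 when `count` is the maximum value and the check passes. Testing the operand directly, `if (count >= sizeof(buf)) {`, rejects the same oversized requests without the wrap. The warning also prints a `size_t` with `%zd`; `%zu` is the matching specifier. The copy into buf lies below the hunk, so how `count` is used after the check is not visible here.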
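diff --git a/drivers/media/pci/cx18/cx18-driver.c b/drivers/media/pci/cx18/cx18-driver.c
index ff7232023f56..c1f8cc6f14b2 100644
--- a/drivers/media/pci/cx18/cx18-driver.c
+++ b/drivers/media/pci/cx18/cx18-driver.c
@@ -324,23 +324,24 @@ static void cx18_eeprom_dump(struct cx18 *cx, unsigned char *eedata, int len)
 /* Hauppauge card? get values from tveeprom */
 void cx18_read_eeprom(struct cx18 *cx, struct tveeprom *tv)
 {
- struct i2c_client c;
+ struct i2c_client *c;
  u8 eedata[256];
 
- memset(&c, 0, sizeof(c));
- strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
- c.adapter = &cx->i2c_adap[0];
- c.addr = 0xA0 >> 1;
+ c = kzalloc(sizeof(*c), GFP_KERNEL);
+
+ strlcpy(c->name, "cx18 tveeprom tmp", sizeof(c->name));
+ c->adapter = &cx->i2c_adap[0];
+ c->addr = 0xa0 >> 1;
 
  memset(tv, 0, sizeof(*tv));
- if (tveeprom_read(&c, eedata, sizeof(eedata)))
- return;
+ if (tveeprom_read(c, eedata, sizeof(eedata)))
+ goto ret;
 
  switch (cx->card->type) {
  case CX18_CARD_HVR_1600_ESMT:
  case CX18_CARD_HVR_1600_SAMSUNG:
  case CX18_CARD_HVR_1600_S5H1411:
- tveeprom_hauppauge_analog(&c, tv, eedata);
+ tveeprom_hauppauge_analog(c, tv, eedata);
  break;
  case CX18_CARD_YUAN_MPC718:
  case CX18_CARD_GOTVIEW_PCI_DVD3:
@@ -354,6 +355,9 @@ void cx18_read_eeprom(struct cx18 *cx, struct tveeprom *tv)
  cx18_eeprom_dump(cx, eedata, sizeof(eedata));
  break;
  }
+
+ret:
+ kfree(c);
 }
 
 static void cx18_process_eeprom(struct cx18 *cx)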
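Review bot: The result of `kzalloc()` in cx18_read_eeprom() is used without a NULL check, so an allocation failure is dereferenced by the `strlcpy(c->name, ...)` that follows. The function returns void, so the smallest fix is `if (!c) return;` directly after the allocation. It would also help to move `memset(tv, 0, sizeof(*tv));` above the allocation, so the caller's tveeprom struct is zeroed on that early return just as it is on the `goto ret` path.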
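diff --git a/drivers/media/pci/cx23885/cimax2.c b/drivers/media/pci/cx23885/cimax2.c
index 7344849183a7..16fa7ea4d4aa 100644
--- a/drivers/media/pci/cx23885/cimax2.c
+++ b/drivers/media/pci/cx23885/cimax2.c
@@ -26,6 +26,10 @@
 #include "cx23885.h"
 #include "cimax2.h"
 #include "dvb_ca_en50221.h"
+
+/* Max transfer size done by I2C transfer functions */
+#define MAX_XFER_SIZE 64
+
 /**** Bit definitions for MC417_RWD and MC417_OEN registers ***
  bits 31-16
 +-----------+
@@ -125,7 +129,7 @@ static int netup_write_i2c(struct i2c_adapter *i2c_adap, u8 addr, u8 reg,
  u8 *buf, int len)
 {
  int ret;
- u8 buffer[len + 1];
+ u8 buffer[MAX_XFER_SIZE];
 
  struct i2c_msg msg = {
  .addr = addr,
@@ -134,6 +138,13 @@ static int netup_write_i2c(struct i2c_adapter *i2c_adap, u8 addr, u8 reg,
  .len = len + 1
  };
 
+ if (1 + len > sizeof(buffer)) {
+ printk(KERN_WARNING
+ "%s: i2c wr reg=%04x: len=%d is too big!\n",
+ KBUILD_MODNAME, reg, len);
+ return -EINVAL;
+ }
+
  buffer[0] = reg;
  memcpy(&buffer[1], buf, len);
 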
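Review bot: In netup_write_i2c() `len` is a signed `int`, and the guard `1 + len > sizeof(buffer)` lets `len == -1` through: the sum is 0, which is not greater than 64, and the following `memcpy(&buffer[1], buf, len)` converts -1 to a huge size. Other negative values are rejected only as a side effect of the unsigned conversion. Checking the operand itself closes this, `if (len < 0 || (size_t)len >= sizeof(buffer)) {`. The same guard is added in tda10071_wr_regs(), e4000_wr_regs(), fc2580_wr_regs(), tda18212_wr_regs() and, with `6 + len`, in af9035_wr_regs(). Whether any caller can pass a negative length is not visible on this page.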
diff --git a/drivers/media/pci/ttpci/av7110_hw.c b/drivers/media/pci/ttpci/av7110_hw.c
index f1cbfe526989..6299d5dadb82 100644
--- a/drivers/media/pci/ttpci/av7110_hw.c
+++ b/drivers/media/pci/ttpci/av7110_hw.c
@@ -22,7 +22,7 @@
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23 * Or, point your browser to http://www.gnu.org/copyleft/gpl.html 23 * Or, point your browser to http://www.gnu.org/copyleft/gpl.html
24 * 24 *
25 * the project's page is at http://www.linuxtv.org/ 25 * the project's page is at http://www.linuxtv.org/
26 */ 26 */
27 27
28/* for debugging ARM communication: */ 28/* for debugging ARM communication: */
@@ -40,6 +40,14 @@
40 40
41#define _NOHANDSHAKE 41#define _NOHANDSHAKE
42 42
43/*
44 * Max transfer size done by av7110_fw_cmd()
45 *
46 * The maximum size passed to this function is 6 bytes. The buffer also
47 * uses two additional ones for type and size. So, 8 bytes is enough.
48 */
49#define MAX_XFER_SIZE 8
50
43/**************************************************************************** 51/****************************************************************************
44 * DEBI functions 52 * DEBI functions
45 ****************************************************************************/ 53 ****************************************************************************/
@@ -488,11 +496,18 @@ static int av7110_send_fw_cmd(struct av7110 *av7110, u16* buf, int length)
488int av7110_fw_cmd(struct av7110 *av7110, int type, int com, int num, ...) 496int av7110_fw_cmd(struct av7110 *av7110, int type, int com, int num, ...)
489{ 497{
490 va_list args; 498 va_list args;
491 u16 buf[num + 2]; 499 u16 buf[MAX_XFER_SIZE];
492 int i, ret; 500 int i, ret;
493 501
494// dprintk(4, "%p\n", av7110); 502// dprintk(4, "%p\n", av7110);
495 503
504 if (2 + num > sizeof(buf)) {
505 printk(KERN_WARNING
506 "%s: %s len=%d is too big!\n",
507 KBUILD_MODNAME, __func__, num);
508 return -EINVAL;
509 }
510
496 buf[0] = ((type << 8) | com); 511 buf[0] = ((type << 8) | com);
497 buf[1] = num; 512 buf[1] = num;
498 513
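Review bot: The bound added to av7110_fw_cmd() compares an element count with a byte count: `buf` is `u16 buf[MAX_XFER_SIZE]` with MAX_XFER_SIZE set to 8, so `sizeof(buf)` is 16 and `2 + num > sizeof(buf)` accepts `num` up to 14 although the array holds only 8 entries. The check should count elements, `if (num < 0 || 2 + num > ARRAY_SIZE(buf)) {`. The comment on the define has the same unit mix-up ("8 bytes is enough") and would read better as "8 entries". The loop that fills buf from the varargs lies below the hunk, so the write pattern is inferred from `buf[1] = num` and that comment.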
diff --git a/drivers/media/pci/zoran/Kconfig b/drivers/media/pci/zoran/Kconfig
index 26ca8702e33f..39ec35bd21a5 100644
--- a/drivers/media/pci/zoran/Kconfig
+++ b/drivers/media/pci/zoran/Kconfig
@@ -1,6 +1,7 @@
1config VIDEO_ZORAN 1config VIDEO_ZORAN
2 tristate "Zoran ZR36057/36067 Video For Linux" 2 tristate "Zoran ZR36057/36067 Video For Linux"
3 depends on PCI && I2C_ALGOBIT && VIDEO_V4L2 && VIRT_TO_BUS 3 depends on PCI && I2C_ALGOBIT && VIDEO_V4L2 && VIRT_TO_BUS
4 depends on !ALPHA
4 help 5 help
5 Say Y for support for MJPEG capture cards based on the Zoran 6 Say Y for support for MJPEG capture cards based on the Zoran
6 36057/36067 PCI controller chipset. This includes the Iomega 7 36057/36067 PCI controller chipset. This includes the Iomega
diff --git a/drivers/media/platform/soc_camera/rcar_vin.c b/drivers/media/platform/soc_camera/rcar_vin.c
index b21f777f55e7..6866bb4fbebc 100644
--- a/drivers/media/platform/soc_camera/rcar_vin.c
+++ b/drivers/media/platform/soc_camera/rcar_vin.c
@@ -16,6 +16,7 @@
16 16
17#include <linux/delay.h> 17#include <linux/delay.h>
18#include <linux/interrupt.h> 18#include <linux/interrupt.h>
19#include <linux/io.h>
19#include <linux/kernel.h> 20#include <linux/kernel.h>
20#include <linux/module.h> 21#include <linux/module.h>
21#include <linux/platform_data/camera-rcar.h> 22#include <linux/platform_data/camera-rcar.h>
diff --git a/drivers/media/radio/radio-shark.c b/drivers/media/radio/radio-shark.c
index b91477212413..3db8a8cfe1a8 100644
--- a/drivers/media/radio/radio-shark.c
+++ b/drivers/media/radio/radio-shark.c
@@ -271,6 +271,7 @@ static void shark_unregister_leds(struct shark_device *shark)
271 cancel_work_sync(&shark->led_work); 271 cancel_work_sync(&shark->led_work);
272} 272}
273 273
274#ifdef CONFIG_PM
274static void shark_resume_leds(struct shark_device *shark) 275static void shark_resume_leds(struct shark_device *shark)
275{ 276{
276 if (test_bit(BLUE_IS_PULSE, &shark->brightness_new)) 277 if (test_bit(BLUE_IS_PULSE, &shark->brightness_new))
@@ -280,6 +281,7 @@ static void shark_resume_leds(struct shark_device *shark)
280 set_bit(RED_LED, &shark->brightness_new); 281 set_bit(RED_LED, &shark->brightness_new);
281 schedule_work(&shark->led_work); 282 schedule_work(&shark->led_work);
282} 283}
284#endif
283#else 285#else
284static int shark_register_leds(struct shark_device *shark, struct device *dev) 286static int shark_register_leds(struct shark_device *shark, struct device *dev)
285{ 287{
diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c
index 9fb669721e66..d86d90dab8bf 100644
--- a/drivers/media/radio/radio-shark2.c
+++ b/drivers/media/radio/radio-shark2.c
@@ -237,6 +237,7 @@ static void shark_unregister_leds(struct shark_device *shark)
237 cancel_work_sync(&shark->led_work); 237 cancel_work_sync(&shark->led_work);
238} 238}
239 239
240#ifdef CONFIG_PM
240static void shark_resume_leds(struct shark_device *shark) 241static void shark_resume_leds(struct shark_device *shark)
241{ 242{
242 int i; 243 int i;
@@ -246,6 +247,7 @@ static void shark_resume_leds(struct shark_device *shark)
246 247
247 schedule_work(&shark->led_work); 248 schedule_work(&shark->led_work);
248} 249}
250#endif
249#else 251#else
250static int shark_register_leds(struct shark_device *shark, struct device *dev) 252static int shark_register_leds(struct shark_device *shark, struct device *dev)
251{ 253{
diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c
index e5fc9acd0c4f..2a497c80c77f 100644
--- a/drivers/media/radio/si470x/radio-si470x-i2c.c
+++ b/drivers/media/radio/si470x/radio-si470x-i2c.c
@@ -463,7 +463,7 @@ static int si470x_i2c_remove(struct i2c_client *client)
463} 463}
464 464
465 465
466#ifdef CONFIG_PM 466#ifdef CONFIG_PM_SLEEP
467/* 467/*
468 * si470x_i2c_suspend - suspend the device 468 * si470x_i2c_suspend - suspend the device
469 */ 469 */
@@ -509,7 +509,7 @@ static struct i2c_driver si470x_i2c_driver = {
509 .driver = { 509 .driver = {
510 .name = "si470x", 510 .name = "si470x",
511 .owner = THIS_MODULE, 511 .owner = THIS_MODULE,
512#ifdef CONFIG_PM 512#ifdef CONFIG_PM_SLEEP
513 .pm = &si470x_i2c_pm, 513 .pm = &si470x_i2c_pm,
514#endif 514#endif
515 }, 515 },
diff --git a/drivers/media/radio/tef6862.c b/drivers/media/radio/tef6862.c
index 06ac69245ca1..69e3245a58a0 100644
--- a/drivers/media/radio/tef6862.c
+++ b/drivers/media/radio/tef6862.c
@@ -48,15 +48,15 @@
48#define WM_SUB_TEST 0xF 48#define WM_SUB_TEST 0xF
49 49
50/* Different modes of the MSA register */ 50/* Different modes of the MSA register */
51#define MODE_BUFFER 0x0 51#define MSA_MODE_BUFFER 0x0
52#define MODE_PRESET 0x1 52#define MSA_MODE_PRESET 0x1
53#define MODE_SEARCH 0x2 53#define MSA_MODE_SEARCH 0x2
54#define MODE_AF_UPDATE 0x3 54#define MSA_MODE_AF_UPDATE 0x3
55#define MODE_JUMP 0x4 55#define MSA_MODE_JUMP 0x4
56#define MODE_CHECK 0x5 56#define MSA_MODE_CHECK 0x5
57#define MODE_LOAD 0x6 57#define MSA_MODE_LOAD 0x6
58#define MODE_END 0x7 58#define MSA_MODE_END 0x7
59#define MODE_SHIFT 5 59#define MSA_MODE_SHIFT 5
60 60
61struct tef6862_state { 61struct tef6862_state {
62 struct v4l2_subdev sd; 62 struct v4l2_subdev sd;
@@ -114,7 +114,7 @@ static int tef6862_s_frequency(struct v4l2_subdev *sd, const struct v4l2_frequen
114 114
115 clamp(freq, TEF6862_LO_FREQ, TEF6862_HI_FREQ); 115 clamp(freq, TEF6862_LO_FREQ, TEF6862_HI_FREQ);
116 pll = 1964 + ((freq - TEF6862_LO_FREQ) * 20) / FREQ_MUL; 116 pll = 1964 + ((freq - TEF6862_LO_FREQ) * 20) / FREQ_MUL;
117 i2cmsg[0] = (MODE_PRESET << MODE_SHIFT) | WM_SUB_PLLM; 117 i2cmsg[0] = (MSA_MODE_PRESET << MSA_MODE_SHIFT) | WM_SUB_PLLM;
118 i2cmsg[1] = (pll >> 8) & 0xff; 118 i2cmsg[1] = (pll >> 8) & 0xff;
119 i2cmsg[2] = pll & 0xff; 119 i2cmsg[2] = pll & 0xff;
120 120
diff --git a/drivers/media/rc/fintek-cir.h b/drivers/media/rc/fintek-cir.h
index 82516a1d39b0..b698f3d2ced9 100644
--- a/drivers/media/rc/fintek-cir.h
+++ b/drivers/media/rc/fintek-cir.h
@@ -76,8 +76,8 @@ struct fintek_dev {
76 } tx; 76 } tx;
77 77
78 /* Config register index/data port pair */ 78 /* Config register index/data port pair */
79 u8 cr_ip; 79 u32 cr_ip;
80 u8 cr_dp; 80 u32 cr_dp;
81 81
82 /* hardware I/O settings */ 82 /* hardware I/O settings */
83 unsigned long cir_addr; 83 unsigned long cir_addr;
diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c
index b53626ba6f49..fdae05c4f377 100644
--- a/drivers/media/rc/iguanair.c
+++ b/drivers/media/rc/iguanair.c
@@ -308,22 +308,12 @@ static int iguanair_set_tx_carrier(struct rc_dev *dev, uint32_t carrier)
308 cycles = DIV_ROUND_CLOSEST(24000000, carrier * 2) - 308 cycles = DIV_ROUND_CLOSEST(24000000, carrier * 2) -
309 ir->cycle_overhead; 309 ir->cycle_overhead;
310 310
311 /* make up the the remainer of 4-cycle blocks */ 311 /*
312 switch (cycles & 3) { 312 * Calculate minimum number of 7 cycles needed so
313 case 0: 313 * we are left with a multiple of 4; so we want to have
314 sevens = 0; 314 * (sevens * 7) & 3 == cycles & 3
315 break; 315 */
316 case 1: 316 sevens = (4 - cycles) & 3;
317 sevens = 3;
318 break;
319 case 2:
320 sevens = 2;
321 break;
322 case 3:
323 sevens = 1;
324 break;
325 }
326
327 fours = (cycles - sevens * 7) / 4; 317 fours = (cycles - sevens * 7) / 4;
328 318
329 /* magic happens here */ 319 /* magic happens here */
diff --git a/drivers/media/rc/nuvoton-cir.h b/drivers/media/rc/nuvoton-cir.h
index 7c3674ff5ea2..07e83108df0f 100644
--- a/drivers/media/rc/nuvoton-cir.h
+++ b/drivers/media/rc/nuvoton-cir.h
@@ -84,8 +84,8 @@ struct nvt_dev {
84 } tx; 84 } tx;
85 85
86 /* EFER Config register index/data pair */ 86 /* EFER Config register index/data pair */
87 u8 cr_efir; 87 u32 cr_efir;
88 u8 cr_efdr; 88 u32 cr_efdr;
89 89
90 /* hardware I/O settings */ 90 /* hardware I/O settings */
91 unsigned long cir_addr; 91 unsigned long cir_addr;
diff --git a/drivers/media/tuners/e4000.c b/drivers/media/tuners/e4000.c
index 6c96e4898777..72971a8d3c37 100644
--- a/drivers/media/tuners/e4000.c
+++ b/drivers/media/tuners/e4000.c
@@ -21,20 +21,30 @@
21#include "e4000_priv.h" 21#include "e4000_priv.h"
22#include <linux/math64.h> 22#include <linux/math64.h>
23 23
24/* Max transfer size done by I2C transfer functions */
25#define MAX_XFER_SIZE 64
26
24/* write multiple registers */ 27/* write multiple registers */
25static int e4000_wr_regs(struct e4000_priv *priv, u8 reg, u8 *val, int len) 28static int e4000_wr_regs(struct e4000_priv *priv, u8 reg, u8 *val, int len)
26{ 29{
27 int ret; 30 int ret;
28 u8 buf[1 + len]; 31 u8 buf[MAX_XFER_SIZE];
29 struct i2c_msg msg[1] = { 32 struct i2c_msg msg[1] = {
30 { 33 {
31 .addr = priv->cfg->i2c_addr, 34 .addr = priv->cfg->i2c_addr,
32 .flags = 0, 35 .flags = 0,
33 .len = sizeof(buf), 36 .len = 1 + len,
34 .buf = buf, 37 .buf = buf,
35 } 38 }
36 }; 39 };
37 40
41 if (1 + len > sizeof(buf)) {
42 dev_warn(&priv->i2c->dev,
43 "%s: i2c wr reg=%04x: len=%d is too big!\n",
44 KBUILD_MODNAME, reg, len);
45 return -EINVAL;
46 }
47
38 buf[0] = reg; 48 buf[0] = reg;
39 memcpy(&buf[1], val, len); 49 memcpy(&buf[1], val, len);
40 50
@@ -54,7 +64,7 @@ static int e4000_wr_regs(struct e4000_priv *priv, u8 reg, u8 *val, int len)
54static int e4000_rd_regs(struct e4000_priv *priv, u8 reg, u8 *val, int len) 64static int e4000_rd_regs(struct e4000_priv *priv, u8 reg, u8 *val, int len)
55{ 65{
56 int ret; 66 int ret;
57 u8 buf[len]; 67 u8 buf[MAX_XFER_SIZE];
58 struct i2c_msg msg[2] = { 68 struct i2c_msg msg[2] = {
59 { 69 {
60 .addr = priv->cfg->i2c_addr, 70 .addr = priv->cfg->i2c_addr,
@@ -64,11 +74,18 @@ static int e4000_rd_regs(struct e4000_priv *priv, u8 reg, u8 *val, int len)
64 }, { 74 }, {
65 .addr = priv->cfg->i2c_addr, 75 .addr = priv->cfg->i2c_addr,
66 .flags = I2C_M_RD, 76 .flags = I2C_M_RD,
67 .len = sizeof(buf), 77 .len = len,
68 .buf = buf, 78 .buf = buf,
69 } 79 }
70 }; 80 };
71 81
82 if (len > sizeof(buf)) {
83 dev_warn(&priv->i2c->dev,
84 "%s: i2c rd reg=%04x: len=%d is too big!\n",
85 KBUILD_MODNAME, reg, len);
86 return -EINVAL;
87 }
88
72 ret = i2c_transfer(priv->i2c, msg, 2); 89 ret = i2c_transfer(priv->i2c, msg, 2);
73 if (ret == 2) { 90 if (ret == 2) {
74 memcpy(val, buf, len); 91 memcpy(val, buf, len);
diff --git a/drivers/media/tuners/fc2580.c b/drivers/media/tuners/fc2580.c
index 81f38aae9c66..3aecaf465094 100644
--- a/drivers/media/tuners/fc2580.c
+++ b/drivers/media/tuners/fc2580.c
@@ -20,6 +20,9 @@
20 20
21#include "fc2580_priv.h" 21#include "fc2580_priv.h"
22 22
23/* Max transfer size done by I2C transfer functions */
24#define MAX_XFER_SIZE 64
25
23/* 26/*
24 * TODO: 27 * TODO:
25 * I2C write and read works only for one single register. Multiple registers 28 * I2C write and read works only for one single register. Multiple registers
@@ -41,16 +44,23 @@
41static int fc2580_wr_regs(struct fc2580_priv *priv, u8 reg, u8 *val, int len) 44static int fc2580_wr_regs(struct fc2580_priv *priv, u8 reg, u8 *val, int len)
42{ 45{
43 int ret; 46 int ret;
44 u8 buf[1 + len]; 47 u8 buf[MAX_XFER_SIZE];
45 struct i2c_msg msg[1] = { 48 struct i2c_msg msg[1] = {
46 { 49 {
47 .addr = priv->cfg->i2c_addr, 50 .addr = priv->cfg->i2c_addr,
48 .flags = 0, 51 .flags = 0,
49 .len = sizeof(buf), 52 .len = 1 + len,
50 .buf = buf, 53 .buf = buf,
51 } 54 }
52 }; 55 };
53 56
57 if (1 + len > sizeof(buf)) {
58 dev_warn(&priv->i2c->dev,
59 "%s: i2c wr reg=%04x: len=%d is too big!\n",
60 KBUILD_MODNAME, reg, len);
61 return -EINVAL;
62 }
63
54 buf[0] = reg; 64 buf[0] = reg;
55 memcpy(&buf[1], val, len); 65 memcpy(&buf[1], val, len);
56 66
@@ -69,7 +79,7 @@ static int fc2580_wr_regs(struct fc2580_priv *priv, u8 reg, u8 *val, int len)
69static int fc2580_rd_regs(struct fc2580_priv *priv, u8 reg, u8 *val, int len) 79static int fc2580_rd_regs(struct fc2580_priv *priv, u8 reg, u8 *val, int len)
70{ 80{
71 int ret; 81 int ret;
72 u8 buf[len]; 82 u8 buf[MAX_XFER_SIZE];
73 struct i2c_msg msg[2] = { 83 struct i2c_msg msg[2] = {
74 { 84 {
75 .addr = priv->cfg->i2c_addr, 85 .addr = priv->cfg->i2c_addr,
@@ -79,11 +89,18 @@ static int fc2580_rd_regs(struct fc2580_priv *priv, u8 reg, u8 *val, int len)
79 }, { 89 }, {
80 .addr = priv->cfg->i2c_addr, 90 .addr = priv->cfg->i2c_addr,
81 .flags = I2C_M_RD, 91 .flags = I2C_M_RD,
82 .len = sizeof(buf), 92 .len = len,
83 .buf = buf, 93 .buf = buf,
84 } 94 }
85 }; 95 };
86 96
97 if (len > sizeof(buf)) {
98 dev_warn(&priv->i2c->dev,
99 "%s: i2c rd reg=%04x: len=%d is too big!\n",
100 KBUILD_MODNAME, reg, len);
101 return -EINVAL;
102 }
103
87 ret = i2c_transfer(priv->i2c, msg, 2); 104 ret = i2c_transfer(priv->i2c, msg, 2);
88 if (ret == 2) { 105 if (ret == 2) {
89 memcpy(val, buf, len); 106 memcpy(val, buf, len);
diff --git a/drivers/media/tuners/tda18212.c b/drivers/media/tuners/tda18212.c
index e4a84ee231cf..abe256e1f843 100644
--- a/drivers/media/tuners/tda18212.c
+++ b/drivers/media/tuners/tda18212.c
@@ -20,6 +20,9 @@
20 20
21#include "tda18212.h" 21#include "tda18212.h"
22 22
23/* Max transfer size done by I2C transfer functions */
24#define MAX_XFER_SIZE 64
25
23struct tda18212_priv { 26struct tda18212_priv {
24 struct tda18212_config *cfg; 27 struct tda18212_config *cfg;
25 struct i2c_adapter *i2c; 28 struct i2c_adapter *i2c;
@@ -32,16 +35,23 @@ static int tda18212_wr_regs(struct tda18212_priv *priv, u8 reg, u8 *val,
32 int len) 35 int len)
33{ 36{
34 int ret; 37 int ret;
35 u8 buf[len+1]; 38 u8 buf[MAX_XFER_SIZE];
36 struct i2c_msg msg[1] = { 39 struct i2c_msg msg[1] = {
37 { 40 {
38 .addr = priv->cfg->i2c_address, 41 .addr = priv->cfg->i2c_address,
39 .flags = 0, 42 .flags = 0,
40 .len = sizeof(buf), 43 .len = 1 + len,
41 .buf = buf, 44 .buf = buf,
42 } 45 }
43 }; 46 };
44 47
48 if (1 + len > sizeof(buf)) {
49 dev_warn(&priv->i2c->dev,
50 "%s: i2c wr reg=%04x: len=%d is too big!\n",
51 KBUILD_MODNAME, reg, len);
52 return -EINVAL;
53 }
54
45 buf[0] = reg; 55 buf[0] = reg;
46 memcpy(&buf[1], val, len); 56 memcpy(&buf[1], val, len);
47 57
@@ -61,7 +71,7 @@ static int tda18212_rd_regs(struct tda18212_priv *priv, u8 reg, u8 *val,
61 int len) 71 int len)
62{ 72{
63 int ret; 73 int ret;
64 u8 buf[len]; 74 u8 buf[MAX_XFER_SIZE];
65 struct i2c_msg msg[2] = { 75 struct i2c_msg msg[2] = {
66 { 76 {
67 .addr = priv->cfg->i2c_address, 77 .addr = priv->cfg->i2c_address,
@@ -71,11 +81,18 @@ static int tda18212_rd_regs(struct tda18212_priv *priv, u8 reg, u8 *val,
71 }, { 81 }, {
72 .addr = priv->cfg->i2c_address, 82 .addr = priv->cfg->i2c_address,
73 .flags = I2C_M_RD, 83 .flags = I2C_M_RD,
74 .len = sizeof(buf), 84 .len = len,
75 .buf = buf, 85 .buf = buf,
76 } 86 }
77 }; 87 };
78 88
89 if (len > sizeof(buf)) {
90 dev_warn(&priv->i2c->dev,
91 "%s: i2c rd reg=%04x: len=%d is too big!\n",
92 KBUILD_MODNAME, reg, len);
93 return -EINVAL;
94 }
95
79 ret = i2c_transfer(priv->i2c, msg, 2); 96 ret = i2c_transfer(priv->i2c, msg, 2);
80 if (ret == 2) { 97 if (ret == 2) {
81 memcpy(val, buf, len); 98 memcpy(val, buf, len);
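diff --git a/drivers/media/tuners/tda18218.c b/drivers/media/tuners/tda18218.c
index 2d31aeb6b088..9300e9361e3b 100644
--- a/drivers/media/tuners/tda18218.c
+++ b/drivers/media/tuners/tda18218.c
@@ -20,11 +20,14 @@
 
 #include "tda18218_priv.h"
 
+/* Max transfer size done by I2C transfer functions */
+#define MAX_XFER_SIZE 64
+
 /* write multiple registers */
 static int tda18218_wr_regs(struct tda18218_priv *priv, u8 reg, u8 *val, u8 len)
 {
  int ret = 0, len2, remaining;
- u8 buf[1 + len];
+ u8 buf[MAX_XFER_SIZE];
  struct i2c_msg msg[1] = {
  {
  .addr = priv->cfg->i2c_address,
@@ -33,6 +36,13 @@ static int tda18218_wr_regs(struct tda18218_priv *priv, u8 reg, u8 *val, u8 len)
  }
  };
 
+ if (1 + len > sizeof(buf)) {
+ dev_warn(&priv->i2c->dev,
+ "%s: i2c wr reg=%04x: len=%d is too big!\n",
+ KBUILD_MODNAME, reg, len);
+ return -EINVAL;
+ }
+
  for (remaining = len; remaining > 0;
  remaining -= (priv->cfg->i2c_wr_max - 1)) {
  len2 = remaining;
@@ -63,7 +73,7 @@ static int tda18218_wr_regs(struct tda18218_priv *priv, u8 reg, u8 *val, u8 len)
 static int tda18218_rd_regs(struct tda18218_priv *priv, u8 reg, u8 *val, u8 len)
 {
  int ret;
- u8 buf[reg+len]; /* we must start read always from reg 0x00 */
+ u8 buf[MAX_XFER_SIZE]; /* we must start read always from reg 0x00 */
  struct i2c_msg msg[2] = {
  {
  .addr = priv->cfg->i2c_address,
@@ -73,11 +83,18 @@ static int tda18218_rd_regs(struct tda18218_priv *priv, u8 reg, u8 *val, u8 len)
  }, {
  .addr = priv->cfg->i2c_address,
  .flags = I2C_M_RD,
- .len = sizeof(buf),
+ .len = reg + len,
  .buf = buf,
  }
  };
 
+ if (reg + len > sizeof(buf)) {
+ dev_warn(&priv->i2c->dev,
+ "%s: i2c wr reg=%04x: len=%d is too big!\n",
+ KBUILD_MODNAME, reg, len);
+ return -EINVAL;
+ }
+
  ret = i2c_transfer(priv->i2c, msg, 2);
  if (ret == 2) {
  memcpy(val, &buf[reg], len);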
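Review bot: The warning added in tda18218_rd_regs() is a copy of the write-path message and reports `i2c wr` for a rejected read, which will mislead anyone triaging the log; it should read `"%s: i2c rd reg=%04x: len=%d is too big!\n"`. The same slip is in tda10071_rd_regs(). Because the read always starts at register 0x00, the buffer must cover `reg + len`, so with the fixed 64-byte array any read ending above offset 63 now fails with -EINVAL where it previously worked. A comment beside the check naming the register range the driver relies on would show that limit is deliberate. In tda18218_wr_regs() the guard is on the whole `len` although the loop sends chunks bounded by `i2c_wr_max`; the chunk copy is outside the hunk, so whether the stricter bound is needed cannot be confirmed here.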
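diff --git a/drivers/media/tuners/tda9887.c b/drivers/media/tuners/tda9887.c
index 300005c535ba..9823248d743f 100644
--- a/drivers/media/tuners/tda9887.c
+++ b/drivers/media/tuners/tda9887.c
@@ -536,8 +536,8 @@ static int tda9887_status(struct dvb_frontend *fe)
  unsigned char buf[1];
  int rc;
 
- memset(buf,0,sizeof(buf));
- if (1 != (rc = tuner_i2c_xfer_recv(&priv->i2c_props,buf,1)))
+ rc = tuner_i2c_xfer_recv(&priv->i2c_props, buf, 1);
+ if (rc != 1)
  tuner_info("i2c i/o error: rc == %d (should be 1)\n", rc);
  dump_read_message(fe, buf);
  return 0;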
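Review bot: Dropping the `memset()` in tda9887_status() leaves `buf[0]` uninitialised when the transfer fails, and `dump_read_message(fe, buf)` is still called after the error message, so a stale byte of kernel stack may be decoded and logged. Either keep the buffer initialised, `unsigned char buf[1] = { 0 };`, or skip the dump when `rc != 1`. Whether tuner_i2c_xfer_recv() writes to buf on a failed transfer is not visible on this page.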
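diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
index e287a7417319..4be5cf808a40 100644
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -24,6 +24,9 @@
 #include <linux/dvb/frontend.h>
 #include "dvb_frontend.h"
 
+/* Max transfer size done by I2C transfer functions */
+#define MAX_XFER_SIZE 80
+
 /* Registers (Write-only) */
 #define XREG_INIT 0x00
 #define XREG_RF_FREQ 0x02
@@ -547,7 +550,10 @@ static int load_firmware(struct dvb_frontend *fe, unsigned int type,
 {
  struct xc2028_data *priv = fe->tuner_priv;
  int pos, rc;
- unsigned char *p, *endp, buf[priv->ctrl.max_len];
+ unsigned char *p, *endp, buf[MAX_XFER_SIZE];
+
+ if (priv->ctrl.max_len > sizeof(buf))
+ priv->ctrl.max_len = sizeof(buf);
 
  tuner_dbg("%s called\n", __func__);
 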
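Review bot: The clamp at the top of load_firmware() silently overwrites `priv->ctrl.max_len`, a configuration value that outlives the call, whereas the other drivers on this page log a warning and fail when a transfer does not fit. A bridge driver that configured a larger chunk size would get 80-byte writes with no trace of the change. I would log the adjustment where it happens and document the limit on the define, for example `/* Largest firmware chunk load_firmware() sends in one I2C write; a larger ctrl.max_len is clamped to this */`. The code that consumes max_len lies below the hunk, so a lower bound on the value cannot be checked from here.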
diff --git a/drivers/media/usb/dvb-usb-v2/af9015.c b/drivers/media/usb/dvb-usb-v2/af9015.c
index d556042cf312..da47d2392f2a 100644
--- a/drivers/media/usb/dvb-usb-v2/af9015.c
+++ b/drivers/media/usb/dvb-usb-v2/af9015.c
@@ -397,12 +397,13 @@ error:
397 return ret; 397 return ret;
398} 398}
399 399
400#define AF9015_EEPROM_SIZE 256
401
400/* hash (and dump) eeprom */ 402/* hash (and dump) eeprom */
401static int af9015_eeprom_hash(struct dvb_usb_device *d) 403static int af9015_eeprom_hash(struct dvb_usb_device *d)
402{ 404{
403 struct af9015_state *state = d_to_priv(d); 405 struct af9015_state *state = d_to_priv(d);
404 int ret, i; 406 int ret, i;
405 static const unsigned int AF9015_EEPROM_SIZE = 256;
406 u8 buf[AF9015_EEPROM_SIZE]; 407 u8 buf[AF9015_EEPROM_SIZE];
407 struct req_t req = {READ_I2C, AF9015_I2C_EEPROM, 0, 0, 1, 1, NULL}; 408 struct req_t req = {READ_I2C, AF9015_I2C_EEPROM, 0, 0, 1, 1, NULL};
408 409
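diff --git a/drivers/media/usb/dvb-usb-v2/af9035.c b/drivers/media/usb/dvb-usb-v2/af9035.c
index 1ea17dc2a76e..c8fcd78425bd 100644
--- a/drivers/media/usb/dvb-usb-v2/af9035.c
+++ b/drivers/media/usb/dvb-usb-v2/af9035.c
@@ -21,6 +21,9 @@
 
 #include "af9035.h"
 
+/* Max transfer size done by I2C transfer functions */
+#define MAX_XFER_SIZE 64
+
 DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr);
 
 static u16 af9035_checksum(const u8 *buf, size_t len)
@@ -126,10 +129,16 @@ exit:
 /* write multiple registers */
 static int af9035_wr_regs(struct dvb_usb_device *d, u32 reg, u8 *val, int len)
 {
- u8 wbuf[6 + len];
+ u8 wbuf[MAX_XFER_SIZE];
  u8 mbox = (reg >> 16) & 0xff;
  struct usb_req req = { CMD_MEM_WR, mbox, sizeof(wbuf), wbuf, 0, NULL };
 
+ if (6 + len > sizeof(wbuf)) {
+ dev_warn(&d->udev->dev, "%s: i2c wr: len=%d is too big!\n",
+ KBUILD_MODNAME, len);
+ return -EOPNOTSUPP;
+ }
+
  wbuf[0] = len;
  wbuf[1] = 2;
  wbuf[2] = 0;
@@ -228,9 +237,16 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap,
  msg[1].len);
  } else {
  /* I2C */
- u8 buf[5 + msg[0].len];
+ u8 buf[MAX_XFER_SIZE];
  struct usb_req req = { CMD_I2C_RD, 0, sizeof(buf),
  buf, msg[1].len, msg[1].buf };
+
+ if (5 + msg[0].len > sizeof(buf)) {
+ dev_warn(&d->udev->dev,
+ "%s: i2c xfer: len=%d is too big!\n",
+ KBUILD_MODNAME, msg[0].len);
+ return -EOPNOTSUPP;
+ }
  req.mbox |= ((msg[0].addr & 0x80) >> 3);
  buf[0] = msg[1].len;
  buf[1] = msg[0].addr << 1;
@@ -257,9 +273,16 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap,
  msg[0].len - 3);
  } else {
  /* I2C */
- u8 buf[5 + msg[0].len];
+ u8 buf[MAX_XFER_SIZE];
  struct usb_req req = { CMD_I2C_WR, 0, sizeof(buf), buf,
  0, NULL };
+
+ if (5 + msg[0].len > sizeof(buf)) {
+ dev_warn(&d->udev->dev,
+ "%s: i2c xfer: len=%d is too big!\n",
+ KBUILD_MODNAME, msg[0].len);
+ return -EOPNOTSUPP;
+ }
  req.mbox |= ((msg[0].addr & 0x80) >> 3);
  buf[0] = msg[0].len;
  buf[1] = msg[0].addr << 1;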
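Review bot: The `usb_req` initialisers still take their length from `sizeof(wbuf)` / `sizeof(buf)`, which was the exact message size while the arrays were variable-length but is now always MAX_XFER_SIZE (64). In af9035_wr_regs() and in both I2C branches of af9035_i2c_master_xfer() the request would then cover the whole array, including stack bytes that were never filled in, rather than the 6 + len or 5 + msg[0].len bytes of the message. The other drivers on this page replaced `.len = sizeof(buf)` with the computed length, and the same is needed here: `{ CMD_MEM_WR, mbox, 6 + len, wbuf, 0, NULL }`, `{ CMD_I2C_RD, 0, 5 + msg[0].len, buf, msg[1].len, msg[1].buf }` and `{ CMD_I2C_WR, 0, 5 + msg[0].len, buf, 0, NULL }`. The layout of struct usb_req is not shown, so reading the third field as the write length is inferred from how it was initialised before this change.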
diff --git a/drivers/media/usb/dvb-usb-v2/mxl111sf.c b/drivers/media/usb/dvb-usb-v2/mxl111sf.c
index e97964ef7f56..2627553f7de1 100644
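--- a/drivers/media/usb/dvb-usb-v2/mxl111sf.c
+++ b/drivers/media/usb/dvb-usb-v2/mxl111sf.c
@@ -23,6 +23,9 @@
 #include "lgdt3305.h"
 #include "lg2160.h"
 
+/* Max transfer size done by I2C transfer functions */
+#define MAX_XFER_SIZE 64
+
 int dvb_usb_mxl111sf_debug;
 module_param_named(debug, dvb_usb_mxl111sf_debug, int, 0644);
 MODULE_PARM_DESC(debug, "set debugging level "
@@ -57,7 +60,12 @@ int mxl111sf_ctrl_msg(struct dvb_usb_device *d,
 {
  int wo = (rbuf == NULL || rlen == 0); /* write-only */
  int ret;
- u8 sndbuf[1+wlen];
+ u8 sndbuf[MAX_XFER_SIZE];
+
+ if (1 + wlen > sizeof(sndbuf)) {
+ pr_warn("%s: len=%d is too big!\n", __func__, wlen);
+ return -EOPNOTSUPP;
+ }
 
  pr_debug("%s(wlen = %d, rlen = %d)\n", __func__, wlen, rlen);
 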
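Review bot: The new guard in mxl111sf_ctrl_msg() compares `1 + wlen` with `sizeof(sndbuf)`, and `wlen` looks signed (it is printed with `%d`; its declaration is outside the hunk), so the comparison is carried out in unsigned arithmetic. A `wlen` of -1 evaluates to 0 and passes, and other negative values are rejected only because they wrap to a large number. Rejecting negative lengths explicitly, `if (wlen < 0 || 1 + wlen > sizeof(sndbuf))`, would make the bound independent of how the rest of the function uses `wlen`. The same pattern is added to cxusb_ctrl_msg() in cxusb.c, where `wlen` is visibly declared `int`.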
diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
index 3940bb0f9ef6..20e345d9fe8f 100644
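--- a/drivers/media/usb/dvb-usb/cxusb.c
+++ b/drivers/media/usb/dvb-usb/cxusb.c
@@ -43,6 +43,9 @@
 #include "lgs8gxx.h"
 #include "atbm8830.h"
 
+/* Max transfer size done by I2C transfer functions */
+#define MAX_XFER_SIZE 64
+
 /* debug */
 static int dvb_usb_cxusb_debug;
 module_param_named(debug, dvb_usb_cxusb_debug, int, 0644);
@@ -57,7 +60,14 @@ static int cxusb_ctrl_msg(struct dvb_usb_device *d,
  u8 cmd, u8 *wbuf, int wlen, u8 *rbuf, int rlen)
 {
  int wo = (rbuf == NULL || rlen == 0); /* write-only */
- u8 sndbuf[1+wlen];
+ u8 sndbuf[MAX_XFER_SIZE];
+
+ if (1 + wlen > sizeof(sndbuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+ wlen);
+ return -EOPNOTSUPP;
+ }
+
  memset(sndbuf, 0, 1+wlen);
 
  sndbuf[0] = cmd;
@@ -158,7 +168,13 @@ static int cxusb_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
 
  if (msg[i].flags & I2C_M_RD) {
  /* read only */
- u8 obuf[3], ibuf[1+msg[i].len];
+ u8 obuf[3], ibuf[MAX_XFER_SIZE];
+
+ if (1 + msg[i].len > sizeof(ibuf)) {
+ warn("i2c rd: len=%d is too big!\n",
+ msg[i].len);
+ return -EOPNOTSUPP;
+ }
  obuf[0] = 0;
  obuf[1] = msg[i].len;
  obuf[2] = msg[i].addr;
@@ -172,7 +188,18 @@ static int cxusb_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
  } else if (i+1 < num && (msg[i+1].flags & I2C_M_RD) &&
  msg[i].addr == msg[i+1].addr) {
  /* write to then read from same address */
- u8 obuf[3+msg[i].len], ibuf[1+msg[i+1].len];
+ u8 obuf[MAX_XFER_SIZE], ibuf[MAX_XFER_SIZE];
+
+ if (3 + msg[i].len > sizeof(obuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+ msg[i].len);
+ return -EOPNOTSUPP;
+ }
+ if (1 + msg[i + 1].len > sizeof(ibuf)) {
+ warn("i2c rd: len=%d is too big!\n",
+ msg[i + 1].len);
+ return -EOPNOTSUPP;
+ }
  obuf[0] = msg[i].len;
  obuf[1] = msg[i+1].len;
  obuf[2] = msg[i].addr;
@@ -191,7 +218,13 @@ static int cxusb_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
  i++;
  } else {
  /* write only */
- u8 obuf[2+msg[i].len], ibuf;
+ u8 obuf[MAX_XFER_SIZE], ibuf;
+
+ if (2 + msg[i].len > sizeof(obuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+ msg[i].len);
+ return -EOPNOTSUPP;
+ }
  obuf[0] = msg[i].addr;
  obuf[1] = msg[i].len;
  memcpy(&obuf[2], msg[i].buf, msg[i].len);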
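Review bot: The four new `return -EOPNOTSUPP;` statements in cxusb_i2c_xfer() leave from inside the per-message loop. The start of the function is outside these hunks, but dvb-usb transfer handlers commonly hold `d->i2c_mutex` across the whole transfer. If this one does, each oversized request would return with the lock still held and stall every later transfer on the adapter. Setting an error code and breaking out to the function's existing exit path, or unlocking before the return, would avoid that. The same question applies to the early returns this commit adds to the transfer functions in dw2102.c and af9035.c.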
diff --git a/drivers/media/usb/dvb-usb/dibusb-common.c b/drivers/media/usb/dvb-usb/dibusb-common.c
index c2dded92f1d3..6d68af0c49c8 100644
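--- a/drivers/media/usb/dvb-usb/dibusb-common.c
+++ b/drivers/media/usb/dvb-usb/dibusb-common.c
@@ -12,6 +12,9 @@
 #include <linux/kconfig.h>
 #include "dibusb.h"
 
+/* Max transfer size done by I2C transfer functions */
+#define MAX_XFER_SIZE 64
+
 static int debug;
 module_param(debug, int, 0644);
 MODULE_PARM_DESC(debug, "set debugging level (1=info (|-able))." DVB_USB_DEBUG_STATUS);
@@ -105,11 +108,16 @@ EXPORT_SYMBOL(dibusb2_0_power_ctrl);
 static int dibusb_i2c_msg(struct dvb_usb_device *d, u8 addr,
  u8 *wbuf, u16 wlen, u8 *rbuf, u16 rlen)
 {
- u8 sndbuf[wlen+4]; /* lead(1) devaddr,direction(1) addr(2) data(wlen) (len(2) (when reading)) */
+ u8 sndbuf[MAX_XFER_SIZE]; /* lead(1) devaddr,direction(1) addr(2) data(wlen) (len(2) (when reading)) */
  /* write only ? */
  int wo = (rbuf == NULL || rlen == 0),
  len = 2 + wlen + (wo ? 0 : 2);
 
+ if (4 + wlen > sizeof(sndbuf)) {
+ warn("i2c wr: len=%d is too big!\n", wlen);
+ return -EOPNOTSUPP;
+ }
+
  sndbuf[0] = wo ? DIBUSB_REQ_I2C_WRITE : DIBUSB_REQ_I2C_READ;
  sndbuf[1] = (addr << 1) | (wo ? 0 : 1);
 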
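Review bot: The guard in dibusb_i2c_msg() hard-codes the worst-case frame size `4 + wlen`, although `len`, computed just above as `2 + wlen + (wo ? 0 : 2)`, is already the number of bytes this call uses. Write-only transfers of 61 or 62 bytes are therefore refused even though they fit in the 64-byte `sndbuf`. Checking `if (len > sizeof(sndbuf))` would tie the bound to the real frame length, provided the rest of the function (outside the hunk) never indexes `sndbuf` beyond `len`. The message also says `i2c wr` for read requests, which makes the log line harder to interpret.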
diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
index 6136a2c7dbfd..c1a63b2a6baa 100644
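--- a/drivers/media/usb/dvb-usb/dw2102.c
+++ b/drivers/media/usb/dvb-usb/dw2102.c
@@ -30,6 +30,9 @@
 #include "stb6100_proc.h"
 #include "m88rs2000.h"
 
+/* Max transfer size done by I2C transfer functions */
+#define MAX_XFER_SIZE 64
+
 #ifndef USB_PID_DW2102
 #define USB_PID_DW2102 0x2102
 #endif
@@ -308,7 +311,14 @@ static int dw2102_earda_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg ms
  case 2: {
  /* read */
  /* first write first register number */
- u8 ibuf[msg[1].len + 2], obuf[3];
+ u8 ibuf[MAX_XFER_SIZE], obuf[3];
+
+ if (2 + msg[1].len > sizeof(ibuf)) {
+ warn("i2c rd: len=%d is too big!\n",
+ msg[1].len);
+ return -EOPNOTSUPP;
+ }
+
  obuf[0] = msg[0].addr << 1;
  obuf[1] = msg[0].len;
  obuf[2] = msg[0].buf[0];
@@ -325,7 +335,14 @@ static int dw2102_earda_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg ms
  switch (msg[0].addr) {
  case 0x68: {
  /* write to register */
- u8 obuf[msg[0].len + 2];
+ u8 obuf[MAX_XFER_SIZE];
+
+ if (2 + msg[0].len > sizeof(obuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+ msg[1].len);
+ return -EOPNOTSUPP;
+ }
+
  obuf[0] = msg[0].addr << 1;
  obuf[1] = msg[0].len;
  memcpy(obuf + 2, msg[0].buf, msg[0].len);
@@ -335,7 +352,14 @@ static int dw2102_earda_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg ms
  }
  case 0x61: {
  /* write to tuner */
- u8 obuf[msg[0].len + 2];
+ u8 obuf[MAX_XFER_SIZE];
+
+ if (2 + msg[0].len > sizeof(obuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+ msg[1].len);
+ return -EOPNOTSUPP;
+ }
+
  obuf[0] = msg[0].addr << 1;
  obuf[1] = msg[0].len;
  memcpy(obuf + 2, msg[0].buf, msg[0].len);
@@ -401,7 +425,14 @@ static int dw2104_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], i
  default: {
  if (msg[j].flags == I2C_M_RD) {
  /* read registers */
- u8 ibuf[msg[j].len + 2];
+ u8 ibuf[MAX_XFER_SIZE];
+
+ if (2 + msg[j].len > sizeof(ibuf)) {
+ warn("i2c rd: len=%d is too big!\n",
+ msg[j].len);
+ return -EOPNOTSUPP;
+ }
+
  dw210x_op_rw(d->udev, 0xc3,
  (msg[j].addr << 1) + 1, 0,
  ibuf, msg[j].len + 2,
@@ -430,7 +461,14 @@ static int dw2104_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], i
  } while (len > 0);
  } else {
  /* write registers */
- u8 obuf[msg[j].len + 2];
+ u8 obuf[MAX_XFER_SIZE];
+
+ if (2 + msg[j].len > sizeof(obuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+ msg[j].len);
+ return -EOPNOTSUPP;
+ }
+
  obuf[0] = msg[j].addr << 1;
  obuf[1] = msg[j].len;
  memcpy(obuf + 2, msg[j].buf, msg[j].len);
@@ -463,7 +501,13 @@ static int dw3101_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
  case 2: {
  /* read */
  /* first write first register number */
- u8 ibuf[msg[1].len + 2], obuf[3];
+ u8 ibuf[MAX_XFER_SIZE], obuf[3];
+
+ if (2 + msg[1].len > sizeof(ibuf)) {
+ warn("i2c rd: len=%d is too big!\n",
+ msg[1].len);
+ return -EOPNOTSUPP;
+ }
  obuf[0] = msg[0].addr << 1;
  obuf[1] = msg[0].len;
  obuf[2] = msg[0].buf[0];
@@ -481,7 +525,13 @@ static int dw3101_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
  case 0x60:
  case 0x0c: {
  /* write to register */
- u8 obuf[msg[0].len + 2];
+ u8 obuf[MAX_XFER_SIZE];
+
+ if (2 + msg[0].len > sizeof(obuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+ msg[0].len);
+ return -EOPNOTSUPP;
+ }
  obuf[0] = msg[0].addr << 1;
  obuf[1] = msg[0].len;
  memcpy(obuf + 2, msg[0].buf, msg[0].len);
@@ -563,7 +613,14 @@ static int s6x0_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
  default: {
  if (msg[j].flags == I2C_M_RD) {
  /* read registers */
- u8 ibuf[msg[j].len];
+ u8 ibuf[MAX_XFER_SIZE];
+
+ if (msg[j].len > sizeof(ibuf)) {
+ warn("i2c rd: len=%d is too big!\n",
+ msg[j].len);
+ return -EOPNOTSUPP;
+ }
+
  dw210x_op_rw(d->udev, 0x91, 0, 0,
  ibuf, msg[j].len,
  DW210X_READ_MSG);
@@ -590,7 +647,14 @@ static int s6x0_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
  } while (len > 0);
  } else if (j < (num - 1)) {
  /* write register addr before read */
- u8 obuf[msg[j].len + 2];
+ u8 obuf[MAX_XFER_SIZE];
+
+ if (2 + msg[j].len > sizeof(obuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+ msg[j].len);
+ return -EOPNOTSUPP;
+ }
+
  obuf[0] = msg[j + 1].len;
  obuf[1] = (msg[j].addr << 1);
  memcpy(obuf + 2, msg[j].buf, msg[j].len);
@@ -602,7 +666,13 @@ static int s6x0_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
  break;
  } else {
  /* write registers */
- u8 obuf[msg[j].len + 2];
+ u8 obuf[MAX_XFER_SIZE];
+
+ if (2 + msg[j].len > sizeof(obuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+ msg[j].len);
+ return -EOPNOTSUPP;
+ }
  obuf[0] = msg[j].len + 1;
  obuf[1] = (msg[j].addr << 1);
  memcpy(obuf + 2, msg[j].buf, msg[j].len);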
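Review bot: In dw2102_earda_i2c_transfer(), the two write guards under `case 0x68` and `case 0x61` test `msg[0].len` but pass `msg[1].len` to the warning. Those cases sit under `switch (msg[0].addr)`, which appears to be the single-message path (the enclosing `switch` is outside the hunks). If so, `msg[1]` may not exist and the log call would read past the end of the message array; at best it reports the wrong length. Both calls should print `msg[0].len`, as the equivalent guard in dw3101_i2c_transfer() does.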
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index 3394c3432011..899cb6d1c4a4 100644
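--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -680,7 +680,8 @@ void uvc_video_clock_update(struct uvc_streaming *stream,
  stream->dev->name,
  sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536),
  y, ts.tv_sec, ts.tv_nsec / NSEC_PER_USEC,
- v4l2_buf->timestamp.tv_sec, v4l2_buf->timestamp.tv_usec,
+ v4l2_buf->timestamp.tv_sec,
+ (unsigned long)v4l2_buf->timestamp.tv_usec,
  x1, first->host_sof, first->dev_sof,
  x2, last->host_sof, last->dev_sof, y1, y2);
 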
diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c
index c85d69da35bd..85a6a34128a8 100644
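--- a/drivers/media/v4l2-core/v4l2-async.c
+++ b/drivers/media/v4l2-core/v4l2-async.c
@@ -189,30 +189,53 @@ void v4l2_async_notifier_unregister(struct v4l2_async_notifier *notifier)
  struct v4l2_subdev *sd, *tmp;
  unsigned int notif_n_subdev = notifier->num_subdevs;
  unsigned int n_subdev = min(notif_n_subdev, V4L2_MAX_SUBDEVS);
- struct device *dev[n_subdev];
+ struct device **dev;
  int i = 0;
 
  if (!notifier->v4l2_dev)
  return;
 
+ dev = kmalloc(n_subdev * sizeof(*dev), GFP_KERNEL);
+ if (!dev) {
+ dev_err(notifier->v4l2_dev->dev,
+ "Failed to allocate device cache!\n");
+ }
+
  mutex_lock(&list_lock);
 
  list_del(&notifier->list);
 
  list_for_each_entry_safe(sd, tmp, &notifier->done, async_list) {
- dev[i] = get_device(sd->dev);
+ struct device *d;
+
+ d = get_device(sd->dev);
 
  v4l2_async_cleanup(sd);
 
  /* If we handled USB devices, we'd have to lock the parent too */
- device_release_driver(dev[i++]);
+ device_release_driver(d);
 
  if (notifier->unbind)
  notifier->unbind(notifier, sd, sd->asd);
+
+ /*
+ * Store device at the device cache, in order to call
+ * put_device() on the final step
+ */
+ if (dev)
+ dev[i++] = d;
+ else
+ put_device(d);
  }
 
  mutex_unlock(&list_lock);
 
+ /*
+ * Call device_attach() to reprobe devices
+ *
+ * NOTE: If dev allocation fails, i is 0, and the whole loop won't be
+ * executed.
+ */
  while (i--) {
  struct device *d = dev[i];
 
@@ -228,6 +251,7 @@ void v4l2_async_notifier_unregister(struct v4l2_async_notifier *notifier)
  }
  put_device(d);
  }
+ kfree(dev);
 
  notifier->v4l2_dev = NULL;
 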
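Review bot: `dev` is now a heap array of `n_subdev` entries, but the store `dev[i++] = d;` inside the `list_for_each_entry_safe()` loop is bounded only by the length of `notifier->done`, not by `n_subdev`. If that list can ever hold more entries than `min(notif_n_subdev, V4L2_MAX_SUBDEVS)` (not determinable from this hunk), the write goes past the allocation. Using `if (dev && i < n_subdev)` would make the bound explicit and fall back to the existing `put_device(d)` branch. `kmalloc_array(n_subdev, sizeof(*dev), GFP_KERNEL)` would also state the sizing with an overflow check. A comment at the `dev_err()` call should say that on allocation failure the devices are released but never re-probed.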
diff --git a/drivers/staging/media/lirc/lirc_serial.c b/drivers/staging/media/lirc/lirc_serial.c
index f6bc4c91ab35..2e3a98575d47 100644
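--- a/drivers/staging/media/lirc/lirc_serial.c
+++ b/drivers/staging/media/lirc/lirc_serial.c
@@ -707,7 +707,8 @@ static irqreturn_t irq_handler(int i, void *blah)
  pr_warn("ignoring spike: %d %d %lx %lx %lx %lx\n",
  dcd, sense,
  tv.tv_sec, lasttv.tv_sec,
- tv.tv_usec, lasttv.tv_usec);
+ (unsigned long)tv.tv_usec,
+ (unsigned long)lasttv.tv_usec);
  continue;
  }
 
@@ -719,7 +720,8 @@ static irqreturn_t irq_handler(int i, void *blah)
  pr_warn("%d %d %lx %lx %lx %lx\n",
  dcd, sense,
  tv.tv_sec, lasttv.tv_sec,
- tv.tv_usec, lasttv.tv_usec);
+ (unsigned long)tv.tv_usec,
+ (unsigned long)lasttv.tv_usec);
  data = PULSE_MASK;
  } else if (deltv > 15) {
  data = PULSE_MASK; /* really long time */
@@ -728,7 +730,8 @@ static irqreturn_t irq_handler(int i, void *blah)
  pr_warn("AIEEEE: %d %d %lx %lx %lx %lx\n",
  dcd, sense,
  tv.tv_sec, lasttv.tv_sec,
- tv.tv_usec, lasttv.tv_usec);
+ (unsigned long)tv.tv_usec,
+ (unsigned long)lasttv.tv_usec);
  /*
  * detecting pulse while this
  * MUST be a space!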
diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index 11d5338b4f2f..0feeaadf29dc 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -61,6 +61,9 @@
61#include <media/lirc_dev.h> 61#include <media/lirc_dev.h>
62#include <media/lirc.h> 62#include <media/lirc.h>
63 63
64/* Max transfer size done by I2C transfer functions */
65#define MAX_XFER_SIZE 64
66
64struct IR; 67struct IR;
65 68
66struct IR_rx { 69struct IR_rx {
@@ -941,7 +944,14 @@ static ssize_t read(struct file *filep, char *outbuf, size_t n, loff_t *ppos)
941 schedule(); 944 schedule();
942 set_current_state(TASK_INTERRUPTIBLE); 945 set_current_state(TASK_INTERRUPTIBLE);
943 } else { 946 } else {
944 unsigned char buf[rbuf->chunk_size]; 947 unsigned char buf[MAX_XFER_SIZE];
948
949 if (rbuf->chunk_size > sizeof(buf)) {
950 zilog_error("chunk_size is too big (%d)!\n",
951 rbuf->chunk_size);
952 ret = -EINVAL;
953 break;
954 }
945 m = lirc_buffer_read(rbuf, buf); 955 m = lirc_buffer_read(rbuf, buf);
946 if (m == rbuf->chunk_size) { 956 if (m == rbuf->chunk_size) {
947 ret = copy_to_user((void *)outbuf+written, buf, 957 ret = copy_to_user((void *)outbuf+written, buf,