authorThomas Bogendoerfer <tsbogend@alpha.franken.de>2008-03-26 07:09:38 -0400
committerJens Axboe <jens.axboe@oracle.com>2008-04-21 03:50:08 -0400
commit22a9189fd073db3d03a4cf8b8c098aa207602de1 (patch)
treefdecb985720f2ca9c283d4b0f35f87e4b477e9e8 /drivers/cdrom
parent0a0c4114df4a6903bccb65b06cabb6ddc968f877 (diff)
cdrom: use kmalloced buffers instead of buffers on stack
If cdrom commands are issued to a scsi drive in most cases the buffer will be filled via dma. This leads to bad stack corruption on non coherent platforms, because the buffers are neither cache line aligned nor is the size a multiple of the cache line size. Using kmalloced buffers avoids this. Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Diffstat (limited to 'drivers/cdrom')
-rw-r--r--drivers/cdrom/cdrom.c274
1 files changed, 181 insertions, 93 deletions
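--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -461,27 +461,37 @@ int cdrom_get_media_event(struct cdrom_device_info *cdi,
  struct media_event_desc *med)
 {
  struct packet_command cgc;
- unsigned char buffer[8];
- struct event_header *eh = (struct event_header *) buffer;
+ unsigned char *buffer;
+ struct event_header *eh;
+ int ret = 1;
+
+ buffer = kmalloc(8, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
 
- init_cdrom_command(&cgc, buffer, sizeof(buffer), CGC_DATA_READ);
+ eh = (struct event_header *)buffer;
+
+ init_cdrom_command(&cgc, buffer, 8, CGC_DATA_READ);
  cgc.cmd[0] = GPCMD_GET_EVENT_STATUS_NOTIFICATION;
  cgc.cmd[1] = 1; /* IMMED */
  cgc.cmd[4] = 1 << 4; /* media event */
- cgc.cmd[8] = sizeof(buffer);
+ cgc.cmd[8] = 8;
  cgc.quiet = 1;
 
  if (cdi->ops->generic_packet(cdi, &cgc))
- return 1;
+ goto err;
 
  if (be16_to_cpu(eh->data_len) < sizeof(*med))
- return 1;
+ goto err;
 
  if (eh->nea || eh->notification_class != 0x4)
- return 1;
+ goto err;
 
- memcpy(med, &buffer[sizeof(*eh)], sizeof(*med));
- return 0;
+ memcpy(med, buffer + sizeof(*eh), sizeof(*med));
+ ret = 0;
+err:
+ kfree(buffer);
+ return ret;
 }
 
 /*
@@ -491,68 +501,82 @@ int cdrom_get_media_event(struct cdrom_device_info *cdi,
 static int cdrom_mrw_probe_pc(struct cdrom_device_info *cdi)
 {
  struct packet_command cgc;
- char buffer[16];
+ char *buffer;
+ int ret = 1;
+
+ buffer = kmalloc(16, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
 
- init_cdrom_command(&cgc, buffer, sizeof(buffer), CGC_DATA_READ);
+ init_cdrom_command(&cgc, buffer, 16, CGC_DATA_READ);
 
  cgc.timeout = HZ;
  cgc.quiet = 1;
 
  if (!cdrom_mode_sense(cdi, &cgc, MRW_MODE_PC, 0)) {
  cdi->mrw_mode_page = MRW_MODE_PC;
- return 0;
+ ret = 0;
  } else if (!cdrom_mode_sense(cdi, &cgc, MRW_MODE_PC_PRE1, 0)) {
  cdi->mrw_mode_page = MRW_MODE_PC_PRE1;
- return 0;
+ ret = 0;
  }
-
- return 1;
+ kfree(buffer);
+ return ret;
 }
 
 static int cdrom_is_mrw(struct cdrom_device_info *cdi, int *write)
 {
  struct packet_command cgc;
  struct mrw_feature_desc *mfd;
- unsigned char buffer[16];
+ unsigned char *buffer;
  int ret;
 
  *write = 0;
+ buffer = kmalloc(16, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
 
- init_cdrom_command(&cgc, buffer, sizeof(buffer), CGC_DATA_READ);
+ init_cdrom_command(&cgc, buffer, 16, CGC_DATA_READ);
 
  cgc.cmd[0] = GPCMD_GET_CONFIGURATION;
  cgc.cmd[3] = CDF_MRW;
- cgc.cmd[8] = sizeof(buffer);
+ cgc.cmd[8] = 16;
  cgc.quiet = 1;
 
  if ((ret = cdi->ops->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  mfd = (struct mrw_feature_desc *)&buffer[sizeof(struct feature_header)];
- if (be16_to_cpu(mfd->feature_code) != CDF_MRW)
- return 1;
+ if (be16_to_cpu(mfd->feature_code) != CDF_MRW) {
+ ret = 1;
+ goto err;
+ }
  *write = mfd->write;
 
  if ((ret = cdrom_mrw_probe_pc(cdi))) {
  *write = 0;
- return ret;
  }
-
- return 0;
+err:
+ kfree(buffer);
+ return ret;
 }
 
 static int cdrom_mrw_bgformat(struct cdrom_device_info *cdi, int cont)
 {
  struct packet_command cgc;
- unsigned char buffer[12];
+ unsigned char *buffer;
  int ret;
 
  printk(KERN_INFO "cdrom: %sstarting format\n", cont ? "Re" : "");
 
+ buffer = kmalloc(12, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
  /*
  * FmtData bit set (bit 4), format type is 1
  */
- init_cdrom_command(&cgc, buffer, sizeof(buffer), CGC_DATA_WRITE);
+ init_cdrom_command(&cgc, buffer, 12, CGC_DATA_WRITE);
  cgc.cmd[0] = GPCMD_FORMAT_UNIT;
  cgc.cmd[1] = (1 << 4) | 1;
 
@@ -579,6 +603,7 @@ static int cdrom_mrw_bgformat(struct cdrom_device_info *cdi, int cont)
  if (ret)
  printk(KERN_INFO "cdrom: bgformat failed\n");
 
+ kfree(buffer);
  return ret;
 }
 
@@ -638,16 +663,17 @@ static int cdrom_mrw_set_lba_space(struct cdrom_device_info *cdi, int space)
 {
  struct packet_command cgc;
  struct mode_page_header *mph;
- char buffer[16];
+ char *buffer;
  int ret, offset, size;
 
- init_cdrom_command(&cgc, buffer, sizeof(buffer), CGC_DATA_READ);
+ buffer = kmalloc(16, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
 
- cgc.buffer = buffer;
- cgc.buflen = sizeof(buffer);
+ init_cdrom_command(&cgc, buffer, 16, CGC_DATA_READ);
 
  if ((ret = cdrom_mode_sense(cdi, &cgc, cdi->mrw_mode_page, 0)))
- return ret;
+ goto err;
 
  mph = (struct mode_page_header *) buffer;
  offset = be16_to_cpu(mph->desc_length);
@@ -657,55 +683,70 @@ static int cdrom_mrw_set_lba_space(struct cdrom_device_info *cdi, int space)
  cgc.buflen = size;
 
  if ((ret = cdrom_mode_select(cdi, &cgc)))
- return ret;
+ goto err;
 
  printk(KERN_INFO "cdrom: %s: mrw address space %s selected\n", cdi->name, mrw_address_space[space]);
- return 0;
+ ret = 0;
+err:
+ kfree(buffer);
+ return ret;
 }
 
 static int cdrom_get_random_writable(struct cdrom_device_info *cdi,
  struct rwrt_feature_desc *rfd)
 {
  struct packet_command cgc;
- char buffer[24];
+ char *buffer;
  int ret;
 
- init_cdrom_command(&cgc, buffer, sizeof(buffer), CGC_DATA_READ);
+ buffer = kmalloc(24, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
+ init_cdrom_command(&cgc, buffer, 24, CGC_DATA_READ);
 
  cgc.cmd[0] = GPCMD_GET_CONFIGURATION; /* often 0x46 */
  cgc.cmd[3] = CDF_RWRT; /* often 0x0020 */
- cgc.cmd[8] = sizeof(buffer); /* often 0x18 */
+ cgc.cmd[8] = 24; /* often 0x18 */
  cgc.quiet = 1;
 
  if ((ret = cdi->ops->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  memcpy(rfd, &buffer[sizeof(struct feature_header)], sizeof (*rfd));
- return 0;
+ ret = 0;
+err:
+ kfree(buffer);
+ return ret;
 }
 
 static int cdrom_has_defect_mgt(struct cdrom_device_info *cdi)
 {
  struct packet_command cgc;
- char buffer[16];
+ char *buffer;
  __be16 *feature_code;
  int ret;
 
- init_cdrom_command(&cgc, buffer, sizeof(buffer), CGC_DATA_READ);
+ buffer = kmalloc(16, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
+ init_cdrom_command(&cgc, buffer, 16, CGC_DATA_READ);
 
  cgc.cmd[0] = GPCMD_GET_CONFIGURATION;
  cgc.cmd[3] = CDF_HWDM;
- cgc.cmd[8] = sizeof(buffer);
+ cgc.cmd[8] = 16;
  cgc.quiet = 1;
 
  if ((ret = cdi->ops->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  feature_code = (__be16 *) &buffer[sizeof(struct feature_header)];
  if (be16_to_cpu(*feature_code) == CDF_HWDM)
- return 0;
-
- return 1;
+ ret = 0;
+err:
+ kfree(buffer);
+ return ret;
 }
 
 
@@ -796,10 +837,14 @@ static int cdrom_mrw_open_write(struct cdrom_device_info *cdi)
 static int mo_open_write(struct cdrom_device_info *cdi)
 {
  struct packet_command cgc;
- char buffer[255];
+ char *buffer;
  int ret;
 
- init_cdrom_command(&cgc, &buffer, 4, CGC_DATA_READ);
+ buffer = kmalloc(255, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
+ init_cdrom_command(&cgc, buffer, 4, CGC_DATA_READ);
  cgc.quiet = 1;
 
  /*
@@ -816,10 +861,15 @@ static int mo_open_write(struct cdrom_device_info *cdi)
  }
 
  /* drive gave us no info, let the user go ahead */
- if (ret)
- return 0;
+ if (ret) {
+ ret = 0;
+ goto err;
+ }
 
- return buffer[3] & 0x80;
+ ret = buffer[3] & 0x80;
+err:
+ kfree(buffer);
+ return ret;
 }
 
 static int cdrom_ram_open_write(struct cdrom_device_info *cdi)
@@ -842,15 +892,19 @@ static int cdrom_ram_open_write(struct cdrom_device_info *cdi)
 static void cdrom_mmc3_profile(struct cdrom_device_info *cdi)
 {
  struct packet_command cgc;
- char buffer[32];
+ char *buffer;
  int ret, mmc3_profile;
 
- init_cdrom_command(&cgc, buffer, sizeof(buffer), CGC_DATA_READ);
+ buffer = kmalloc(32, GFP_KERNEL);
+ if (!buffer)
+ return;
+
+ init_cdrom_command(&cgc, buffer, 32, CGC_DATA_READ);
 
  cgc.cmd[0] = GPCMD_GET_CONFIGURATION;
  cgc.cmd[1] = 0;
  cgc.cmd[2] = cgc.cmd[3] = 0; /* Starting Feature Number */
- cgc.cmd[8] = sizeof(buffer); /* Allocation Length */
+ cgc.cmd[8] = 32; /* Allocation Length */
  cgc.quiet = 1;
 
  if ((ret = cdi->ops->generic_packet(cdi, &cgc)))
@@ -859,6 +913,7 @@ static void cdrom_mmc3_profile(struct cdrom_device_info *cdi)
  mmc3_profile = (buffer[6] << 8) | buffer[7];
 
  cdi->mmc3_profile = mmc3_profile;
+ kfree(buffer);
 }
 
 static int cdrom_is_dvd_rw(struct cdrom_device_info *cdi)
@@ -1573,12 +1628,15 @@ static void setup_send_key(struct packet_command *cgc, unsigned agid, unsigned t
 static int dvd_do_auth(struct cdrom_device_info *cdi, dvd_authinfo *ai)
 {
  int ret;
- u_char buf[20];
+ u_char *buf;
  struct packet_command cgc;
  struct cdrom_device_ops *cdo = cdi->ops;
- rpc_state_t rpc_state;
+ rpc_state_t *rpc_state;
+
+ buf = kzalloc(20, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
 
- memset(buf, 0, sizeof(buf));
  init_cdrom_command(&cgc, buf, 0, CGC_DATA_READ);
 
  switch (ai->type) {
@@ -1589,7 +1647,7 @@ static int dvd_do_auth(struct cdrom_device_info *cdi, dvd_authinfo *ai)
  setup_report_key(&cgc, ai->lsa.agid, 0);
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  ai->lsa.agid = buf[7] >> 6;
  /* Returning data, let host change state */
@@ -1600,7 +1658,7 @@ static int dvd_do_auth(struct cdrom_device_info *cdi, dvd_authinfo *ai)
  setup_report_key(&cgc, ai->lsk.agid, 2);
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  copy_key(ai->lsk.key, &buf[4]);
  /* Returning data, let host change state */
@@ -1611,7 +1669,7 @@ static int dvd_do_auth(struct cdrom_device_info *cdi, dvd_authinfo *ai)
  setup_report_key(&cgc, ai->lsc.agid, 1);
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  copy_chal(ai->lsc.chal, &buf[4]);
  /* Returning data, let host change state */
@@ -1628,7 +1686,7 @@ static int dvd_do_auth(struct cdrom_device_info *cdi, dvd_authinfo *ai)
  cgc.cmd[2] = ai->lstk.lba >> 24;
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  ai->lstk.cpm = (buf[4] >> 7) & 1;
  ai->lstk.cp_sec = (buf[4] >> 6) & 1;
@@ -1642,7 +1700,7 @@ static int dvd_do_auth(struct cdrom_device_info *cdi, dvd_authinfo *ai)
  setup_report_key(&cgc, ai->lsasf.agid, 5);
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  ai->lsasf.asf = buf[7] & 1;
  break;
@@ -1655,7 +1713,7 @@ static int dvd_do_auth(struct cdrom_device_info *cdi, dvd_authinfo *ai)
  copy_chal(&buf[4], ai->hsc.chal);
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  ai->type = DVD_LU_SEND_KEY1;
  break;
@@ -1668,7 +1726,7 @@ static int dvd_do_auth(struct cdrom_device_info *cdi, dvd_authinfo *ai)
 
  if ((ret = cdo->generic_packet(cdi, &cgc))) {
  ai->type = DVD_AUTH_FAILURE;
- return ret;
+ goto err;
  }
  ai->type = DVD_AUTH_ESTABLISHED;
  break;
@@ -1679,24 +1737,23 @@ static int dvd_do_auth(struct cdrom_device_info *cdi, dvd_authinfo *ai)
  cdinfo(CD_DVD, "entering DVD_INVALIDATE_AGID\n");
  setup_report_key(&cgc, ai->lsa.agid, 0x3f);
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
  break;
 
  /* Get region settings */
  case DVD_LU_SEND_RPC_STATE:
  cdinfo(CD_DVD, "entering DVD_LU_SEND_RPC_STATE\n");
  setup_report_key(&cgc, 0, 8);
- memset(&rpc_state, 0, sizeof(rpc_state_t));
- cgc.buffer = (char *) &rpc_state;
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
- ai->lrpcs.type = rpc_state.type_code;
- ai->lrpcs.vra = rpc_state.vra;
- ai->lrpcs.ucca = rpc_state.ucca;
- ai->lrpcs.region_mask = rpc_state.region_mask;
- ai->lrpcs.rpc_scheme = rpc_state.rpc_scheme;
+ rpc_state = (rpc_state_t *)buf;
+ ai->lrpcs.type = rpc_state->type_code;
+ ai->lrpcs.vra = rpc_state->vra;
+ ai->lrpcs.ucca = rpc_state->ucca;
+ ai->lrpcs.region_mask = rpc_state->region_mask;
+ ai->lrpcs.rpc_scheme = rpc_state->rpc_scheme;
  break;
 
  /* Set region settings */
@@ -1707,20 +1764,23 @@ static int dvd_do_auth(struct cdrom_device_info *cdi, dvd_authinfo *ai)
  buf[4] = ai->hrpcs.pdrc;
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
  break;
 
  default:
  cdinfo(CD_WARNING, "Invalid DVD key ioctl (%d)\n", ai->type);
- return -ENOTTY;
+ ret = -ENOTTY;
+ goto err;
  }
-
- return 0;
+ ret = 0;
+err:
+ kfree(buf);
+ return ret;
 }
 
 static int dvd_read_physical(struct cdrom_device_info *cdi, dvd_struct *s)
 {
- unsigned char buf[21], *base;
+ unsigned char *buf, *base;
  struct dvd_layer *layer;
  struct packet_command cgc;
  struct cdrom_device_ops *cdo = cdi->ops;
@@ -1729,7 +1789,11 @@ static int dvd_read_physical(struct cdrom_device_info *cdi, dvd_struct *s)
  if (layer_num >= DVD_LAYERS)
  return -EINVAL;
 
- init_cdrom_command(&cgc, buf, sizeof(buf), CGC_DATA_READ);
+ buf = kmalloc(21, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ init_cdrom_command(&cgc, buf, 21, CGC_DATA_READ);
  cgc.cmd[0] = GPCMD_READ_DVD_STRUCTURE;
  cgc.cmd[6] = layer_num;
  cgc.cmd[7] = s->type;
@@ -1741,7 +1805,7 @@ static int dvd_read_physical(struct cdrom_device_info *cdi, dvd_struct *s)
  cgc.quiet = 1;
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  base = &buf[4];
  layer = &s->physical.layer[layer_num];
@@ -1765,17 +1829,24 @@ static int dvd_read_physical(struct cdrom_device_info *cdi, dvd_struct *s)
  layer->end_sector_l0 = base[13] << 16 | base[14] << 8 | base[15];
  layer->bca = base[16] >> 7;
 
- return 0;
+ ret = 0;
+err:
+ kfree(buf);
+ return ret;
 }
 
 static int dvd_read_copyright(struct cdrom_device_info *cdi, dvd_struct *s)
 {
  int ret;
- u_char buf[8];
+ u_char *buf;
  struct packet_command cgc;
  struct cdrom_device_ops *cdo = cdi->ops;
 
- init_cdrom_command(&cgc, buf, sizeof(buf), CGC_DATA_READ);
+ buf = kmalloc(8, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ init_cdrom_command(&cgc, buf, 8, CGC_DATA_READ);
  cgc.cmd[0] = GPCMD_READ_DVD_STRUCTURE;
  cgc.cmd[6] = s->copyright.layer_num;
  cgc.cmd[7] = s->type;
@@ -1783,12 +1854,15 @@ static int dvd_read_copyright(struct cdrom_device_info *cdi, dvd_struct *s)
  cgc.cmd[9] = cgc.buflen & 0xff;
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  s->copyright.cpst = buf[4];
  s->copyright.rmi = buf[5];
 
- return 0;
+ ret = 0;
+err:
+ kfree(buf);
+ return ret;
 }
 
 static int dvd_read_disckey(struct cdrom_device_info *cdi, dvd_struct *s)
@@ -1820,26 +1894,33 @@ static int dvd_read_disckey(struct cdrom_device_info *cdi, dvd_struct *s)
 static int dvd_read_bca(struct cdrom_device_info *cdi, dvd_struct *s)
 {
  int ret;
- u_char buf[4 + 188];
+ u_char *buf;
  struct packet_command cgc;
  struct cdrom_device_ops *cdo = cdi->ops;
 
- init_cdrom_command(&cgc, buf, sizeof(buf), CGC_DATA_READ);
+ buf = kmalloc(4 + 188, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ init_cdrom_command(&cgc, buf, 4 + 188, CGC_DATA_READ);
  cgc.cmd[0] = GPCMD_READ_DVD_STRUCTURE;
  cgc.cmd[7] = s->type;
  cgc.cmd[9] = cgc.buflen & 0xff;
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  s->bca.len = buf[0] << 8 | buf[1];
  if (s->bca.len < 12 || s->bca.len > 188) {
  cdinfo(CD_WARNING, "Received invalid BCA length (%d)\n", s->bca.len);
- return -EIO;
+ ret = -EIO;
+ goto err;
  }
  memcpy(s->bca.value, &buf[4], s->bca.len);
-
- return 0;
+ ret = 0;
+err:
+ kfree(buf);
+ return ret;
 }
 
 static int dvd_read_manufact(struct cdrom_device_info *cdi, dvd_struct *s)
@@ -1939,9 +2020,13 @@ static int cdrom_read_subchannel(struct cdrom_device_info *cdi,
 {
  struct cdrom_device_ops *cdo = cdi->ops;
  struct packet_command cgc;
- char buffer[32];
+ char *buffer;
  int ret;
 
+ buffer = kmalloc(32, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
  init_cdrom_command(&cgc, buffer, 16, CGC_DATA_READ);
  cgc.cmd[0] = GPCMD_READ_SUBCHANNEL;
  cgc.cmd[1] = 2; /* MSF addressing */
@@ -1950,7 +2035,7 @@ static int cdrom_read_subchannel(struct cdrom_device_info *cdi,
  cgc.cmd[8] = 16;
 
  if ((ret = cdo->generic_packet(cdi, &cgc)))
- return ret;
+ goto err;
 
  subchnl->cdsc_audiostatus = cgc.buffer[1];
  subchnl->cdsc_format = CDROM_MSF;
@@ -1965,7 +2050,10 @@ static int cdrom_read_subchannel(struct cdrom_device_info *cdi,
  subchnl->cdsc_absaddr.msf.second = cgc.buffer[10];
  subchnl->cdsc_absaddr.msf.frame = cgc.buffer[11];
 
- return 0;
+ ret = 0;
+err:
+ kfree(buffer);
+ return ret;
 }
 
 /*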
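Review bot: In cdrom_has_defect_mgt the new tail returns 0 when the drive's feature code is not CDF_HWDM, where the old code returned 1. `ret` is already 0 after a successful generic_packet() call, so `if (be16_to_cpu(*feature_code) == CDF_HWDM) ret = 0;` changes nothing and the mismatch case falls through `err:` with 0. Putting `ret = 1;` ahead of that `if` (or adding `else ret = 1;`) restores the old contract; cdrom_is_mrw in the same section already handles its mismatch with an explicit `ret = 1;`. The callers are outside this page, but they presumably read 0 as "drive has hardware defect management", so a drive that does not report the feature would be treated as if it did. Separately, each buffer size is now repeated as a bare literal in kmalloc(), init_cdrom_command() and cgc.cmd[8] (and cdrom_read_subchannel allocates 32 bytes but transfers 16); a per-function named constant would keep the allocation and the transfer length from drifting apart.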