bas_gigaset: correctly allocate USB interrupt transfer buffer

[ Upstream commit 170ebf85160dd128e1c4206cc197cce7d1424705 ]

Every USB transfer buffer has to be allocated individually by kmalloc.

Impact: bugfix, no functional change

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Tested-by: Kolja Waschk <kawk@users.sourceforge.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c
index 3f11910c7ccdbf4c2edb31d360f3e40feba77d4b..fcec2dfc9963e30405ddb4825a0c84fda113918f 100644 (file)
--- a/drivers/isdn/gigaset/bas-gigaset.c
+++ b/drivers/isdn/gigaset/bas-gigaset.c
@@ -46,6 +46,9 @@ MODULE_PARM_DESC(cidmode, "Call-ID mode");
 /* length limit according to Siemens 3070usb-protokoll.doc ch. 2.1 */
 #define IF_WRITEBUF 264
 
+/* interrupt pipe message size according to ibid. ch. 2.2 */
+#define IP_MSGSIZE 3
+
 /* Values for the Gigaset 307x */
 #define USB_GIGA_VENDOR_ID      0x0681
 #define USB_3070_PRODUCT_ID     0x0001
@@ -110,7 +113,7 @@ struct bas_cardstate {
        unsigned char           *rcvbuf;        /* AT reply receive buffer */
 
        struct urb              *urb_int_in;    /* URB for interrupt pipe */
-       unsigned char           int_in_buf[3];
+       unsigned char           *int_in_buf;
 
        spinlock_t              lock;           /* locks all following */
        int                     basstate;       /* bitmap (BS_*) */
@@ -657,7 +660,7 @@ static void read_int_callback(struct urb *urb)
        }
 
        /* drop incomplete packets even if the missing bytes wouldn't matter */
-       if (unlikely(urb->actual_length < 3)) {
+       if (unlikely(urb->actual_length < IP_MSGSIZE)) {
                dev_warn(cs->dev, "incomplete interrupt packet (%d bytes)\n",
                         urb->actual_length);
                goto resubmit;
@@ -2127,6 +2130,7 @@ static void gigaset_reinitbcshw(struct bc_state *bcs)
 static void gigaset_freecshw(struct cardstate *cs)
 {
        /* timers, URBs and rcvbuf are disposed of in disconnect */
+       kfree(cs->hw.bas->int_in_buf);
        kfree(cs->hw.bas);
        cs->hw.bas = NULL;
 }
@@ -2232,6 +2236,12 @@ static int gigaset_probe(struct usb_interface *interface,
                }
                hostif = interface->cur_altsetting;
        }
+       ucs->int_in_buf = kmalloc(IP_MSGSIZE, GFP_KERNEL);
+       if (!ucs->int_in_buf) {
+               kfree(ucs);
+               pr_err("out of memory\n");
+               return 0;
+       }
 
        /* Reject application specific interfaces
         */
@@ -2290,7 +2300,7 @@ static int gigaset_probe(struct usb_interface *interface,
        usb_fill_int_urb(ucs->urb_int_in, udev,
                         usb_rcvintpipe(udev,
                                        (endpoint->bEndpointAddress) & 0x0f),
-                        ucs->int_in_buf, 3, read_int_callback, cs,
+                        ucs->int_in_buf, IP_MSGSIZE, read_int_callback, cs,
                         endpoint->bInterval);
        if ((rc = usb_submit_urb(ucs->urb_int_in, GFP_KERNEL)) != 0) {
                dev_err(cs->dev, "could not submit interrupt URB: %s\n",