board: fix stack overflow issue

PD#169652: board: fix stack overflow issue it is better to use kmalloc to alloc buffer instead of in stack buffer. Change-Id: I6825d8acff19248f2f6c789ed2218af42ca4ffd3 Signed-off-by: Ao Xu <ao.xu@amlogic.com>
2026-06-07 11:26:02 +09:00 · 2018-08-01 19:30:04 +08:00
parent 679da508da
commit c2c2825f0b
4 changed files with 45 additions and 7 deletions
--- a/drivers/amlogic/audioinfo/audio_data.c
+++ b/drivers/amlogic/audioinfo/audio_data.c
@@ -156,7 +156,13 @@ static ssize_t audio_data_read(struct file *filp, char __user *buf,
 {
 	int err = 0;
 	loff_t pos = 0;
-	char buftmp[EFUSE_BUF_SIZE] = {0};
+	char *buftmp;
+
+	buftmp = kzalloc(EFUSE_BUF_SIZE, GFP_KERNEL);
+	if (!buftmp) {
+		MYPRT("kzalloc fail.\n");
+		return -ENOMEM;
+	}

 	MYPRT("[%s]\n", __func__);
 	if (count > EFUSE_BUF_SIZE) {
@@ -175,6 +181,8 @@ static ssize_t audio_data_read(struct file *filp, char __user *buf,
 			}
 		}
 	}
+
+	kfree(buftmp);
 	if (!err)
 		return count;
 	else
--- a/drivers/amlogic/irblaster/irblaster.c
+++ b/drivers/amlogic/irblaster/irblaster.c
@@ -368,15 +368,21 @@ static long aml_irblaster_ioctl(struct file *filp, unsigned int cmd,

 	int consumerir_freqs = 0, duty_cycle = 0;
 	s32 r = 0;
-	char sendcode[MAX_PLUSE];
+	char *sendcode;
 	void __user *argp = (void __user *)args;

+	sendcode = kzalloc(MAX_PLUSE, GFP_KERNEL);
+	if (!sendcode)
+		return -ENOMEM;
+
 	irblaster_dbg("aml_irblaster_ioctl()  0x%4x\n ", cmd);
 	switch (cmd) {
 	case CONSUMERIR_TRANSMIT:
 		if (copy_from_user(sendcode, (char *)argp,
-					strlen((char *)argp)))
+					strlen((char *)argp))) {
+			kfree(sendcode);
 			return -EFAULT;
+		}
 		pr_info("send code is %s\n", sendcode);
 		r = send(sendcode, strlen(argp));
 		break;
@@ -384,6 +390,7 @@ static long aml_irblaster_ioctl(struct file *filp, unsigned int cmd,
 		pr_info("in get freq\n");
 		consumerir_freqs = get_consumerir_freqs(irblaster);
 		put_user(consumerir_freqs, (int *)argp);
+		kfree(sendcode);
 		return consumerir_freqs;
 	case SET_CARRIER:
 		pr_info("in set freq\n");
@@ -392,8 +399,10 @@ static long aml_irblaster_ioctl(struct file *filp, unsigned int cmd,
 		break;
 	case SET_DUTYCYCLE:
 		pr_info("in set duty_cycle\n");
-		if (copy_from_user(&duty_cycle, argp, sizeof(int)))
+		if (copy_from_user(&duty_cycle, argp, sizeof(int))) {
+			kfree(sendcode);
 			return -EFAULT;
+		}
 		get_user(duty_cycle, (int *)argp);
 		r = set_duty_cycle(duty_cycle);
 		break;
@@ -403,6 +412,7 @@ static long aml_irblaster_ioctl(struct file *filp, unsigned int cmd,
 		break;
 	}

+	kfree(sendcode);
 	return r;
 }
 static int aml_irblaster_release(struct inode *inode, struct file *file)
--- a/drivers/amlogic/irblaster/meson-irblaster.c
+++ b/drivers/amlogic/irblaster/meson-irblaster.c
@@ -377,15 +377,21 @@ static long aml_ir_blaster_ioctl(struct file *filp, unsigned int cmd,

 	int consumerir_freqs = 0, duty_cycle = 0;
 	s32 r = 0;
-	char sendcode[MAX_PLUSE];
+	char *sendcode;
 	void __user *argp = (void __user *)args;

+	sendcode = kzalloc(MAX_PLUSE, GFP_KERNEL);
+	if (!sendcode)
+		return -ENOMEM;
+
 	irblaster_dbg("aml_ir_blaster_ioctl()  0x%4x\n ", cmd);
 	switch (cmd) {
 	case CONSUMERIR_TRANSMIT:
 		if (copy_from_user(sendcode, (char *)argp,
-					strlen((char *)argp)))
+					strlen((char *)argp))) {
+			kfree(sendcode);
 			return -EFAULT;
+		}
 		pr_info("send code is %s\n", sendcode);
 		r = irblaster_send(sendcode, strlen(argp));
 		break;
@@ -394,6 +400,7 @@ static long aml_ir_blaster_ioctl(struct file *filp, unsigned int cmd,
 		consumerir_freqs =
 				get_irblaster_consumerir_freqs(irblaster_win);
 		put_user(consumerir_freqs, (int *)argp);
+		kfree(sendcode);
 		return consumerir_freqs;
 	case SET_CARRIER:
 		pr_info("in set freq\n");
@@ -403,8 +410,10 @@ static long aml_ir_blaster_ioctl(struct file *filp, unsigned int cmd,
 		break;
 	case SET_DUTYCYCLE:
 		pr_info("in set duty_cycle\n");
-		if (copy_from_user(&duty_cycle, argp, sizeof(int)))
+		if (copy_from_user(&duty_cycle, argp, sizeof(int))) {
+			kfree(sendcode);
 			return -EFAULT;
+		}
 		get_user(duty_cycle, (int *)argp);
 		r = set_irblaster_duty_cycle(duty_cycle);
 		break;
@@ -414,6 +423,7 @@ static long aml_ir_blaster_ioctl(struct file *filp, unsigned int cmd,
 		break;
 	}

+	kfree(sendcode);
 	return r;
 }
 static int aml_ir_blaster_release(struct inode *inode, struct file *file)
--- a/drivers/amlogic/mmc/emmc_partitions.c
+++ b/drivers/amlogic/mmc/emmc_partitions.c
@@ -158,6 +158,7 @@ static int _dtb_init(struct mmc_card *mmc)
 	int cpy = 1, valid = 0;
 	int bit = mmc->csd.read_blkbits;
 	int blk;
+#ifdef CONFIG_ARM64
 	unsigned int pgcnt;
 	struct page *page = NULL;

@@ -168,6 +169,11 @@ static int _dtb_init(struct mmc_card *mmc)
 	if (!page)
 		return -ENOMEM;
 	dtb = page_address(page);
+#else
+	dtb = kmalloc(CONFIG_DTB_SIZE, GFP_KERNEL);
+	if (!dtb)
+		return -ENOMEM;
+#endif

 	/* read dtb2 1st, for compatibility without checksum. */
 	while (cpy >= 0) {
@@ -190,7 +196,11 @@ static int _dtb_init(struct mmc_card *mmc)
 	}
 	pr_info("total valid %d\n", valid);

+#ifdef CONFIG_ARM64
 	dma_release_from_contiguous(NULL, page, pgcnt);
+#else
+	kfree(dtb);
+#endif

 	return ret;
 }