USB: mos7840: fix DMA buffers on stack and endianess bugs

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index 2cfe245..04bef4b 100644 (file)
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -283,12 +283,19 @@ static int mos7840_get_reg_sync(struct usb_serial_port *port, __u16 reg,
 {
        struct usb_device *dev = port->serial->dev;
        int ret = 0;
+       u8 *buf;
+
+       buf = kmalloc(VENDOR_READ_LENGTH, GFP_KERNEL);
+       if (!buf)
+               return -ENOMEM;
 
        ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ,
-                             MCS_RD_RTYPE, 0, reg, val, VENDOR_READ_LENGTH,
+                             MCS_RD_RTYPE, 0, reg, buf, VENDOR_READ_LENGTH,
                              MOS_WDR_TIMEOUT);
+       *val = buf[0];
        dbg("mos7840_get_reg_sync offset is %x, return val %x", reg, *val);
-       *val = (*val) & 0x00ff;
+
+       kfree(buf);
        return ret;
 }
 
@@ -341,6 +348,11 @@ static int mos7840_get_uart_reg(struct usb_serial_port *port, __u16 reg,
        struct usb_device *dev = port->serial->dev;
        int ret = 0;
        __u16 Wval;
+       u8 *buf;
+
+       buf = kmalloc(VENDOR_READ_LENGTH, GFP_KERNEL);
+       if (!buf)
+               return -ENOMEM;
 
        /* dbg("application number is %4x",
            (((__u16)port->number - (__u16)(port->serial->minor))+1)<<8); */
@@ -364,9 +376,11 @@ static int mos7840_get_uart_reg(struct usb_serial_port *port, __u16 reg,
                }
        }
        ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ,
-                             MCS_RD_RTYPE, Wval, reg, val, VENDOR_READ_LENGTH,
+                             MCS_RD_RTYPE, Wval, reg, buf, VENDOR_READ_LENGTH,
                              MOS_WDR_TIMEOUT);
-       *val = (*val) & 0x00ff;
+       *val = buf[0];
+
+       kfree(buf);
        return ret;
 }