diff options
author | Josh Boyer <jwboyer@redhat.com> | 2011-08-02 12:47:04 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@redhat.com> | 2011-08-02 12:49:07 -0400 |
commit | c2057797f6b2fc390fb32241372177d79d544276 (patch) | |
tree | 431911d3920fce22fa0deb7121e0801e4a6057c0 /ums-realtek-driver-uses-stack-memory-for-DMA.patch | |
parent | 502500759d247e7cfddc2717f9a770f522e6f5fc (diff) | |
download | kernel-c2057797f6b2fc390fb32241372177d79d544276.tar.gz kernel-c2057797f6b2fc390fb32241372177d79d544276.tar.xz kernel-c2057797f6b2fc390fb32241372177d79d544276.zip |
3.0-git17 snapshot
Add changes for rhbz 720128,720054,708314
Diffstat (limited to 'ums-realtek-driver-uses-stack-memory-for-DMA.patch')
-rw-r--r-- | ums-realtek-driver-uses-stack-memory-for-DMA.patch | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/ums-realtek-driver-uses-stack-memory-for-DMA.patch b/ums-realtek-driver-uses-stack-memory-for-DMA.patch new file mode 100644 index 000000000..98c8b0cf9 --- /dev/null +++ b/ums-realtek-driver-uses-stack-memory-for-DMA.patch @@ -0,0 +1,143 @@ +From patchwork Tue Aug 2 05:04:11 2011 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +Subject: ums-realtek driver uses stack memory for DMA +Date: Tue, 02 Aug 2011 05:04:11 -0000 +From: Adam Cozzette <acozzette@cs.hmc.edu> +X-Patchwork-Id: 1028062 +Message-Id: <20110802050411.GC3857@[192.168.0.12]> +To: Josh Boyer <jwboyer@redhat.com> +Cc: edwin_rong <edwin_rong@realsil.com.cn>, wwang <wei_wang@realsil.com.cn>, + Greg Kroah-Hartman <gregkh@suse.de>, linux-usb@vger.kernel.org, + linux-kernel@vger.kernel.org + +On Mon, Aug 01, 2011 at 05:09:06PM -0400, Josh Boyer wrote: +> Hello, +> +> We have a report that the ums-realtek driver is generating a backtrace +> due to using stack variables for DMA buffers. The backtrace is below +> and you can view the bug report here: +> https://bugzilla.redhat.com/show_bug.cgi?id=720054 +> +> Looking through the code, it seems that every call to rts51x_read_mem, +> rts51x_write_mem, and rts51x_read_status passes a stack variable to +> rts51x_bulk_transport, which then calls usb_stor_bulk_transfer_buf with +> this and generates the backtrace. It is my understanding that the +> driver should be passing variables that are not on the stack and have +> been allocated with memory that will be suitable for the DMA api (e.g. +> kmalloc). +> +> Was this missed during the initial review and is anyone working on +> adapting the driver to be compliant? + +Could you try out this patch if it looks ok to you? I have not tested it because +unfortunately I don't have the hardware. Right now it generates some compile +warnings like this one: + +drivers/usb/storage/realtek_cr.c:419:40: warning: ‘buf[0]’ may be used uninitialized in this function [-Wuninitialized] + +It think they are harmless but I didn't see an obvious way to get rid of them, +so if you have any suggestions I would be glad to hear them. + +This patch changed rts51x_read_mem, rts51x_write_mem, and rts51x_read_status to +allocate temporary buffers with kmalloc. This way stack addresses are not used +for DMA when these functions call rts51x_bulk_transport. + +Signed-off-by: Adam Cozzette <acozzette@cs.hmc.edu> + +--- +realtek_cr.c | 35 ++++++++++++++++++++++++++++++----- + 1 file changed, 30 insertions(+), 5 deletions(-) + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ + +diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c +index 34adc4b..232167a 100644 +--- a/drivers/usb/storage/realtek_cr.c ++++ b/drivers/usb/storage/realtek_cr.c +@@ -320,6 +320,11 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len) + { + int retval; + u8 cmnd[12] = { 0 }; ++ u8 *buf; ++ ++ buf = kmalloc(len, GFP_NOIO); ++ if (buf == NULL) ++ return USB_STOR_TRANSPORT_ERROR; + + US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len); + +@@ -331,10 +336,14 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len) + cmnd[5] = (u8) len; + + retval = rts51x_bulk_transport(us, 0, cmnd, 12, +- data, len, DMA_FROM_DEVICE, NULL); +- if (retval != USB_STOR_TRANSPORT_GOOD) ++ buf, len, DMA_FROM_DEVICE, NULL); ++ if (retval != USB_STOR_TRANSPORT_GOOD) { ++ kfree(buf); + return -EIO; ++ } + ++ memcpy(data, buf, len); ++ kfree(buf); + return 0; + } + +@@ -342,6 +351,12 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len) + { + int retval; + u8 cmnd[12] = { 0 }; ++ u8 *buf; ++ ++ buf = kmalloc(len, GFP_NOIO); ++ if (buf == NULL) ++ return USB_STOR_TRANSPORT_ERROR; ++ memcpy(buf, data, len); + + US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len); + +@@ -353,7 +368,8 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len) + cmnd[5] = (u8) len; + + retval = rts51x_bulk_transport(us, 0, cmnd, 12, +- data, len, DMA_TO_DEVICE, NULL); ++ buf, len, DMA_TO_DEVICE, NULL); ++ kfree(buf); + if (retval != USB_STOR_TRANSPORT_GOOD) + return -EIO; + +@@ -365,6 +381,11 @@ static int rts51x_read_status(struct us_data *us, + { + int retval; + u8 cmnd[12] = { 0 }; ++ u8 *buf; ++ ++ buf = kmalloc(len, GFP_NOIO); ++ if (buf == NULL) ++ return USB_STOR_TRANSPORT_ERROR; + + US_DEBUGP("%s, lun = %d\n", __func__, lun); + +@@ -372,10 +393,14 @@ static int rts51x_read_status(struct us_data *us, + cmnd[1] = 0x09; + + retval = rts51x_bulk_transport(us, lun, cmnd, 12, +- status, len, DMA_FROM_DEVICE, actlen); +- if (retval != USB_STOR_TRANSPORT_GOOD) ++ buf, len, DMA_FROM_DEVICE, actlen); ++ if (retval != USB_STOR_TRANSPORT_GOOD) { ++ kfree(buf); + return -EIO; ++ } + ++ memcpy(status, buf, len); ++ kfree(buf); + return 0; + } + |