3.0-git17 snapshot

Add changes for rhbz 720128,720054,708314
This commit is contained in:
Josh Boyer 2011-08-02 12:47:04 -04:00
parent 502500759d
commit c2057797f6
4 changed files with 282 additions and 3 deletions

View File

@ -0,0 +1,124 @@
From 1717b6b8b1de95ed4ca53b74d2ccb563fae9b898 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 2 Aug 2011 08:09:56 -0400
Subject: [PATCH] usbnet/cdc_ncm: Don't use stack variables for DMA buffers
The cdc_ncm driver still has a few places where stack variables are passed
to the cdc_ncm_do_request function. This triggers a stack trace in
lib/dma-debug.c if the CONFIG_DEBUG_DMA_API option is set.
Adjust these calls to pass parameters that have been allocated with kzalloc.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
drivers/net/usb/cdc_ncm.c | 54 +++++++++++++++++++++++++++++++++++----------
1 files changed, 42 insertions(+), 12 deletions(-)
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index fd622a6..bbcb133 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -260,23 +260,39 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
req.wIndex = cpu_to_le16(iface_no);
if (flags & USB_CDC_NCM_NCAP_NTB_INPUT_SIZE) {
- struct usb_cdc_ncm_ndp_input_size ndp_in_sz;
+ struct usb_cdc_ncm_ndp_input_size *ndp_in_sz;
+
+ ndp_in_sz = kzalloc(sizeof(*ndp_in_sz), GFP_KERNEL);
+ if (!ndp_in_sz) {
+ err = -ENOMEM;
+ goto size_err;
+ }
req.wLength = 8;
- ndp_in_sz.dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
- ndp_in_sz.wNtbInMaxDatagrams =
+ ndp_in_sz->dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
+ ndp_in_sz->wNtbInMaxDatagrams =
cpu_to_le16(CDC_NCM_DPT_DATAGRAMS_MAX);
- ndp_in_sz.wReserved = 0;
- err = cdc_ncm_do_request(ctx, &req, &ndp_in_sz, 0, NULL,
+ ndp_in_sz->wReserved = 0;
+ err = cdc_ncm_do_request(ctx, &req, ndp_in_sz, 0, NULL,
1000);
+ kfree(ndp_in_sz);
} else {
- __le32 dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
+ __le32 *dwNtbInMaxSize;
+ dwNtbInMaxSize = kzalloc(sizeof(*dwNtbInMaxSize),
+ GFP_KERNEL);
+ if (!dwNtbInMaxSize) {
+ err = -ENOMEM;
+ goto size_err;
+ }
+ *dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
req.wLength = 4;
- err = cdc_ncm_do_request(ctx, &req, &dwNtbInMaxSize, 0,
+ err = cdc_ncm_do_request(ctx, &req, dwNtbInMaxSize, 0,
NULL, 1000);
+ kfree(dwNtbInMaxSize);
}
+size_err:
if (err)
pr_debug("Setting NTB Input Size failed\n");
}
@@ -362,9 +378,16 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
/* set Max Datagram Size (MTU) */
if (flags & USB_CDC_NCM_NCAP_MAX_DATAGRAM_SIZE) {
- __le16 max_datagram_size;
+ __le16 *max_datagram_size;
u16 eth_max_sz = le16_to_cpu(ctx->ether_desc->wMaxSegmentSize);
+ max_datagram_size = kzalloc(sizeof(*max_datagram_size),
+ GFP_KERNEL);
+ if (!max_datagram_size) {
+ err = -ENOMEM;
+ goto max_dgram_err;
+ }
+
req.bmRequestType = USB_TYPE_CLASS | USB_DIR_IN |
USB_RECIP_INTERFACE;
req.bNotificationType = USB_CDC_GET_MAX_DATAGRAM_SIZE;
@@ -372,13 +395,17 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
req.wIndex = cpu_to_le16(iface_no);
req.wLength = cpu_to_le16(2);
- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size, 0, NULL,
+ err = cdc_ncm_do_request(ctx, &req, max_datagram_size, 0, NULL,
1000);
+
if (err) {
pr_debug("GET_MAX_DATAGRAM_SIZE failed, use size=%u\n",
CDC_NCM_MIN_DATAGRAM_SIZE);
+ kfree(max_datagram_size);
} else {
- ctx->max_datagram_size = le16_to_cpu(max_datagram_size);
+ ctx->max_datagram_size =
+ le16_to_cpu(*max_datagram_size);
+
/* Check Eth descriptor value */
if (eth_max_sz < CDC_NCM_MAX_DATAGRAM_SIZE) {
if (ctx->max_datagram_size > eth_max_sz)
@@ -401,10 +428,13 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
req.wValue = 0;
req.wIndex = cpu_to_le16(iface_no);
req.wLength = 2;
- max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
+ *max_datagram_size =
+ cpu_to_le16(ctx->max_datagram_size);
- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size,
+ err = cdc_ncm_do_request(ctx, &req, max_datagram_size,
0, NULL, 1000);
+ kfree(max_datagram_size);
+max_dgram_err:
if (err)
pr_debug("SET_MAX_DATAGRAM_SIZE failed\n");
}
--
1.7.6

View File

@ -84,7 +84,7 @@ Summary: The Linux kernel
# The rc snapshot level # The rc snapshot level
%define rcrev 0 %define rcrev 0
# The git snapshot level # The git snapshot level
%define gitrev 16 %define gitrev 17
# Set rpm version accordingly # Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0 %define rpmversion 3.%{upstream_sublevel}.0
%endif %endif
@ -681,6 +681,9 @@ Patch12018: neuter_intel_microcode_load.patch
Patch12021: udlfb-bind-framebuffer-to-interface.patch Patch12021: udlfb-bind-framebuffer-to-interface.patch
Patch12022: fix-cdc-ncm-dma-stack-vars.patch
Patch12023: ums-realtek-driver-uses-stack-memory-for-DMA.patch
# Runtime power management # Runtime power management
Patch12203: linux-2.6-usb-pci-autosuspend.patch Patch12203: linux-2.6-usb-pci-autosuspend.patch
Patch12204: linux-2.6-enable-more-pci-autosuspend.patch Patch12204: linux-2.6-enable-more-pci-autosuspend.patch
@ -1255,6 +1258,8 @@ ApplyPatch add-appleir-usb-driver.patch
ApplyPatch neuter_intel_microcode_load.patch ApplyPatch neuter_intel_microcode_load.patch
ApplyPatch udlfb-bind-framebuffer-to-interface.patch ApplyPatch udlfb-bind-framebuffer-to-interface.patch
ApplyPatch fix-cdc-ncm-dma-stack-vars.patch
ApplyPatch ums-realtek-driver-uses-stack-memory-for-DMA.patch
# Runtime PM # Runtime PM
#ApplyPatch linux-2.6-usb-pci-autosuspend.patch #ApplyPatch linux-2.6-usb-pci-autosuspend.patch
@ -1509,7 +1514,7 @@ BuildKernel() {
} }
collect_modules_list networking \ collect_modules_list networking \
'register_netdev|ieee80211_register_hw|usbnet_probe|phy_driver_register' 'register_netdev|ieee80211_register_hw|usbnet_probe|phy_driver_register|rt2x00(pci|usb)_probe'
collect_modules_list block \ collect_modules_list block \
'ata_scsi_ioctl|scsi_add_host|scsi_add_host_with_dma|blk_init_queue|register_mtd_blktrans|scsi_esp_register|scsi_register_device_handler' 'ata_scsi_ioctl|scsi_add_host|scsi_add_host_with_dma|blk_init_queue|register_mtd_blktrans|scsi_esp_register|scsi_register_device_handler'
collect_modules_list drm \ collect_modules_list drm \
@ -1885,6 +1890,13 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Tue Aug 02 2011 Josh Boyer <jwboyer@redhat.com>
- Linux 3.0-git17
- Add patch to fix backtrace in cdc_ncm driver (rhbz 720128)
- Add patch to fix backtrace in usm-realtek driver (rhbz 720054)
- Add change from Yanko Kaneti to get the rt2x00 drivers in modules.networking
(rhbz 708314)
* Tue Aug 02 2011 Josh Boyer <jwboyer@redhat.com> * Tue Aug 02 2011 Josh Boyer <jwboyer@redhat.com>
- Linux 3.0-git16 - Linux 3.0-git16

View File

@ -1,2 +1,2 @@
398e95866794def22b12dfbc15ce89c0 linux-3.0.tar.bz2 398e95866794def22b12dfbc15ce89c0 linux-3.0.tar.bz2
eadb090fc532027c618cf81b18bb6a04 patch-3.0-git16.bz2 038198e0406fd87c5dd9a1e6312bfb47 patch-3.0-git17.bz2

View File

@ -0,0 +1,143 @@
From patchwork Tue Aug 2 05:04:11 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: ums-realtek driver uses stack memory for DMA
Date: Tue, 02 Aug 2011 05:04:11 -0000
From: Adam Cozzette <acozzette@cs.hmc.edu>
X-Patchwork-Id: 1028062
Message-Id: <20110802050411.GC3857@[192.168.0.12]>
To: Josh Boyer <jwboyer@redhat.com>
Cc: edwin_rong <edwin_rong@realsil.com.cn>, wwang <wei_wang@realsil.com.cn>,
Greg Kroah-Hartman <gregkh@suse.de>, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org
On Mon, Aug 01, 2011 at 05:09:06PM -0400, Josh Boyer wrote:
> Hello,
>
> We have a report that the ums-realtek driver is generating a backtrace
> due to using stack variables for DMA buffers. The backtrace is below
> and you can view the bug report here:
> https://bugzilla.redhat.com/show_bug.cgi?id=720054
>
> Looking through the code, it seems that every call to rts51x_read_mem,
> rts51x_write_mem, and rts51x_read_status passes a stack variable to
> rts51x_bulk_transport, which then calls usb_stor_bulk_transfer_buf with
> this and generates the backtrace. It is my understanding that the
> driver should be passing variables that are not on the stack and have
> been allocated with memory that will be suitable for the DMA api (e.g.
> kmalloc).
>
> Was this missed during the initial review and is anyone working on
> adapting the driver to be compliant?
Could you try out this patch if it looks ok to you? I have not tested it because
unfortunately I don't have the hardware. Right now it generates some compile
warnings like this one:
drivers/usb/storage/realtek_cr.c:419:40: warning: buf[0] may be used uninitialized in this function [-Wuninitialized]
It think they are harmless but I didn't see an obvious way to get rid of them,
so if you have any suggestions I would be glad to hear them.
This patch changed rts51x_read_mem, rts51x_write_mem, and rts51x_read_status to
allocate temporary buffers with kmalloc. This way stack addresses are not used
for DMA when these functions call rts51x_bulk_transport.
Signed-off-by: Adam Cozzette <acozzette@cs.hmc.edu>
---
realtek_cr.c | 35 ++++++++++++++++++++++++++++++-----
1 file changed, 30 insertions(+), 5 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c
index 34adc4b..232167a 100644
--- a/drivers/usb/storage/realtek_cr.c
+++ b/drivers/usb/storage/realtek_cr.c
@@ -320,6 +320,11 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
{
int retval;
u8 cmnd[12] = { 0 };
+ u8 *buf;
+
+ buf = kmalloc(len, GFP_NOIO);
+ if (buf == NULL)
+ return USB_STOR_TRANSPORT_ERROR;
US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
@@ -331,10 +336,14 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
cmnd[5] = (u8) len;
retval = rts51x_bulk_transport(us, 0, cmnd, 12,
- data, len, DMA_FROM_DEVICE, NULL);
- if (retval != USB_STOR_TRANSPORT_GOOD)
+ buf, len, DMA_FROM_DEVICE, NULL);
+ if (retval != USB_STOR_TRANSPORT_GOOD) {
+ kfree(buf);
return -EIO;
+ }
+ memcpy(data, buf, len);
+ kfree(buf);
return 0;
}
@@ -342,6 +351,12 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
{
int retval;
u8 cmnd[12] = { 0 };
+ u8 *buf;
+
+ buf = kmalloc(len, GFP_NOIO);
+ if (buf == NULL)
+ return USB_STOR_TRANSPORT_ERROR;
+ memcpy(buf, data, len);
US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
@@ -353,7 +368,8 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
cmnd[5] = (u8) len;
retval = rts51x_bulk_transport(us, 0, cmnd, 12,
- data, len, DMA_TO_DEVICE, NULL);
+ buf, len, DMA_TO_DEVICE, NULL);
+ kfree(buf);
if (retval != USB_STOR_TRANSPORT_GOOD)
return -EIO;
@@ -365,6 +381,11 @@ static int rts51x_read_status(struct us_data *us,
{
int retval;
u8 cmnd[12] = { 0 };
+ u8 *buf;
+
+ buf = kmalloc(len, GFP_NOIO);
+ if (buf == NULL)
+ return USB_STOR_TRANSPORT_ERROR;
US_DEBUGP("%s, lun = %d\n", __func__, lun);
@@ -372,10 +393,14 @@ static int rts51x_read_status(struct us_data *us,
cmnd[1] = 0x09;
retval = rts51x_bulk_transport(us, lun, cmnd, 12,
- status, len, DMA_FROM_DEVICE, actlen);
- if (retval != USB_STOR_TRANSPORT_GOOD)
+ buf, len, DMA_FROM_DEVICE, actlen);
+ if (retval != USB_STOR_TRANSPORT_GOOD) {
+ kfree(buf);
return -EIO;
+ }
+ memcpy(status, buf, len);
+ kfree(buf);
return 0;
}