From patchwork Tue Aug 2 05:04:11 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: ums-realtek driver uses stack memory for DMA
Date: Tue, 02 Aug 2011 05:04:11 -0000
From: Adam Cozzette <acozzette@cs.hmc.edu>
X-Patchwork-Id: 1028062
Message-Id: <20110802050411.GC3857@[192.168.0.12]>
To: Josh Boyer <jwboyer@redhat.com>
Cc: edwin_rong <edwin_rong@realsil.com.cn>, wwang <wei_wang@realsil.com.cn>,
Greg Kroah-Hartman <gregkh@suse.de>, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org
On Mon, Aug 01, 2011 at 05:09:06PM -0400, Josh Boyer wrote:
> Hello,
>
> We have a report that the ums-realtek driver is generating a backtrace
> due to using stack variables for DMA buffers. The backtrace is below
> and you can view the bug report here:
> https://bugzilla.redhat.com/show_bug.cgi?id=720054
>
> Looking through the code, it seems that every call to rts51x_read_mem,
> rts51x_write_mem, and rts51x_read_status passes a stack variable to
> rts51x_bulk_transport, which then calls usb_stor_bulk_transfer_buf with
> this and generates the backtrace. It is my understanding that the
> driver should be passing variables that are not on the stack and have
> been allocated with memory that will be suitable for the DMA api (e.g.
> kmalloc).
>
> Was this missed during the initial review and is anyone working on
> adapting the driver to be compliant?
Could you try out this patch if it looks ok to you? I have not tested it because
unfortunately I don't have the hardware. Right now it generates some compile
warnings like this one:
drivers/usb/storage/realtek_cr.c:419:40: warning: ‘buf[0]’ may be used uninitialized in this function [-Wuninitialized]
I think they are harmless but I didn't see an obvious way to get rid of them,
so if you have any suggestions I would be glad to hear them.
This patch changed rts51x_read_mem, rts51x_write_mem, and rts51x_read_status to
allocate temporary buffers with kmalloc. This way stack addresses are not used
for DMA when these functions call rts51x_bulk_transport.
Signed-off-by: Adam Cozzette <acozzette@cs.hmc.edu>
---
realtek_cr.c | 35 ++++++++++++++++++++++++++++++-----
1 file changed, 30 insertions(+), 5 deletions(-)
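diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c
index 34adc4b..232167a 100644
--- a/drivers/usb/storage/realtek_cr.c
+++ b/drivers/usb/storage/realtek_cr.c
@@ -320,6 +320,11 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
 {
 int retval;
 u8 cmnd[12] = { 0 };
+ u8 *buf;
+
+ buf = kmalloc(len, GFP_NOIO);
+ if (buf == NULL)
+ return USB_STOR_TRANSPORT_ERROR;
 
 US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
 
@@ -331,10 +336,14 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
 cmnd[5] = (u8) len;
 
 retval = rts51x_bulk_transport(us, 0, cmnd, 12,
- data, len, DMA_FROM_DEVICE, NULL);
- if (retval != USB_STOR_TRANSPORT_GOOD)
+ buf, len, DMA_FROM_DEVICE, NULL);
+ if (retval != USB_STOR_TRANSPORT_GOOD) {
+ kfree(buf);
 return -EIO;
+ }
 
+ memcpy(data, buf, len);
+ kfree(buf);
 return 0;
 }
 
@@ -342,6 +351,12 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
 {
 int retval;
 u8 cmnd[12] = { 0 };
+ u8 *buf;
+
+ buf = kmalloc(len, GFP_NOIO);
+ if (buf == NULL)
+ return USB_STOR_TRANSPORT_ERROR;
+ memcpy(buf, data, len);
 
 US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
 
@@ -353,7 +368,8 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
 cmnd[5] = (u8) len;
 
 retval = rts51x_bulk_transport(us, 0, cmnd, 12,
- data, len, DMA_TO_DEVICE, NULL);
+ buf, len, DMA_TO_DEVICE, NULL);
+ kfree(buf);
 if (retval != USB_STOR_TRANSPORT_GOOD)
 return -EIO;
 
@@ -365,6 +381,11 @@ static int rts51x_read_status(struct us_data *us,
 {
 int retval;
 u8 cmnd[12] = { 0 };
+ u8 *buf;
+
+ buf = kmalloc(len, GFP_NOIO);
+ if (buf == NULL)
+ return USB_STOR_TRANSPORT_ERROR;
 
 US_DEBUGP("%s, lun = %d\n", __func__, lun);
 
@@ -372,10 +393,14 @@ static int rts51x_read_status(struct us_data *us,
 cmnd[1] = 0x09;
 
 retval = rts51x_bulk_transport(us, lun, cmnd, 12,
- status, len, DMA_FROM_DEVICE, actlen);
- if (retval != USB_STOR_TRANSPORT_GOOD)
+ buf, len, DMA_FROM_DEVICE, actlen);
+ if (retval != USB_STOR_TRANSPORT_GOOD) {
+ kfree(buf);
 return -EIO;
+ }
 
+ memcpy(status, buf, len);
+ kfree(buf);
 return 0;
 }
 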
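Review bot: In rts51x_read_status the bounce buffer comes from `kmalloc` and the full `len` bytes are copied out with `memcpy(status, buf, len)`, although the transfer reports how much actually arrived through `actlen`; if the device answers with fewer bytes and the transport still returns USB_STOR_TRANSPORT_GOOD (rts51x_bulk_transport is outside these hunks, so this is unconfirmed), the caller receives uninitialized kernel heap contents. The same pattern is in rts51x_read_mem with `memcpy(data, buf, len)`. Allocating the two read-path buffers with `buf = kzalloc(len, GFP_NOIO);` would keep the uncopied tail deterministic for a misbehaving or hostile USB device. Separately, all three allocation-failure paths return the positive `USB_STOR_TRANSPORT_ERROR` while every other failure in these functions returns `-EIO`; `return -ENOMEM;` would keep the convention negative for callers that test `retval < 0` (callers are not visible here). In rts51x_write_mem the allocate-then-copy pair could be the single call `buf = kmemdup(data, len, GFP_NOIO);`.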