From c2057797f6b2fc390fb32241372177d79d544276 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Aug 02 2011 16:49:07 +0000 Subject: 3.0-git17 snapshot Add changes for rhbz 720128,720054,708314 --- diff --git a/fix-cdc-ncm-dma-stack-vars.patch b/fix-cdc-ncm-dma-stack-vars.patch new file mode 100644 index 0000000..6d7f5b8 --- /dev/null +++ b/fix-cdc-ncm-dma-stack-vars.patch @@ -0,0 +1,124 @@ +From 1717b6b8b1de95ed4ca53b74d2ccb563fae9b898 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Tue, 2 Aug 2011 08:09:56 -0400 +Subject: [PATCH] usbnet/cdc_ncm: Don't use stack variables for DMA buffers + +The cdc_ncm driver still has a few places where stack variables are passed +to the cdc_ncm_do_request function. This triggers a stack trace in +lib/dma-debug.c if the CONFIG_DEBUG_DMA_API option is set. + +Adjust these calls to pass parameters that have been allocated with kzalloc. + +Signed-off-by: Josh Boyer +--- + drivers/net/usb/cdc_ncm.c | 54 +++++++++++++++++++++++++++++++++++---------- + 1 files changed, 42 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index fd622a6..bbcb133 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -260,23 +260,39 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx) + req.wIndex = cpu_to_le16(iface_no); + + if (flags & USB_CDC_NCM_NCAP_NTB_INPUT_SIZE) { +- struct usb_cdc_ncm_ndp_input_size ndp_in_sz; ++ struct usb_cdc_ncm_ndp_input_size *ndp_in_sz; ++ ++ ndp_in_sz = kzalloc(sizeof(*ndp_in_sz), GFP_KERNEL); ++ if (!ndp_in_sz) { ++ err = -ENOMEM; ++ goto size_err; ++ } + + req.wLength = 8; +- ndp_in_sz.dwNtbInMaxSize = cpu_to_le32(ctx->rx_max); +- ndp_in_sz.wNtbInMaxDatagrams = ++ ndp_in_sz->dwNtbInMaxSize = cpu_to_le32(ctx->rx_max); ++ ndp_in_sz->wNtbInMaxDatagrams = + cpu_to_le16(CDC_NCM_DPT_DATAGRAMS_MAX); +- ndp_in_sz.wReserved = 0; +- err = cdc_ncm_do_request(ctx, &req, &ndp_in_sz, 0, NULL, ++ ndp_in_sz->wReserved = 0; ++ err = cdc_ncm_do_request(ctx, &req, ndp_in_sz, 0, NULL, + 1000); ++ kfree(ndp_in_sz); + } else { +- __le32 dwNtbInMaxSize = cpu_to_le32(ctx->rx_max); ++ __le32 *dwNtbInMaxSize; ++ dwNtbInMaxSize = kzalloc(sizeof(*dwNtbInMaxSize), ++ GFP_KERNEL); ++ if (!dwNtbInMaxSize) { ++ err = -ENOMEM; ++ goto size_err; ++ } ++ *dwNtbInMaxSize = cpu_to_le32(ctx->rx_max); + + req.wLength = 4; +- err = cdc_ncm_do_request(ctx, &req, &dwNtbInMaxSize, 0, ++ err = cdc_ncm_do_request(ctx, &req, dwNtbInMaxSize, 0, + NULL, 1000); ++ kfree(dwNtbInMaxSize); + } + ++size_err: + if (err) + pr_debug("Setting NTB Input Size failed\n"); + } +@@ -362,9 +378,16 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx) + + /* set Max Datagram Size (MTU) */ + if (flags & USB_CDC_NCM_NCAP_MAX_DATAGRAM_SIZE) { +- __le16 max_datagram_size; ++ __le16 *max_datagram_size; + u16 eth_max_sz = le16_to_cpu(ctx->ether_desc->wMaxSegmentSize); + ++ max_datagram_size = kzalloc(sizeof(*max_datagram_size), ++ GFP_KERNEL); ++ if (!max_datagram_size) { ++ err = -ENOMEM; ++ goto max_dgram_err; ++ } ++ + req.bmRequestType = USB_TYPE_CLASS | USB_DIR_IN | + USB_RECIP_INTERFACE; + req.bNotificationType = USB_CDC_GET_MAX_DATAGRAM_SIZE; +@@ -372,13 +395,17 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx) + req.wIndex = cpu_to_le16(iface_no); + req.wLength = cpu_to_le16(2); + +- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size, 0, NULL, ++ err = cdc_ncm_do_request(ctx, &req, max_datagram_size, 0, NULL, + 1000); ++ + if (err) { + pr_debug("GET_MAX_DATAGRAM_SIZE failed, use size=%u\n", + CDC_NCM_MIN_DATAGRAM_SIZE); ++ kfree(max_datagram_size); + } else { +- ctx->max_datagram_size = le16_to_cpu(max_datagram_size); ++ ctx->max_datagram_size = ++ le16_to_cpu(*max_datagram_size); ++ + /* Check Eth descriptor value */ + if (eth_max_sz < CDC_NCM_MAX_DATAGRAM_SIZE) { + if (ctx->max_datagram_size > eth_max_sz) +@@ -401,10 +428,13 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx) + req.wValue = 0; + req.wIndex = cpu_to_le16(iface_no); + req.wLength = 2; +- max_datagram_size = cpu_to_le16(ctx->max_datagram_size); ++ *max_datagram_size = ++ cpu_to_le16(ctx->max_datagram_size); + +- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size, ++ err = cdc_ncm_do_request(ctx, &req, max_datagram_size, + 0, NULL, 1000); ++ kfree(max_datagram_size); ++max_dgram_err: + if (err) + pr_debug("SET_MAX_DATAGRAM_SIZE failed\n"); + } +-- +1.7.6 + diff --git a/kernel.spec b/kernel.spec index fc65365..f98dca7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -84,7 +84,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 16 +%define gitrev 17 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -681,6 +681,9 @@ Patch12018: neuter_intel_microcode_load.patch Patch12021: udlfb-bind-framebuffer-to-interface.patch +Patch12022: fix-cdc-ncm-dma-stack-vars.patch +Patch12023: ums-realtek-driver-uses-stack-memory-for-DMA.patch + # Runtime power management Patch12203: linux-2.6-usb-pci-autosuspend.patch Patch12204: linux-2.6-enable-more-pci-autosuspend.patch @@ -1255,6 +1258,8 @@ ApplyPatch add-appleir-usb-driver.patch ApplyPatch neuter_intel_microcode_load.patch ApplyPatch udlfb-bind-framebuffer-to-interface.patch +ApplyPatch fix-cdc-ncm-dma-stack-vars.patch +ApplyPatch ums-realtek-driver-uses-stack-memory-for-DMA.patch # Runtime PM #ApplyPatch linux-2.6-usb-pci-autosuspend.patch @@ -1509,7 +1514,7 @@ BuildKernel() { } collect_modules_list networking \ - 'register_netdev|ieee80211_register_hw|usbnet_probe|phy_driver_register' + 'register_netdev|ieee80211_register_hw|usbnet_probe|phy_driver_register|rt2x00(pci|usb)_probe' collect_modules_list block \ 'ata_scsi_ioctl|scsi_add_host|scsi_add_host_with_dma|blk_init_queue|register_mtd_blktrans|scsi_esp_register|scsi_register_device_handler' collect_modules_list drm \ @@ -1886,6 +1891,13 @@ fi # || || %changelog * Tue Aug 02 2011 Josh Boyer +- Linux 3.0-git17 +- Add patch to fix backtrace in cdc_ncm driver (rhbz 720128) +- Add patch to fix backtrace in usm-realtek driver (rhbz 720054) +- Add change from Yanko Kaneti to get the rt2x00 drivers in modules.networking + (rhbz 708314) + +* Tue Aug 02 2011 Josh Boyer - Linux 3.0-git16 * Mon Aug 01 2011 Josh Boyer diff --git a/sources b/sources index 3b4fb8a..e6aa8c1 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 398e95866794def22b12dfbc15ce89c0 linux-3.0.tar.bz2 -eadb090fc532027c618cf81b18bb6a04 patch-3.0-git16.bz2 +038198e0406fd87c5dd9a1e6312bfb47 patch-3.0-git17.bz2 diff --git a/ums-realtek-driver-uses-stack-memory-for-DMA.patch b/ums-realtek-driver-uses-stack-memory-for-DMA.patch new file mode 100644 index 0000000..98c8b0c --- /dev/null +++ b/ums-realtek-driver-uses-stack-memory-for-DMA.patch @@ -0,0 +1,143 @@ +From patchwork Tue Aug 2 05:04:11 2011 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +Subject: ums-realtek driver uses stack memory for DMA +Date: Tue, 02 Aug 2011 05:04:11 -0000 +From: Adam Cozzette +X-Patchwork-Id: 1028062 +Message-Id: <20110802050411.GC3857@[192.168.0.12]> +To: Josh Boyer +Cc: edwin_rong , wwang , + Greg Kroah-Hartman , linux-usb@vger.kernel.org, + linux-kernel@vger.kernel.org + +On Mon, Aug 01, 2011 at 05:09:06PM -0400, Josh Boyer wrote: +> Hello, +> +> We have a report that the ums-realtek driver is generating a backtrace +> due to using stack variables for DMA buffers. The backtrace is below +> and you can view the bug report here: +> https://bugzilla.redhat.com/show_bug.cgi?id=720054 +> +> Looking through the code, it seems that every call to rts51x_read_mem, +> rts51x_write_mem, and rts51x_read_status passes a stack variable to +> rts51x_bulk_transport, which then calls usb_stor_bulk_transfer_buf with +> this and generates the backtrace. It is my understanding that the +> driver should be passing variables that are not on the stack and have +> been allocated with memory that will be suitable for the DMA api (e.g. +> kmalloc). +> +> Was this missed during the initial review and is anyone working on +> adapting the driver to be compliant? + +Could you try out this patch if it looks ok to you? I have not tested it because +unfortunately I don't have the hardware. Right now it generates some compile +warnings like this one: + +drivers/usb/storage/realtek_cr.c:419:40: warning: ‘buf[0]’ may be used uninitialized in this function [-Wuninitialized] + +It think they are harmless but I didn't see an obvious way to get rid of them, +so if you have any suggestions I would be glad to hear them. + +This patch changed rts51x_read_mem, rts51x_write_mem, and rts51x_read_status to +allocate temporary buffers with kmalloc. This way stack addresses are not used +for DMA when these functions call rts51x_bulk_transport. + +Signed-off-by: Adam Cozzette + +--- +realtek_cr.c | 35 ++++++++++++++++++++++++++++++----- + 1 file changed, 30 insertions(+), 5 deletions(-) + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ + +diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c +index 34adc4b..232167a 100644 +--- a/drivers/usb/storage/realtek_cr.c ++++ b/drivers/usb/storage/realtek_cr.c +@@ -320,6 +320,11 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len) + { + int retval; + u8 cmnd[12] = { 0 }; ++ u8 *buf; ++ ++ buf = kmalloc(len, GFP_NOIO); ++ if (buf == NULL) ++ return USB_STOR_TRANSPORT_ERROR; + + US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len); + +@@ -331,10 +336,14 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len) + cmnd[5] = (u8) len; + + retval = rts51x_bulk_transport(us, 0, cmnd, 12, +- data, len, DMA_FROM_DEVICE, NULL); +- if (retval != USB_STOR_TRANSPORT_GOOD) ++ buf, len, DMA_FROM_DEVICE, NULL); ++ if (retval != USB_STOR_TRANSPORT_GOOD) { ++ kfree(buf); + return -EIO; ++ } + ++ memcpy(data, buf, len); ++ kfree(buf); + return 0; + } + +@@ -342,6 +351,12 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len) + { + int retval; + u8 cmnd[12] = { 0 }; ++ u8 *buf; ++ ++ buf = kmalloc(len, GFP_NOIO); ++ if (buf == NULL) ++ return USB_STOR_TRANSPORT_ERROR; ++ memcpy(buf, data, len); + + US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len); + +@@ -353,7 +368,8 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len) + cmnd[5] = (u8) len; + + retval = rts51x_bulk_transport(us, 0, cmnd, 12, +- data, len, DMA_TO_DEVICE, NULL); ++ buf, len, DMA_TO_DEVICE, NULL); ++ kfree(buf); + if (retval != USB_STOR_TRANSPORT_GOOD) + return -EIO; + +@@ -365,6 +381,11 @@ static int rts51x_read_status(struct us_data *us, + { + int retval; + u8 cmnd[12] = { 0 }; ++ u8 *buf; ++ ++ buf = kmalloc(len, GFP_NOIO); ++ if (buf == NULL) ++ return USB_STOR_TRANSPORT_ERROR; + + US_DEBUGP("%s, lun = %d\n", __func__, lun); + +@@ -372,10 +393,14 @@ static int rts51x_read_status(struct us_data *us, + cmnd[1] = 0x09; + + retval = rts51x_bulk_transport(us, lun, cmnd, 12, +- status, len, DMA_FROM_DEVICE, actlen); +- if (retval != USB_STOR_TRANSPORT_GOOD) ++ buf, len, DMA_FROM_DEVICE, actlen); ++ if (retval != USB_STOR_TRANSPORT_GOOD) { ++ kfree(buf); + return -EIO; ++ } + ++ memcpy(status, buf, len); ++ kfree(buf); + return 0; + } +