[kernel] 3.0-git17 snapshot
Josh Boyer
jwboyer at fedoraproject.org
Tue Aug 2 16:49:28 UTC 2011
commit c2057797f6b2fc390fb32241372177d79d544276
Author: Josh Boyer <jwboyer at redhat.com>
Date: Tue Aug 2 12:47:04 2011 -0400
3.0-git17 snapshot
Add changes for rhbz 720128,720054,708314
fix-cdc-ncm-dma-stack-vars.patch | 124 +++++++++++++++++
kernel.spec | 16 ++-
sources | 2 +-
ums-realtek-driver-uses-stack-memory-for-DMA.patch | 143 ++++++++++++++++++++
4 files changed, 282 insertions(+), 3 deletions(-)
---
diff --git a/fix-cdc-ncm-dma-stack-vars.patch b/fix-cdc-ncm-dma-stack-vars.patch
new file mode 100644
index 0000000..6d7f5b8
--- /dev/null
+++ b/fix-cdc-ncm-dma-stack-vars.patch
@@ -0,0 +1,124 @@
+From 1717b6b8b1de95ed4ca53b74d2ccb563fae9b898 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at redhat.com>
+Date: Tue, 2 Aug 2011 08:09:56 -0400
+Subject: [PATCH] usbnet/cdc_ncm: Don't use stack variables for DMA buffers
+
+The cdc_ncm driver still has a few places where stack variables are passed
+to the cdc_ncm_do_request function. This triggers a stack trace in
+lib/dma-debug.c if the CONFIG_DEBUG_DMA_API option is set.
+
+Adjust these calls to pass parameters that have been allocated with kzalloc.
+
+Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+---
+ drivers/net/usb/cdc_ncm.c | 54 +++++++++++++++++++++++++++++++++++----------
+ 1 files changed, 42 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index fd622a6..bbcb133 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -260,23 +260,39 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
+ req.wIndex = cpu_to_le16(iface_no);
+
+ if (flags & USB_CDC_NCM_NCAP_NTB_INPUT_SIZE) {
+- struct usb_cdc_ncm_ndp_input_size ndp_in_sz;
++ struct usb_cdc_ncm_ndp_input_size *ndp_in_sz;
++
++ ndp_in_sz = kzalloc(sizeof(*ndp_in_sz), GFP_KERNEL);
++ if (!ndp_in_sz) {
++ err = -ENOMEM;
++ goto size_err;
++ }
+
+ req.wLength = 8;
+- ndp_in_sz.dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
+- ndp_in_sz.wNtbInMaxDatagrams =
++ ndp_in_sz->dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
++ ndp_in_sz->wNtbInMaxDatagrams =
+ cpu_to_le16(CDC_NCM_DPT_DATAGRAMS_MAX);
+- ndp_in_sz.wReserved = 0;
+- err = cdc_ncm_do_request(ctx, &req, &ndp_in_sz, 0, NULL,
++ ndp_in_sz->wReserved = 0;
++ err = cdc_ncm_do_request(ctx, &req, ndp_in_sz, 0, NULL,
+ 1000);
++ kfree(ndp_in_sz);
+ } else {
+- __le32 dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
++ __le32 *dwNtbInMaxSize;
++ dwNtbInMaxSize = kzalloc(sizeof(*dwNtbInMaxSize),
++ GFP_KERNEL);
++ if (!dwNtbInMaxSize) {
++ err = -ENOMEM;
++ goto size_err;
++ }
++ *dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
+
+ req.wLength = 4;
+- err = cdc_ncm_do_request(ctx, &req, &dwNtbInMaxSize, 0,
++ err = cdc_ncm_do_request(ctx, &req, dwNtbInMaxSize, 0,
+ NULL, 1000);
++ kfree(dwNtbInMaxSize);
+ }
+
++size_err:
+ if (err)
+ pr_debug("Setting NTB Input Size failed\n");
+ }
+@@ -362,9 +378,16 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
+
+ /* set Max Datagram Size (MTU) */
+ if (flags & USB_CDC_NCM_NCAP_MAX_DATAGRAM_SIZE) {
+- __le16 max_datagram_size;
++ __le16 *max_datagram_size;
+ u16 eth_max_sz = le16_to_cpu(ctx->ether_desc->wMaxSegmentSize);
+
++ max_datagram_size = kzalloc(sizeof(*max_datagram_size),
++ GFP_KERNEL);
++ if (!max_datagram_size) {
++ err = -ENOMEM;
++ goto max_dgram_err;
++ }
++
+ req.bmRequestType = USB_TYPE_CLASS | USB_DIR_IN |
+ USB_RECIP_INTERFACE;
+ req.bNotificationType = USB_CDC_GET_MAX_DATAGRAM_SIZE;
+@@ -372,13 +395,17 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
+ req.wIndex = cpu_to_le16(iface_no);
+ req.wLength = cpu_to_le16(2);
+
+- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size, 0, NULL,
++ err = cdc_ncm_do_request(ctx, &req, max_datagram_size, 0, NULL,
+ 1000);
++
+ if (err) {
+ pr_debug("GET_MAX_DATAGRAM_SIZE failed, use size=%u\n",
+ CDC_NCM_MIN_DATAGRAM_SIZE);
++ kfree(max_datagram_size);
+ } else {
+- ctx->max_datagram_size = le16_to_cpu(max_datagram_size);
++ ctx->max_datagram_size =
++ le16_to_cpu(*max_datagram_size);
++
+ /* Check Eth descriptor value */
+ if (eth_max_sz < CDC_NCM_MAX_DATAGRAM_SIZE) {
+ if (ctx->max_datagram_size > eth_max_sz)
+@@ -401,10 +428,13 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
+ req.wValue = 0;
+ req.wIndex = cpu_to_le16(iface_no);
+ req.wLength = 2;
+- max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
++ *max_datagram_size =
++ cpu_to_le16(ctx->max_datagram_size);
+
+- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size,
++ err = cdc_ncm_do_request(ctx, &req, max_datagram_size,
+ 0, NULL, 1000);
++ kfree(max_datagram_size);
++max_dgram_err:
+ if (err)
+ pr_debug("SET_MAX_DATAGRAM_SIZE failed\n");
+ }
+--
+1.7.6
+
diff --git a/kernel.spec b/kernel.spec
index fc65365..f98dca7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -84,7 +84,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 0
# The git snapshot level
-%define gitrev 16
+%define gitrev 17
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@@ -681,6 +681,9 @@ Patch12018: neuter_intel_microcode_load.patch
Patch12021: udlfb-bind-framebuffer-to-interface.patch
+Patch12022: fix-cdc-ncm-dma-stack-vars.patch
+Patch12023: ums-realtek-driver-uses-stack-memory-for-DMA.patch
+
# Runtime power management
Patch12203: linux-2.6-usb-pci-autosuspend.patch
Patch12204: linux-2.6-enable-more-pci-autosuspend.patch
@@ -1255,6 +1258,8 @@ ApplyPatch add-appleir-usb-driver.patch
ApplyPatch neuter_intel_microcode_load.patch
ApplyPatch udlfb-bind-framebuffer-to-interface.patch
+ApplyPatch fix-cdc-ncm-dma-stack-vars.patch
+ApplyPatch ums-realtek-driver-uses-stack-memory-for-DMA.patch
# Runtime PM
#ApplyPatch linux-2.6-usb-pci-autosuspend.patch
@@ -1509,7 +1514,7 @@ BuildKernel() {
}
collect_modules_list networking \
- 'register_netdev|ieee80211_register_hw|usbnet_probe|phy_driver_register'
+ 'register_netdev|ieee80211_register_hw|usbnet_probe|phy_driver_register|rt2x00(pci|usb)_probe'
collect_modules_list block \
'ata_scsi_ioctl|scsi_add_host|scsi_add_host_with_dma|blk_init_queue|register_mtd_blktrans|scsi_esp_register|scsi_register_device_handler'
collect_modules_list drm \
@@ -1886,6 +1891,13 @@ fi
# || ||
%changelog
* Tue Aug 02 2011 Josh Boyer <jwboyer at redhat.com>
+- Linux 3.0-git17
+- Add patch to fix backtrace in cdc_ncm driver (rhbz 720128)
+- Add patch to fix backtrace in usm-realtek driver (rhbz 720054)
+- Add change from Yanko Kaneti to get the rt2x00 drivers in modules.networking
+ (rhbz 708314)
+
+* Tue Aug 02 2011 Josh Boyer <jwboyer at redhat.com>
- Linux 3.0-git16
* Mon Aug 01 2011 Josh Boyer <jwboyer at redhat.com>
diff --git a/sources b/sources
index 3b4fb8a..e6aa8c1 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
398e95866794def22b12dfbc15ce89c0 linux-3.0.tar.bz2
-eadb090fc532027c618cf81b18bb6a04 patch-3.0-git16.bz2
+038198e0406fd87c5dd9a1e6312bfb47 patch-3.0-git17.bz2
diff --git a/ums-realtek-driver-uses-stack-memory-for-DMA.patch b/ums-realtek-driver-uses-stack-memory-for-DMA.patch
new file mode 100644
index 0000000..98c8b0c
--- /dev/null
+++ b/ums-realtek-driver-uses-stack-memory-for-DMA.patch
@@ -0,0 +1,143 @@
+From patchwork Tue Aug 2 05:04:11 2011
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: ums-realtek driver uses stack memory for DMA
+Date: Tue, 02 Aug 2011 05:04:11 -0000
+From: Adam Cozzette <acozzette at cs.hmc.edu>
+X-Patchwork-Id: 1028062
+Message-Id: <20110802050411.GC3857@[192.168.0.12]>
+To: Josh Boyer <jwboyer at redhat.com>
+Cc: edwin_rong <edwin_rong at realsil.com.cn>, wwang <wei_wang at realsil.com.cn>,
+ Greg Kroah-Hartman <gregkh at suse.de>, linux-usb at vger.kernel.org,
+ linux-kernel at vger.kernel.org
+
+On Mon, Aug 01, 2011 at 05:09:06PM -0400, Josh Boyer wrote:
+> Hello,
+>
+> We have a report that the ums-realtek driver is generating a backtrace
+> due to using stack variables for DMA buffers. The backtrace is below
+> and you can view the bug report here:
+> https://bugzilla.redhat.com/show_bug.cgi?id=720054
+>
+> Looking through the code, it seems that every call to rts51x_read_mem,
+> rts51x_write_mem, and rts51x_read_status passes a stack variable to
+> rts51x_bulk_transport, which then calls usb_stor_bulk_transfer_buf with
+> this and generates the backtrace. It is my understanding that the
+> driver should be passing variables that are not on the stack and have
+> been allocated with memory that will be suitable for the DMA api (e.g.
+> kmalloc).
+>
+> Was this missed during the initial review and is anyone working on
+> adapting the driver to be compliant?
+
+Could you try out this patch if it looks ok to you? I have not tested it because
+unfortunately I don't have the hardware. Right now it generates some compile
+warnings like this one:
+
+drivers/usb/storage/realtek_cr.c:419:40: warning: ‘buf[0]’ may be used uninitialized in this function [-Wuninitialized]
+
+It think they are harmless but I didn't see an obvious way to get rid of them,
+so if you have any suggestions I would be glad to hear them.
+
+This patch changed rts51x_read_mem, rts51x_write_mem, and rts51x_read_status to
+allocate temporary buffers with kmalloc. This way stack addresses are not used
+for DMA when these functions call rts51x_bulk_transport.
+
+Signed-off-by: Adam Cozzette <acozzette at cs.hmc.edu>
+
+---
+realtek_cr.c | 35 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/
+
+diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c
+index 34adc4b..232167a 100644
+--- a/drivers/usb/storage/realtek_cr.c
++++ b/drivers/usb/storage/realtek_cr.c
+@@ -320,6 +320,11 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
+ {
+ int retval;
+ u8 cmnd[12] = { 0 };
++ u8 *buf;
++
++ buf = kmalloc(len, GFP_NOIO);
++ if (buf == NULL)
++ return USB_STOR_TRANSPORT_ERROR;
+
+ US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
+
+@@ -331,10 +336,14 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
+ cmnd[5] = (u8) len;
+
+ retval = rts51x_bulk_transport(us, 0, cmnd, 12,
+- data, len, DMA_FROM_DEVICE, NULL);
+- if (retval != USB_STOR_TRANSPORT_GOOD)
++ buf, len, DMA_FROM_DEVICE, NULL);
++ if (retval != USB_STOR_TRANSPORT_GOOD) {
++ kfree(buf);
+ return -EIO;
++ }
+
++ memcpy(data, buf, len);
++ kfree(buf);
+ return 0;
+ }
+
+@@ -342,6 +351,12 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
+ {
+ int retval;
+ u8 cmnd[12] = { 0 };
++ u8 *buf;
++
++ buf = kmalloc(len, GFP_NOIO);
++ if (buf == NULL)
++ return USB_STOR_TRANSPORT_ERROR;
++ memcpy(buf, data, len);
+
+ US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
+
+@@ -353,7 +368,8 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
+ cmnd[5] = (u8) len;
+
+ retval = rts51x_bulk_transport(us, 0, cmnd, 12,
+- data, len, DMA_TO_DEVICE, NULL);
++ buf, len, DMA_TO_DEVICE, NULL);
++ kfree(buf);
+ if (retval != USB_STOR_TRANSPORT_GOOD)
+ return -EIO;
+
+@@ -365,6 +381,11 @@ static int rts51x_read_status(struct us_data *us,
+ {
+ int retval;
+ u8 cmnd[12] = { 0 };
++ u8 *buf;
++
++ buf = kmalloc(len, GFP_NOIO);
++ if (buf == NULL)
++ return USB_STOR_TRANSPORT_ERROR;
+
+ US_DEBUGP("%s, lun = %d\n", __func__, lun);
+
+@@ -372,10 +393,14 @@ static int rts51x_read_status(struct us_data *us,
+ cmnd[1] = 0x09;
+
+ retval = rts51x_bulk_transport(us, lun, cmnd, 12,
+- status, len, DMA_FROM_DEVICE, actlen);
+- if (retval != USB_STOR_TRANSPORT_GOOD)
++ buf, len, DMA_FROM_DEVICE, actlen);
++ if (retval != USB_STOR_TRANSPORT_GOOD) {
++ kfree(buf);
+ return -EIO;
++ }
+
++ memcpy(status, buf, len);
++ kfree(buf);
+ return 0;
+ }
+
More information about the scm-commits
mailing list