[kernel/f16] Add patches for rhbz 720128,720054
Josh Boyer
jwboyer at fedoraproject.org
Wed Aug 3 12:27:10 UTC 2011
commit b91dd47839b4f61cd471f50913f64392dcfdf406
Author: Josh Boyer <jwboyer at redhat.com>
Date: Wed Aug 3 08:07:37 2011 -0400
Add patches for rhbz 720128,720054
fix-cdc-ncm-dma-stack-vars.patch | 114 ++++++++++++++++++++
kernel.spec | 9 ++
ums-realtek-driver-uses-stack-memory-for-DMA.patch | 96 ++++++++++++++++
3 files changed, 219 insertions(+), 0 deletions(-)
---
diff --git a/fix-cdc-ncm-dma-stack-vars.patch b/fix-cdc-ncm-dma-stack-vars.patch
new file mode 100644
index 0000000..7f46a00
--- /dev/null
+++ b/fix-cdc-ncm-dma-stack-vars.patch
@@ -0,0 +1,114 @@
+commit d072ef23b8ee6bcabc00beff0b5702e704a473cb
+Author: Josh Boyer <jwboyer at redhat.com>
+Date: Tue Aug 2 08:09:56 2011 -0400
+
+ usbnet/cdc_ncm: Don't use stack variables for DMA buffers
+
+ The cdc_ncm driver still has a few places where stack variables are passed
+ to the cdc_ncm_do_request function. This triggers a stack trace in
+ lib/dma-debug.c if the CONFIG_DEBUG_DMA_API option is set.
+
+ Adjust these calls to pass parameters that have been allocated with kzalloc.
+
+ Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index fd622a6..96dd386 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -260,23 +260,38 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
+ req.wIndex = cpu_to_le16(iface_no);
+
+ if (flags & USB_CDC_NCM_NCAP_NTB_INPUT_SIZE) {
+- struct usb_cdc_ncm_ndp_input_size ndp_in_sz;
++ struct usb_cdc_ncm_ndp_input_size *ndp_in_sz;
++
++ ndp_in_sz = kzalloc(sizeof(*ndp_in_sz), GFP_KERNEL);
++ if (!ndp_in_sz) {
++ err = -ENOMEM;
++ goto size_err;
++ }
+
+ req.wLength = 8;
+- ndp_in_sz.dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
+- ndp_in_sz.wNtbInMaxDatagrams =
++ ndp_in_sz->dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
++ ndp_in_sz->wNtbInMaxDatagrams =
+ cpu_to_le16(CDC_NCM_DPT_DATAGRAMS_MAX);
+- ndp_in_sz.wReserved = 0;
+- err = cdc_ncm_do_request(ctx, &req, &ndp_in_sz, 0, NULL,
++ ndp_in_sz->wReserved = 0;
++ err = cdc_ncm_do_request(ctx, &req, ndp_in_sz, 0, NULL,
+ 1000);
++ kfree(ndp_in_sz);
+ } else {
+- __le32 dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
++ __le32 *dwNtbInMaxSize;
++ dwNtbInMaxSize = kzalloc(sizeof(*dwNtbInMaxSize), GFP_KERNEL);
++ if (!dwNtbInMaxSize) {
++ err = -ENOMEM;
++ goto size_err;
++ }
++ *dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
+
+ req.wLength = 4;
+- err = cdc_ncm_do_request(ctx, &req, &dwNtbInMaxSize, 0,
++ err = cdc_ncm_do_request(ctx, &req, dwNtbInMaxSize, 0,
+ NULL, 1000);
++ kfree(dwNtbInMaxSize);
+ }
+
++size_err:
+ if (err)
+ pr_debug("Setting NTB Input Size failed\n");
+ }
+@@ -362,9 +377,15 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
+
+ /* set Max Datagram Size (MTU) */
+ if (flags & USB_CDC_NCM_NCAP_MAX_DATAGRAM_SIZE) {
+- __le16 max_datagram_size;
++ __le16 *max_datagram_size;
+ u16 eth_max_sz = le16_to_cpu(ctx->ether_desc->wMaxSegmentSize);
+
++ max_datagram_size = kzalloc(sizeof(*max_datagram_size), GFP_KERNEL);
++ if (!max_datagram_size) {
++ err = -ENOMEM;
++ goto max_dgram_err;
++ }
++
+ req.bmRequestType = USB_TYPE_CLASS | USB_DIR_IN |
+ USB_RECIP_INTERFACE;
+ req.bNotificationType = USB_CDC_GET_MAX_DATAGRAM_SIZE;
+@@ -372,13 +393,15 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
+ req.wIndex = cpu_to_le16(iface_no);
+ req.wLength = cpu_to_le16(2);
+
+- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size, 0, NULL,
++ err = cdc_ncm_do_request(ctx, &req, max_datagram_size, 0, NULL,
+ 1000);
++
+ if (err) {
+ pr_debug("GET_MAX_DATAGRAM_SIZE failed, use size=%u\n",
+ CDC_NCM_MIN_DATAGRAM_SIZE);
++ kfree(max_datagram_size);
+ } else {
+- ctx->max_datagram_size = le16_to_cpu(max_datagram_size);
++ ctx->max_datagram_size = le16_to_cpu(*max_datagram_size);
+ /* Check Eth descriptor value */
+ if (eth_max_sz < CDC_NCM_MAX_DATAGRAM_SIZE) {
+ if (ctx->max_datagram_size > eth_max_sz)
+@@ -401,10 +424,12 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
+ req.wValue = 0;
+ req.wIndex = cpu_to_le16(iface_no);
+ req.wLength = 2;
+- max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
++ *max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
+
+- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size,
++ err = cdc_ncm_do_request(ctx, &req, max_datagram_size,
+ 0, NULL, 1000);
++ kfree(max_datagram_size);
++max_dgram_err:
+ if (err)
+ pr_debug("SET_MAX_DATAGRAM_SIZE failed\n");
+ }
diff --git a/kernel.spec b/kernel.spec
index c2d30b1..2016b0e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -688,6 +688,9 @@ Patch12020: linux-2.6-zd1211rw-fix-invalid-signal-values-from-device.patch
Patch12021: udlfb-bind-framebuffer-to-interface.patch
+Patch12022: fix-cdc-ncm-dma-stack-vars.patch
+Patch12023: ums-realtek-driver-uses-stack-memory-for-DMA.patch
+
# Runtime power management
Patch12203: linux-2.6-usb-pci-autosuspend.patch
Patch12204: linux-2.6-enable-more-pci-autosuspend.patch
@@ -1271,6 +1274,8 @@ ApplyPatch neuter_intel_microcode_load.patch
ApplyPatch linux-2.6-rt2x00-Add-device-ID-for-RT539F-device.patch
ApplyPatch udlfb-bind-framebuffer-to-interface.patch
+ApplyPatch fix-cdc-ncm-dma-stack-vars.patch
+ApplyPatch ums-realtek-driver-uses-stack-memory-for-DMA.patch
# Runtime PM
#ApplyPatch linux-2.6-usb-pci-autosuspend.patch
@@ -1897,6 +1902,10 @@ fi
# and build.
%changelog
+* Wed Aug 03 2011 Josh Boyer <jwboyer at redhat.com>
+- Add patch to fix backtrace in cdc_ncm driver (rhbz 720128)
+- Add patch to fix backtrace in usm-realtek driver (rhbz 720054)
+
* Tue Aug 02 2011 Josh Boyer <jwboyer at redhat.com>
- Add patch to fix HFSPlus filesystem mounting (rhbz 720771)
diff --git a/ums-realtek-driver-uses-stack-memory-for-DMA.patch b/ums-realtek-driver-uses-stack-memory-for-DMA.patch
new file mode 100644
index 0000000..2564fdb
--- /dev/null
+++ b/ums-realtek-driver-uses-stack-memory-for-DMA.patch
@@ -0,0 +1,96 @@
+commit 82e632009bb7d6b97f8cabe9918c82703f4e5cd2
+Author: Josh Boyer <jwboyer at redhat.com>
+Date: Tue Aug 2 08:37:53 2011 -0400
+
+ This patch changed rts51x_read_mem, rts51x_write_mem, and rts51x_read_status to
+ allocate temporary buffers with kmalloc. This way stack addresses are not used
+ for DMA when these functions call rts51x_bulk_transport.
+
+ Signed-off-by: Adam Cozzette <acozzette at cs.hmc.edu>
+ Backported-by: Josh Boyer <jwboyer at redhat.com>
+
+diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c
+index d509a4a..69a1bd3 100644
+--- a/drivers/usb/storage/realtek_cr.c
++++ b/drivers/usb/storage/realtek_cr.c
+@@ -285,6 +285,11 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
+ {
+ int retval;
+ u8 cmnd[12] = {0};
++ u8 *buf;
++
++ buf = kmalloc(len, GFP_NOIO);
++ if (buf == NULL)
++ return USB_STOR_TRANSPORT_ERROR;
+
+ US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
+
+@@ -296,10 +301,14 @@ static int rts51x_read_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
+ cmnd[5] = (u8)len;
+
+ retval = rts51x_bulk_transport(us, 0, cmnd, 12,
+- data, len, DMA_FROM_DEVICE, NULL);
+- if (retval != USB_STOR_TRANSPORT_GOOD)
++ buf, len, DMA_FROM_DEVICE, NULL);
++ if (retval != USB_STOR_TRANSPORT_GOOD) {
++ kfree(buf);
+ return -EIO;
++ }
+
++ memcpy(data, buf, len);
++ kfree(buf);
+ return 0;
+ }
+
+@@ -307,6 +316,12 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
+ {
+ int retval;
+ u8 cmnd[12] = {0};
++ u8 *buf;
++
++ buf = kmalloc(len, GFP_NOIO);
++ if (buf == NULL)
++ return USB_STOR_TRANSPORT_ERROR;
++ memcpy(buf, data, len);
+
+ US_DEBUGP("%s, addr = 0x%x, len = %d\n", __func__, addr, len);
+
+@@ -318,7 +333,8 @@ static int rts51x_write_mem(struct us_data *us, u16 addr, u8 *data, u16 len)
+ cmnd[5] = (u8)len;
+
+ retval = rts51x_bulk_transport(us, 0, cmnd, 12,
+- data, len, DMA_TO_DEVICE, NULL);
++ buf, len, DMA_TO_DEVICE, NULL);
++ kfree(buf);
+ if (retval != USB_STOR_TRANSPORT_GOOD)
+ return -EIO;
+
+@@ -330,6 +346,11 @@ static int rts51x_read_status(struct us_data *us,
+ {
+ int retval;
+ u8 cmnd[12] = {0};
++ u8 *buf;
++
++ buf = kmalloc(len, GFP_NOIO);
++ if (buf == NULL)
++ return USB_STOR_TRANSPORT_ERROR;
+
+ US_DEBUGP("%s, lun = %d\n", __func__, lun);
+
+@@ -337,10 +358,14 @@ static int rts51x_read_status(struct us_data *us,
+ cmnd[1] = 0x09;
+
+ retval = rts51x_bulk_transport(us, lun, cmnd, 12,
+- status, len, DMA_FROM_DEVICE, actlen);
+- if (retval != USB_STOR_TRANSPORT_GOOD)
++ buf, len, DMA_FROM_DEVICE, actlen);
++ if (retval != USB_STOR_TRANSPORT_GOOD) {
++ kfree(buf);
+ return -EIO;
++ }
+
++ memcpy(status, buf, len);
++ kfree(buf);
+ return 0;
+ }
+
More information about the scm-commits
mailing list