From patchwork Sat Feb 16 23:00:16 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jussi Kivilinna X-Patchwork-Id: 2152651 Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork2.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork2.kernel.org (Postfix) with ESMTP id C38FADF2A1 for ; Sat, 16 Feb 2013 23:11:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754754Ab3BPXLW (ORCPT ); Sat, 16 Feb 2013 18:11:22 -0500 Received: from sd-mail-sa-02.sanoma.fi ([158.127.18.162]:34234 "EHLO sd-mail-sa-02.sanoma.fi" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754752Ab3BPXLW (ORCPT ); Sat, 16 Feb 2013 18:11:22 -0500 X-Greylist: delayed 662 seconds by postgrey-1.27 at vger.kernel.org; Sat, 16 Feb 2013 18:11:21 EST Received: from localhost (localhost [127.0.0.1]) by sd-mail-sa-02.sanoma.fi (Postfix) with ESMTP id D00B33FC4E4; Sun, 17 Feb 2013 01:00:17 +0200 (EET) Received: from sd-mail-sa-02.sanoma.fi ([127.0.0.1]) by localhost (sd-mail-sa-02.sanoma.fi [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fjpgn0+sXQ4n; Sun, 17 Feb 2013 01:00:17 +0200 (EET) Received: from hayate.dalek.fi (dyn2-85-23-163-221.psoas.suomi.net [85.23.163.221]) (Authenticated sender: axh) by sd-mail-sa-02.sanoma.fi (Postfix) with ESMTPSA id 6AFA23FC498; Sun, 17 Feb 2013 01:00:17 +0200 (EET) Received: from fate.lan ([10.0.0.10] helo=fate) by hayate.dalek.fi with esmtp (Exim 4.72) (envelope-from ) id 1U6qjx-0001sI-1x; Sun, 17 Feb 2013 01:00:17 +0200 Received: from localhost6.localdomain6 (unknown [127.0.0.1]) by fate (Postfix) with ESMTP id 0816F20086D; Sun, 17 Feb 2013 01:00:17 +0200 (EET) Subject: [PATCH] rtlwifi: usb: allocate URB control message setup_packet and data buffer separately To: linux-wireless@vger.kernel.org From: Jussi Kivilinna Cc: stable@vger.kernel.org, Larry Finger Date: Sun, 17 Feb 2013 01:00:16 +0200 Message-ID: <20130216230016.15041.99979.stgit@localhost6.localdomain6> User-Agent: StGit/0.16 MIME-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org rtlwifi allocates both setup_packet and data buffer of control message urb, using shared kmalloc in _usbctrl_vendorreq_async_write. Structure used for allocating is: struct { u8 data[254]; struct usb_ctrlrequest dr; }; Because 'struct usb_ctrlrequest' is __packed, setup packet is unaligned and DMA mapping of both 'data' and 'dr' confuses ARM/sunxi, leading to memory corruptions and freezes. Patch changes setup packet to be allocated separately. Cc: Signed-off-by: Jussi Kivilinna --- drivers/net/wireless/rtlwifi/usb.c | 44 +++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 16 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/net/wireless/rtlwifi/usb.c b/drivers/net/wireless/rtlwifi/usb.c index 476eaef..d98fcdb 100644 --- a/drivers/net/wireless/rtlwifi/usb.c +++ b/drivers/net/wireless/rtlwifi/usb.c @@ -42,8 +42,12 @@ static void usbctrl_async_callback(struct urb *urb) { - if (urb) - kfree(urb->context); + if (urb) { + /* free dr */ + kfree(urb->setup_packet); + /* free databuf */ + kfree(urb->transfer_buffer); + } } static int _usbctrl_vendorreq_async_write(struct usb_device *udev, u8 request, @@ -55,39 +59,47 @@ static int _usbctrl_vendorreq_async_write(struct usb_device *udev, u8 request, u8 reqtype; struct usb_ctrlrequest *dr; struct urb *urb; - struct rtl819x_async_write_data { - u8 data[REALTEK_USB_VENQT_MAX_BUF_SIZE]; - struct usb_ctrlrequest dr; - } *buf; + const u16 databuf_maxlen = REALTEK_USB_VENQT_MAX_BUF_SIZE; + u8 *databuf; + + if (WARN_ON(len > databuf_maxlen)) + len = databuf_maxlen; pipe = usb_sndctrlpipe(udev, 0); /* write_out */ reqtype = REALTEK_USB_VENQT_WRITE; - buf = kmalloc(sizeof(*buf), GFP_ATOMIC); - if (!buf) + dr = kmalloc(sizeof(*dr), GFP_ATOMIC); + if (!dr) return -ENOMEM; + databuf = kmalloc(databuf_maxlen, GFP_ATOMIC); + if (!databuf) { + kfree(dr); + return -ENOMEM; + } + urb = usb_alloc_urb(0, GFP_ATOMIC); if (!urb) { - kfree(buf); + kfree(databuf); + kfree(dr); return -ENOMEM; } - dr = &buf->dr; - dr->bRequestType = reqtype; dr->bRequest = request; dr->wValue = cpu_to_le16(value); dr->wIndex = cpu_to_le16(index); dr->wLength = cpu_to_le16(len); /* data are already in little-endian order */ - memcpy(buf, pdata, len); + memcpy(databuf, pdata, len); usb_fill_control_urb(urb, udev, pipe, - (unsigned char *)dr, buf, len, - usbctrl_async_callback, buf); + (unsigned char *)dr, databuf, len, + usbctrl_async_callback, NULL); rc = usb_submit_urb(urb, GFP_ATOMIC); - if (rc < 0) - kfree(buf); + if (rc < 0) { + kfree(databuf); + kfree(dr); + } usb_free_urb(urb); return rc; }