The zd1211rw driver uses unaligned stack buffer for USB control
message. But it might cause stack corruption on non-coherent
platform, such as MIPS. Use DMA-aware buffers for USB transfer.
Signed-off-by: Atsushi Nemoto <[email protected]>
---
drivers/net/wireless/zd1211rw/zd_usb.c | 20 ++++++++++++++------
1 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/zd1211rw/zd_usb.c b/drivers/net/wireless/zd1211rw/zd_usb.c
index 12e24f0..fbacfe4 100644
--- a/drivers/net/wireless/zd1211rw/zd_usb.c
+++ b/drivers/net/wireless/zd1211rw/zd_usb.c
@@ -172,7 +172,7 @@ static int upload_code(struct usb_device *udev,
r = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
USB_REQ_FIRMWARE_CONFIRM,
USB_DIR_IN | USB_TYPE_VENDOR,
- 0, 0, &ret, sizeof(ret), 5000 /* ms */);
+ 0, 0, p, sizeof(ret), 5000 /* ms */);
if (r != sizeof(ret)) {
dev_err(&udev->dev,
"control request firmeware confirmation failed."
@@ -181,6 +181,7 @@ static int upload_code(struct usb_device *udev,
r = -ENODEV;
goto error;
}
+ ret = p[0];
if (ret & 0x80) {
dev_err(&udev->dev,
"Internal error while downloading."
@@ -312,22 +313,29 @@ int zd_usb_read_fw(struct zd_usb *usb, zd_addr_t addr, u8 *data, u16 len)
{
int r;
struct usb_device *udev = zd_usb_to_usbdev(usb);
+ u8 *buf = kmalloc(len, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
r = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
USB_REQ_FIRMWARE_READ_DATA, USB_DIR_IN | 0x40, addr, 0,
- data, len, 5000);
+ buf, len, 5000);
if (r < 0) {
dev_err(&udev->dev,
"read over firmware interface failed: %d\n", r);
- return r;
+ goto exit;
} else if (r != len) {
dev_err(&udev->dev,
"incomplete read over firmware interface: %d/%d\n",
r, len);
- return -EIO;
+ r = -EIO;
+ goto exit;
}
-
- return 0;
+ r = 0;
+ memcpy(data, buf, len);
+exit:
+ kfree(buf);
+ return r;
}
#define urb_dev(urb) (&(urb)->dev->dev)
On Thursday 15 May 2008 17:12:15 Atsushi Nemoto wrote:
> @@ -312,22 +313,29 @@ int zd_usb_read_fw(struct zd_usb *usb, zd_addr_t addr, u8 *data, u16 len)
> {
> int r;
> struct usb_device *udev = zd_usb_to_usbdev(usb);
> + u8 *buf = kmalloc(len, GFP_KERNEL);
>
> + if (!buf)
> + return -ENOMEM;
Not that my opinion counts here, but I don't like the coding style of
doing work in the variable definition block.
Pointer assignments in there are OK (like the zd_usb_to_usbdev, which just
fetches a pointer), but a kmalloc() call is IMO very confusing.
But the decision whether this is OK or not is not up to me.
> r = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
> USB_REQ_FIRMWARE_READ_DATA, USB_DIR_IN | 0x40, addr, 0,
> - data, len, 5000);
> + buf, len, 5000);
> if (r < 0) {
> dev_err(&udev->dev,
> "read over firmware interface failed: %d\n", r);
> - return r;
> + goto exit;
> } else if (r != len) {
> dev_err(&udev->dev,
> "incomplete read over firmware interface: %d/%d\n",
> r, len);
> - return -EIO;
> + r = -EIO;
> + goto exit;
> }
> -
> - return 0;
> + r = 0;
> + memcpy(data, buf, len);
> +exit:
> + kfree(buf);
> + return r;
> }
--
Greetings Michael.
On Thu, 15 May 2008 15:16:47 -0400, "John W. Linville" <[email protected]> wrote:
> This looks like a reasonable fix to me. I would prefer to see a
> comment in the code indicating why you are reusing the "p" buffer
> instead of simply using "ret" directly. Also, I think the style
> suggestion by Michael Buesch would make the code appear more idiomatic
> as well.
OK, revised. Thank you for review.
------------------------------------------------------
Subject: [PATCH] zd1211rw: Use DMA-aware buffer for usb transfer
From: Atsushi Nemoto <[email protected]>
The zd1211rw driver uses unaligned stack buffer for USB control
message. But it might cause stack corruption on non-coherent
platform, such as MIPS. Use DMA-aware buffers for USB transfer.
Signed-off-by: Atsushi Nemoto <[email protected]>
---
drivers/net/wireless/zd1211rw/zd_usb.c | 23 +++++++++++++++++------
1 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/zd1211rw/zd_usb.c b/drivers/net/wireless/zd1211rw/zd_usb.c
index 12e24f0..f9a9a5d 100644
--- a/drivers/net/wireless/zd1211rw/zd_usb.c
+++ b/drivers/net/wireless/zd1211rw/zd_usb.c
@@ -169,10 +169,11 @@ static int upload_code(struct usb_device *udev,
if (flags & REBOOT) {
u8 ret;
+ /* Use "DMA-aware" buffer. */
r = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
USB_REQ_FIRMWARE_CONFIRM,
USB_DIR_IN | USB_TYPE_VENDOR,
- 0, 0, &ret, sizeof(ret), 5000 /* ms */);
+ 0, 0, p, sizeof(ret), 5000 /* ms */);
if (r != sizeof(ret)) {
dev_err(&udev->dev,
"control request firmeware confirmation failed."
@@ -181,6 +182,7 @@ static int upload_code(struct usb_device *udev,
r = -ENODEV;
goto error;
}
+ ret = p[0];
if (ret & 0x80) {
dev_err(&udev->dev,
"Internal error while downloading."
@@ -312,22 +314,31 @@ int zd_usb_read_fw(struct zd_usb *usb, zd_addr_t addr, u8 *data, u16 len)
{
int r;
struct usb_device *udev = zd_usb_to_usbdev(usb);
+ u8 *buf;
+ /* Use "DMA-aware" buffer. */
+ buf = kmalloc(len, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
r = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
USB_REQ_FIRMWARE_READ_DATA, USB_DIR_IN | 0x40, addr, 0,
- data, len, 5000);
+ buf, len, 5000);
if (r < 0) {
dev_err(&udev->dev,
"read over firmware interface failed: %d\n", r);
- return r;
+ goto exit;
} else if (r != len) {
dev_err(&udev->dev,
"incomplete read over firmware interface: %d/%d\n",
r, len);
- return -EIO;
+ r = -EIO;
+ goto exit;
}
-
- return 0;
+ r = 0;
+ memcpy(data, buf, len);
+exit:
+ kfree(buf);
+ return r;
}
#define urb_dev(urb) (&(urb)->dev->dev)
On Fri, May 16, 2008 at 12:12:15AM +0900, Atsushi Nemoto wrote:
> The zd1211rw driver uses unaligned stack buffer for USB control
> message. But it might cause stack corruption on non-coherent
> platform, such as MIPS. Use DMA-aware buffers for USB transfer.
>
> Signed-off-by: Atsushi Nemoto <[email protected]>
Nemoto,
This looks like a reasonable fix to me. I would prefer to see a
comment in the code indicating why you are reusing the "p" buffer
instead of simply using "ret" directly. Also, I think the style
suggestion by Michael Buesch would make the code appear more idiomatic
as well.
Thanks!
John
--
John W. Linville
[email protected]