From mboxrd@z Thu Jan 1 00:00:00 1970
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Subject: [v3] NFC: pn533: don't send USB data off of the stack
From: Greg Kroah-Hartman
Message-Id: <20180518103811.GA29186@kroah.com>
Date: Fri, 18 May 2018 12:38:11 +0200
To: Arend van Spriel, Carlos Manuel Santos, Samuel Ortiz, Stephen Hemminger, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org
List-ID:

From mboxrd@z Thu Jan 1 00:00:00 1970
Return-path:
Received: from mail.kernel.org ([198.145.29.99]:40846 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752224AbeERKia (ORCPT ); Fri, 18 May 2018 06:38:30 -0400
Date: Fri, 18 May 2018 12:38:11 +0200
From: Greg Kroah-Hartman
To: Arend van Spriel, Carlos Manuel Santos, Samuel Ortiz, Stephen Hemminger, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org
Subject: [PATCH v3] NFC: pn533: don't send USB data off of the stack
Message-ID: <20180518103811.GA29186@kroah.com> (sfid-20180518_123833_527986_B52B4E21)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: linux-wireless-owner@vger.kernel.org
List-ID:

It's amazing that this driver ever worked, but now that x86 doesn't
allow USB data to be sent off of the stack, it really does not work at
all.  Fix this up by properly allocating the data for the small
"commands" that get sent to the device.

The USB stack will free the buffer when the data has been transmitted,
that is why there is no kfree() to mirror the call to kmalloc().

Reported-by: Carlos Manuel Santos
Cc: Samuel Ortiz
Cc: Stephen Hemminger
Cc: stable
Signed-off-by: Greg Kroah-Hartman
---
v3: actually use the correct buffer (thanks to Arend van Spriel)
    use kmemdup (thanks to Johannes Berg and Julia Lawall)
v2: set the urb flags correctly

 drivers/nfc/pn533/usb.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/drivers/nfc/pn533/usb.c +++ b/drivers/nfc/pn533/usb.c
@@ -150,10 +150,16 @@ static int pn533_usb_send_ack(struct pn5 struct pn533_usb_phy *phy = dev->phy; static const u8 ack[6] = {0x00, 0x00, 0xff, 0x00, 0xff, 0x00}; /* spec 7.1.1.3: Preamble, SoPC (2), ACK Code (2), Postamble */ + char *buffer; int rc; - phy->out_urb->transfer_buffer = (u8 *)ack; + buffer = kmemdup(ack, sizeof(ack), GFP_KERNEL); + if (!buffer) + return -ENOMEM; + + phy->out_urb->transfer_buffer = buffer; phy->out_urb->transfer_buffer_length = sizeof(ack); + phy->out_urb->transfer_flags |= URB_FREE_BUFFER; rc = usb_submit_urb(phy->out_urb, flags); return rc; @@ -170,6 +176,7 @@ static int pn533_usb_send_frame(struct p phy->out_urb->transfer_buffer = out->data; phy->out_urb->transfer_buffer_length = out->len; + phy->out_urb->transfer_flags &= ~URB_FREE_BUFFER; print_hex_dump_debug("PN533 TX: ", DUMP_PREFIX_NONE, 16, 1, out->data, out->len, false); @@ -375,20 +382,26 @@ static int pn533_acr122_poweron_rdr(stru /* Power on th reader (CCID cmd) */ u8 cmd[10] = {PN533_ACR122_PC_TO_RDR_ICCPOWERON, 0, 0, 0, 0, 0, 0, 3, 0, 0}; + char *buffer; int rc; void *cntx; struct pn533_acr122_poweron_rdr_arg arg; dev_dbg(&phy->udev->dev, "%s\n", __func__); + buffer = kmemdup(cmd, sizeof(cmd), GFP_KERNEL); + if (!buffer) + return -ENOMEM; + init_completion(&arg.done); cntx = phy->in_urb->context; /* backup context */ phy->in_urb->complete = pn533_acr122_poweron_rdr_resp; phy->in_urb->context = &arg; - phy->out_urb->transfer_buffer = cmd; + phy->out_urb->transfer_buffer = buffer; phy->out_urb->transfer_buffer_length = sizeof(cmd); + phy->out_urb->transfer_flags |= URB_FREE_BUFFER; print_hex_dump_debug("ACR122 TX: ", DUMP_PREFIX_NONE, 16, 1, cmd, sizeof(cmd), false);
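Review bot: In pn533_usb_send_ack() the new kmemdup(ack, sizeof(ack), GFP_KERNEL) hard-codes GFP_KERNEL, while the same function hands the caller's `flags` to usb_submit_urb(phy->out_urb, flags). If any caller passes GFP_ATOMIC, the allocation can sleep in a context where the submit was told not to. Suggest kmemdup(ack, sizeof(ack), flags) so the allocation and the submit follow the same context rule. Minor: `char *buffer` holds u8 data, so `u8 *buffer` would match ack[].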
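Review bot: The added `phy->out_urb->transfer_flags &= ~URB_FREE_BUFFER;` in pn533_usb_send_frame() clears the flag on a URB whose transfer_buffer may still have pointed at a buffer allocated by pn533_usb_send_ack() or pn533_acr122_poweron_rdr(), and two lines earlier that pointer has already been overwritten with out->data, so the earlier allocation is leaked. URB_FREE_BUFFER frees transfer_buffer when the URB itself is freed, not when a transfer completes, and phy->out_urb is reused by all three functions touched here, so the same loss occurs when send_ack() runs twice in a row and replaces its own previous buffer. Either kfree() the old transfer_buffer when the flag is set before assigning a new one, or allocate the ACK and power-on command buffers once alongside the phy and reuse them. The commit message's "will free the buffer when the data has been transmitted" and its mention of kmalloc() (the code calls kmemdup()) should be updated to match.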
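Review bot: In pn533_acr122_poweron_rdr(), cmd[] is now only the template for kmemdup() and the input to the debug dump, yet it is still a non-const array rebuilt on the stack at every call. Declaring it `static const u8 cmd[10]`, as ack[] already is in send_ack(), would make it obvious that no stack memory can reach the URB. The unchanged print_hex_dump_debug("ACR122 TX: ", ...) call still dumps cmd rather than buffer; the contents are identical, but dumping the buffer that is actually submitted keeps the trace honest if the two ever diverge. As in the first hunk, `u8 *buffer` would fit better than `char *buffer`.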