linux-wireless.vger.kernel.org archive mirror
From: Larry Finger <Larry.Finger@lwfinger.net>
To: Greg KH <greg@kroah.com>
Cc: Eric Valette <eric.valette@free.fr>,
	FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>,
	"John W. Linville" <linville@tuxdriver.com>,
	linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-usb@vger.kernel.org, Hin-Tak Leung <hintak.leung@gmail.com>
Subject: Re: DMA debug trace pointing to rtl8187
Date: Sat, 09 May 2009 12:29:27 -0500
Message-ID: <4A05BD77.9020003@lwfinger.net>
In-Reply-To: <20090506064513.GA7460@kroah.com>

Greg KH wrote:
> 
> The problem is in the rtl8187 driver.
> 
> They are calling usb_control_msg and passing a pointer to a buffer on
> the stack.  See drivers/net/wireless/rtl818x/rtl8187.h for where the
> problem happens in numerous places.
> 
> Also it looks like rtl8225_write_8051() is incorrect.  You are passing a
> pointer to a variable that was passed as an argument.  I don't know
> where that is supposed to be on, somewhere on the stack I guess.
> 
> Larry, care to fix this up?

Yes, I'll try to fix it. I'm currently traveling and have intermittent Internet
access.

I think there is a second problem that John's fix does not treat. Although the
buffer is removed from the stack, there is no assurance that the buffer obtained
with kmalloc() is reachable by DMA. This case will be triggered if the USB
adapter does 32-bit DMA and the system has more than 4 GB RAM.

Please let me know if my analysis is wrong. If so, then John's patch will be
fine, although the error handling should be improved. The severity should be
that of a warning rather than a bug. If I'm correct, my fix would be to allocate
a DMA-reachable buffer in the initialization and keep a pointer to it in the
private area.

I just saw John's version 2 that looks more like what I was thinking about. I
will be testing soon.

Thanks,

Larry
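
The pattern discussed in this message, a local variable or a by-value argument passed by address as the data pointer of usb_control_msg(), can be searched for mechanically. The following heuristic checker is an added example, not part of the original message and not code from the rtl8187 driver. The C sample it scans is constructed, and every name in it (demo_*, DEMO_*, io_buf) is hypothetical. It covers only the `&variable` form; local arrays passed by name and casts are not handled.

```python
import re

# Constructed sample; all names (demo_*, DEMO_*, io_buf) are hypothetical, not driver code.
SAMPLE = """
static u8 demo_read8(struct demo_priv *priv, u16 addr)
{
    u8 val;
    usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), DEMO_REQ_GET,
                    DEMO_REQT_READ, addr, 0, &val, sizeof(val), HZ / 2);
    return val;
}
static void demo_write16(struct demo_priv *priv, u16 addr, __le16 data)
{
    usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), DEMO_REQ_SET,
                    DEMO_REQT_WRITE, addr, 0, &data, sizeof(data), HZ / 2);
}
static u8 demo_read8_fixed(struct demo_priv *priv, u16 addr)
{
    usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), DEMO_REQ_GET,
                    DEMO_REQT_READ, addr, 0, priv->io_buf, 1, HZ / 2);
    return priv->io_buf[0];
}
"""

FUNC = re.compile(r'^[\w \*]+?\b(\w+)\(([^)]*)\)\s*\{(.*?)^\}', re.M | re.S)
DECL = re.compile(r'^\s+(?!return\b)(?:\w+\s+)+\**(\w+)\s*(?:=[^;]*)?;', re.M)

def call_args(text, start):
    """Split the call whose '(' is at text[start] on its top-level commas."""
    depth, args = 0, ['']
    for ch in text[start:]:
        depth += (ch == '(') - (ch == ')')
        if depth == 0:
            break
        if ch == ',' and depth == 1:
            args.append('')
        elif not (ch == '(' and depth == 1):
            args[-1] += ch
    return [a.strip() for a in args]

def stack_buffers(source):
    """Return (function, data_arg) for calls passing &param or &local as the data pointer."""
    findings = []
    for name, params, body in FUNC.findall(source):
        on_stack = set(re.findall(r'(\w+)\s*(?:,|$)', params)) | set(DECL.findall(body))
        for call in re.finditer(r'\busb_control_msg\s*(?=\()', body):
            args = call_args(body, call.end())  # data pointer is the 7th of 9 arguments
            m = re.fullmatch(r'&\s*(\w+)', args[6]) if len(args) == 9 else None
            if m and m.group(1) in on_stack:
                findings.append((name, args[6]))
    return findings
```

Running `stack_buffers(SAMPLE)` reports the two functions that pass `&val` and `&data`, and leaves alone the variant that uses a buffer held in the private structure.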

