1 |
From c12675f9fa817e6d452271e832692bf2bf4f300b Mon Sep 17 00:00:00 2001 |
2 |
From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> |
3 |
Date: Mon, 27 Aug 2018 17:05:14 +0530 |
4 |
Subject: [PATCH 073/145] rsi: fix memory alignment issue in ARM32 platforms |
5 |
|
6 |
[ Upstream commit baa8caf4ab7af2d9e84b566b99fe919a4e9e7562 ] |
7 |
|
8 |
During testing in ARM32 platforms, observed below kernel panic, as driver |
9 |
accessing data beyond the allocated memory while submitting URB to USB. |
10 |
|
11 |
Fix: Resolve this by specifying the correct length, taking the 64-bit |
12 |
alignment into account, so that the USB bus driver accesses only allocated memory. |
13 |
|
14 |
Unit-test: Tested and confirm that driver bring up and scanning, |
15 |
connection and data transfer works fine with this fix. |
16 |
|
17 |
...skipping... |
18 |
[ 25.389450] Unable to handle kernel paging request at virtual |
19 |
address 5aa11422 |
20 |
[ 25.403078] Internal error: Oops: 5 [#1] SMP ARM |
21 |
[ 25.407703] Modules linked in: rsi_usb |
22 |
[ 25.411473] CPU: 1 PID: 317 Comm: RX-Thread Not tainted 4.18.0-rc7 #1 |
23 |
[ 25.419221] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) |
24 |
[ 25.425764] PC is at skb_release_data+0x90/0x168 |
25 |
[ 25.430393] LR is at skb_release_all+0x28/0x2c |
26 |
[ 25.434842] pc : [<807435b0>] lr : [<80742ba0>] psr: 200e0013 5aa1141e |
27 |
[ 25.464633] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none |
28 |
[ 25.477524] Process RX-Thread (pid: 317, stack limit = 0x(ptrval)) |
29 |
[ 25.483709] Stack: (0xedf69ed8 to 0xedf6a000) |
30 |
[ 25.569907] Backtrace: |
31 |
[ 25.572368] [<80743520>] (skb_release_data) from [<80742ba0>] |
32 |
(skb_release_all+0x28/0x2c) |
33 |
[ 25.580555] r9:7f00258c r8:00000001 r7:ee355000 r6:eddab0d0 |
34 |
r5:eddab000 r4:eddbb840 |
35 |
[ 25.588308] [<80742b78>] (skb_release_all) from [<807432cc>] |
36 |
(consume_skb+0x30/0x50) |
37 |
[ 25.596055] r5:eddab000 r4:eddbb840 |
38 |
[ 25.599648] [<8074329c>] (consume_skb) from [<7f00117c>] |
39 |
(rsi_usb_rx_thread+0x64/0x12c [rsi_usb]) |
40 |
[ 25.608524] r5:eddab000 r4:eddbb840 |
41 |
[ 25.612116] [<7f001118>] (rsi_usb_rx_thread [rsi_usb]) from |
42 |
[<80142750>] (kthread+0x11c/0x15c) |
43 |
[ 25.620735] r10:ee9ff9e0 r9:edcde3b8 r8:ee355000 r7:edf68000 |
44 |
r6:edd3a780 r5:00000000 |
45 |
[ 25.628567] r4:edcde380 |
46 |
[ 25.631110] [<80142634>] (kthread) from [<801010e8>] |
47 |
(ret_from_fork+0x14/0x2c) |
48 |
[ 25.638336] Exception stack(0xedf69fb0 to 0xedf69ff8) |
49 |
[ 25.682929] ---[ end trace 8236a5496f5b5d3b ]--- |
50 |
|
51 |
Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> |
52 |
Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
53 |
Signed-off-by: Sasha Levin <sashal@kernel.org> |
54 |
--- |
55 |
drivers/net/wireless/rsi/rsi_91x_usb.c | 11 +++++++---- |
56 |
1 file changed, 7 insertions(+), 4 deletions(-) |
57 |
|
58 |
diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c |
59 |
index c0a163e40402..f360690396dd 100644 |
60 |
--- a/drivers/net/wireless/rsi/rsi_91x_usb.c |
61 |
+++ b/drivers/net/wireless/rsi/rsi_91x_usb.c |
62 |
@@ -266,15 +266,17 @@ static void rsi_rx_done_handler(struct urb *urb) |
63 |
if (urb->status) |
64 |
goto out; |
65 |
|
66 |
- if (urb->actual_length <= 0) { |
67 |
- rsi_dbg(INFO_ZONE, "%s: Zero length packet\n", __func__); |
68 |
+ if (urb->actual_length <= 0 || |
69 |
+ urb->actual_length > rx_cb->rx_skb->len) { |
70 |
+ rsi_dbg(INFO_ZONE, "%s: Invalid packet length = %d\n", |
71 |
+ __func__, urb->actual_length); |
72 |
goto out; |
73 |
} |
74 |
if (skb_queue_len(&dev->rx_q) >= RSI_MAX_RX_PKTS) { |
75 |
rsi_dbg(INFO_ZONE, "Max RX packets reached\n"); |
76 |
goto out; |
77 |
} |
78 |
- skb_put(rx_cb->rx_skb, urb->actual_length); |
79 |
+ skb_trim(rx_cb->rx_skb, urb->actual_length); |
80 |
skb_queue_tail(&dev->rx_q, rx_cb->rx_skb); |
81 |
|
82 |
rsi_set_event(&dev->rx_thread.event); |
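Review bot: The new debug line prints `urb->actual_length` with `%d`, but that field is unsigned in `struct urb`, which also makes the `<= 0` half of the test equivalent to `== 0`; I would write `if (!urb->actual_length || urb->actual_length > rx_cb->rx_skb->len) {` and use `%u` in the message. The upper-bound test is the part that matters for memory safety, since the length is reported by the device and `skb_trim()` only ever shortens the buffer, so a one-line comment such as `/* device-reported length must fit the buffer posted in rsi_rx_urb_submit() */` would keep it from being dropped in a later cleanup. The `out` label is outside this hunk, so it is worth confirming that the skb of a rejected packet is freed or reused there rather than being replaced when the URB is resubmitted.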
83 |
@@ -308,6 +310,7 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num) |
84 |
if (!skb) |
85 |
return -ENOMEM; |
86 |
skb_reserve(skb, MAX_DWORD_ALIGN_BYTES); |
87 |
+ skb_put(skb, RSI_MAX_RX_USB_PKT_SIZE - MAX_DWORD_ALIGN_BYTES); |
88 |
dword_align_bytes = (unsigned long)skb->data & 0x3f; |
89 |
if (dword_align_bytes > 0) |
90 |
skb_push(skb, dword_align_bytes); |
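Review bot: The added `skb_put()` makes `skb->len` the receive window that the third hunk passes to the URB fill call in place of `RSI_MAX_RX_USB_PKT_SIZE`, but nothing in the code says so, and the arithmetic depends on the mask `0x3f` on the next line matching `MAX_DWORD_ALIGN_BYTES`. I would add a comment above the call, for example `/* skb->len is the URB buffer length; the completion handler trims it to actual_length */`, and derive the mask as `MAX_DWORD_ALIGN_BYTES - 1` if that constant is the 64-byte alignment (presumably so; its definition is not visible here). The skb allocation is above this hunk, so the invariant that the reserved headroom plus the put length stays within the allocated size should be checked against it.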
91 |
@@ -319,7 +322,7 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num) |
92 |
usb_rcvbulkpipe(dev->usbdev, |
93 |
dev->bulkin_endpoint_addr[ep_num - 1]), |
94 |
urb->transfer_buffer, |
95 |
- RSI_MAX_RX_USB_PKT_SIZE, |
96 |
+ skb->len, |
97 |
rsi_rx_done_handler, |
98 |
rx_cb); |
99 |
|
100 |
-- |
101 |
2.19.1 |
102 |
|