Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3b9561e9 authored by Stephen Warren's avatar Stephen Warren Committed by Greg Kroah-Hartman
Browse files

USB: set device dma_mask without reference to global data 



Many USB host drivers contain code such as:

if (!pdev->dev.dma_mask)
        pdev->dev.dma_mask = &tegra_ehci_dma_mask;

... where tegra_ehci_dma_mask is a global. I suspect this code originated
in commit 4a53f4e6 "USB: ehci-tegra: add probing through device tree" and
was simply copied everywhere else.

This works fine when the code is built-in, but can cause a crash when the
code is in a module. The first module load sets up the dma_mask pointer,
but if the module is removed and re-inserted, the value is now non-NULL,
and hence is not updated to point at the new location, and hence points
at a stale location within the previous module load address, which in
turn causes a crash if the pointer is de-referenced.

The simplest way of solving this seems to be to copy the code from
ehci-platform.c, which uses the coherent_dma_mask as the target for the
dma_mask pointer.

Suggested-by: default avatarArnd Bergmann <arnd@arndb.de>
Signed-off-by: default avatarStephen Warren <swarren@nvidia.com>
Acked-by: default avatarTony Prisk <linux@prisktech.co.nz>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 8ff10bdb

drivers/usb/chipidea/ci13xxx_imx.c

+4 −11
Original line number Diff line number Diff line
@@ -173,17 +173,10 @@ static int ci13xxx_imx_probe(struct platform_device *pdev) 


	ci13xxx_imx_platdata.phy = data->phy;



	if (!pdev->dev.dma_mask) {

		pdev->dev.dma_mask = devm_kzalloc(&pdev->dev,

				      sizeof(*pdev->dev.dma_mask), GFP_KERNEL);

		if (!pdev->dev.dma_mask) {

			ret = -ENOMEM;

			dev_err(&pdev->dev, "Failed to alloc dma_mask!\n");

			goto err;

		}

		*pdev->dev.dma_mask = DMA_BIT_MASK(32);

		dma_set_coherent_mask(&pdev->dev, *pdev->dev.dma_mask);

	}

	if (!pdev->dev.dma_mask)

		pdev->dev.dma_mask = &pdev->dev.coherent_dma_mask;

	if (!pdev->dev.coherent_dma_mask)

		pdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);



	if (usbmisc_ops && usbmisc_ops->init) {

		ret = usbmisc_ops->init(&pdev->dev);

drivers/usb/dwc3/dwc3-exynos.c

+3 −3
Original line number Diff line number Diff line
@@ -95,8 +95,6 @@ static int dwc3_exynos_remove_child(struct device *dev, void *unused) 
	return 0;

}



static u64 dwc3_exynos_dma_mask = DMA_BIT_MASK(32);



static int dwc3_exynos_probe(struct platform_device *pdev)

{

	struct dwc3_exynos	*exynos;
@@ -118,7 +116,9 @@ static int dwc3_exynos_probe(struct platform_device *pdev) 
	 * Once we move to full device tree support this will vanish off.

	 */

	if (!dev->dma_mask)

		dev->dma_mask = &dwc3_exynos_dma_mask;

		dev->dma_mask = &dev->coherent_dma_mask;

	if (!dev->coherent_dma_mask)

		dev->coherent_dma_mask = DMA_BIT_MASK(32);



	platform_set_drvdata(pdev, exynos);

drivers/usb/host/ehci-atmel.c

+3 −3
Original line number Diff line number Diff line
@@ -63,8 +63,6 @@ static void atmel_stop_ehci(struct platform_device *pdev) 


/*-------------------------------------------------------------------------*/



static u64 at91_ehci_dma_mask = DMA_BIT_MASK(32);



static int ehci_atmel_drv_probe(struct platform_device *pdev)

{

	struct usb_hcd *hcd;
@@ -93,7 +91,9 @@ static int ehci_atmel_drv_probe(struct platform_device *pdev) 
	 * Once we have dma capability bindings this can go away.

	 */

	if (!pdev->dev.dma_mask)

		pdev->dev.dma_mask = &at91_ehci_dma_mask;

		pdev->dev.dma_mask = &pdev->dev.coherent_dma_mask;

	if (!pdev->dev.coherent_dma_mask)

		pdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);



	hcd = usb_create_hcd(driver, &pdev->dev, dev_name(&pdev->dev));

	if (!hcd) {

drivers/usb/host/ehci-omap.c

+4 −4
Original line number Diff line number Diff line
@@ -90,8 +90,6 @@ static const struct ehci_driver_overrides ehci_omap_overrides __initdata = { 
	.extra_priv_size = sizeof(struct omap_hcd),

};



static u64 omap_ehci_dma_mask = DMA_BIT_MASK(32);



/**

 * ehci_hcd_omap_probe - initialize TI-based HCDs

 *
@@ -146,8 +144,10 @@ static int ehci_hcd_omap_probe(struct platform_device *pdev) 
	 * Since shared usb code relies on it, set it here for now.

	 * Once we have dma capability bindings this can go away.

	 */

	if (!pdev->dev.dma_mask)

		pdev->dev.dma_mask = &omap_ehci_dma_mask;

	if (!dev->dma_mask)

		dev->dma_mask = &dev->coherent_dma_mask;

	if (!dev->coherent_dma_mask)

		dev->coherent_dma_mask = DMA_BIT_MASK(32);



	hcd = usb_create_hcd(&ehci_omap_hc_driver, dev,

			dev_name(dev));

drivers/usb/host/ehci-orion.c

+3 −3
Original line number Diff line number Diff line
@@ -137,8 +137,6 @@ ehci_orion_conf_mbus_windows(struct usb_hcd *hcd, 
	}

}



static u64 ehci_orion_dma_mask = DMA_BIT_MASK(32);



static int ehci_orion_drv_probe(struct platform_device *pdev)

{

	struct orion_ehci_data *pd = pdev->dev.platform_data;
@@ -183,7 +181,9 @@ static int ehci_orion_drv_probe(struct platform_device *pdev) 
	 * now. Once we have dma capability bindings this can go away.

	 */

	if (!pdev->dev.dma_mask)

		pdev->dev.dma_mask = &ehci_orion_dma_mask;

		pdev->dev.dma_mask = &pdev->dev.coherent_dma_mask;

	if (!pdev->dev.coherent_dma_mask)

		pdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);



	if (!request_mem_region(res->start, resource_size(res),

				ehci_orion_hc_driver.description)) {