From patchwork Mon Aug 19 20:37:27 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Gimpelevich
 <daniel@gimpelevich.san-francisco.ca.us>
X-Patchwork-Id: 268306
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 5C8E52C00E6
	for <patchwork-incoming@ozlabs.org>;
	Tue, 20 Aug 2013 06:37:47 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751128Ab3HSUhe (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Mon, 19 Aug 2013 16:37:34 -0400
Received: from mail-pd0-f182.google.com ([209.85.192.182]:59426 "EHLO
	mail-pd0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751131Ab3HSUhb (ORCPT
	<rfc822;netdev@vger.kernel.org>); Mon, 19 Aug 2013 16:37:31 -0400
Received: by mail-pd0-f182.google.com with SMTP id r10so4737786pdi.27
	for <netdev@vger.kernel.org>; Mon, 19 Aug 2013 13:37:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=x-gm-message-state:message-id:subject:from:to:date
	:disposition-notification-to:content-type:content-transfer-encoding
	:mime-version;
	bh=Nk7cEQ9OlxXX+5Hvi8EJcYpmHkCI422zdF4p0y1qI/k=;
	b=KkYGkg8v+KQyjMglzS6251M8uMe3b8pytZnVxh22cQBdjN2LODe+j3wOHL6Ba1Rjpe
	iGbOHJi//wJ6ocLfiNdw96Y9G7ROC90xlMaANntCs3u0FigBvEkf6jOBcnMN4iCVa2Y7
	WjNAefHu6JKTq9FB43RkbkhGrTZTUjP7yDqBx8RAhgBcUkTnLAoH/cmH4jytn2SYo1dG
	KRAQ8cR9uS0Yf0w3kIKiQ7F6j6Zt/ulZoIqIEyeaT8WjbU17Ep1sspVotvYczkGmWx1M
	m/XpZLneeBPovjzvzdkMK4oRNS2UJylikrhVgylQxTdYCMXftOOlmOuCU6cc2ZIt/pME
	aeBg==
X-Gm-Message-State: 
 ALoCoQlPhKExXkKX4rF/o1+nCP6HJq1p3A/uR8VJKCq25PKamojnYaIKa1bTw0uYY8sFjg7+eDhJ
X-Received: by 10.68.34.165 with SMTP id a5mr4566524pbj.156.1376944651452;
	Mon, 19 Aug 2013 13:37:31 -0700 (PDT)
Received: from [192.168.254.5] (70-36-141-91.dsl.dynamic.sonic.net.
	[70.36.141.91]) by mx.google.com with ESMTPSA id
	w6sm16928933pbt.32.1969.12.31.16.00.00
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Mon, 19 Aug 2013 13:37:30 -0700 (PDT)
Message-ID: <1376944647.5082.12.camel@chimera>
Subject: [PATCH] Fix stack corruption on some architectures
From: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
To: Jan Dumon <j.dumon@option.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-usb@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Date: Mon, 19 Aug 2013 13:37:27 -0700
X-Mailer: Evolution 3.2.3-0ubuntu6 
Mime-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

There is no need to get an interface specification if we know it's the
wrong one; trivial change. The big thing, though, was explained in the
#mipslinux IRC channel: 
[Mon 2013-08-19 12:28:21 PM PDT] <headless> guys, are you sure it's not "DMA off stack" case?
[Mon 2013-08-19 12:28:35 PM PDT] <headless> it's a known stack corruptor on non-coherent arches
[Mon 2013-08-19 12:31:48 PM PDT] <DonkeyHotei> headless: for usb/ehci?
[Mon 2013-08-19 12:34:11 PM PDT] <DonkeyHotei> headless: explain
[Mon 2013-08-19 12:35:38 PM PDT] <headless> usb_control_msg() (or other such func) should not use buffer on stack. DMA from/to stack is prohibited
[Mon 2013-08-19 12:35:58 PM PDT] <headless> and EHCI uses DMA on control xfers (as well as all the others)

Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/hso.c |   15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index cba1d46..86292e6 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2816,13 +2816,16 @@ exit:
 static int hso_get_config_data(struct usb_interface *interface)
 {
 	struct usb_device *usbdev = interface_to_usbdev(interface);
-	u8 config_data[17];
+	u8 *config_data = kmalloc(17, GFP_KERNEL);
 	u32 if_num = interface->altsetting->desc.bInterfaceNumber;
 	s32 result;
 
+	if (!config_data)
+		return -ENOMEM;
 	if (usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
 			    0x86, 0xC0, 0, 0, config_data, 17,
 			    USB_CTRL_SET_TIMEOUT) != 0x11) {
+		kfree(config_data);
 		return -EIO;
 	}
 
@@ -2873,6 +2876,7 @@ static int hso_get_config_data(struct usb_interface *interface)
 	if (config_data[16] & 0x1)
 		result |= HSO_INFO_CRC_BUG;
 
+	kfree(config_data);
 	return result;
 }
 
@@ -2886,6 +2890,11 @@ static int hso_probe(struct usb_interface *interface,
 	struct hso_shared_int *shared_int;
 	struct hso_device *tmp_dev = NULL;
 
+	if (interface->cur_altsetting->desc.bInterfaceClass != 0xFF) {
+		dev_err(&interface->dev, "Not our interface\n");
+		return -ENODEV;
+	}
+
 	if_num = interface->altsetting->desc.bInterfaceNumber;
 
 	/* Get the interface/port specification from either driver_info or from
@@ -2895,10 +2904,6 @@ static int hso_probe(struct usb_interface *interface,
 	else
 		port_spec = hso_get_config_data(interface);
 
-	if (interface->cur_altsetting->desc.bInterfaceClass != 0xFF) {
-		dev_err(&interface->dev, "Not our interface\n");
-		return -ENODEV;
-	}
 	/* Check if we need to switch to alt interfaces prior to port
 	 * configuration */
 	if (interface->num_altsetting > 1)