In commit c359931d2545 ("can: gs_usb: use union and FLEX_ARRAY for data in struct gs_host_frame") the driver was extended from a compile time constant USB transfer size to a transfer size depending on attached USB device and configured CAN mode.
During this conversion the size parameter of some usb_free_coherent() calls were not converted. To fix this issue replace the compile time constant sizeof(struct gs_host_frame) by hf_size_{rx,tx} for RX respectively TX USB transfers.
Fixes: c359931d2545 ("can: gs_usb: use union and FLEX_ARRAY for data in struct gs_host_frame") Cc: Peter Fink pfink@christ-es.de Cc: stable@vger.kernel.org Reported-by: Ryan Edwards ryan.edwards@gmail.com Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de --- drivers/net/can/usb/gs_usb.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index cd4115a1b81c..57917955b8e4 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -699,7 +699,7 @@ static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb, return NETDEV_TX_OK;
badidx: - usb_free_coherent(dev->udev, urb->transfer_buffer_length, + usb_free_coherent(dev->udev, dev->hf_size_tx, urb->transfer_buffer, urb->transfer_dma); nomem_hf: usb_free_urb(urb); @@ -787,7 +787,7 @@ static int gs_can_open(struct net_device *netdev)
usb_unanchor_urb(urb); usb_free_coherent(dev->udev, - sizeof(struct gs_host_frame), + dev->parent->hf_size_rx, buf, buf_dma); usb_free_urb(urb); @@ -864,7 +864,7 @@ static int gs_can_close(struct net_device *netdev) usb_kill_anchored_urbs(&parent->rx_submitted); for (i = 0; i < GS_MAX_RX_URBS; i++) usb_free_coherent(dev->udev, - sizeof(struct gs_host_frame), + dev->parent->hf_size_rx, dev->rxbuf[i], dev->rxbuf_dma[i]); }
Hello Greg,
with v5.18-rc1 in commit
| c359931d2545 ("can: gs_usb: use union and FLEX_ARRAY for data in struct gs_host_frame")
a bug in the gs_usb driver in the usage of usb_free_coherent() was introduced. With v6.1-rc1
| 62f102c0d156 ("can: gs_usb: remove dma allocations")
the DMA allocation was removed altogether from the driver, fixing the bug unintentionally.
We can either cherry-pick 62f102c0d156 ("can: gs_usb: remove dma allocations") on v6.0, v5.19, and v5.18 or apply this patch, which fixes the usage of usb_free_coherent() only.
regards, Marc
On 25.11.2022 21:17:27, Marc Kleine-Budde wrote:
In commit c359931d2545 ("can: gs_usb: use union and FLEX_ARRAY for data in struct gs_host_frame") the driver was extended from a compile time constant USB transfer size to a transfer size depending on attached USB device and configured CAN mode.
During this conversion the size parameter of some usb_free_coherent() calls were not converted. To fix this issue replace the compile time constant sizeof(struct gs_host_frame) by hf_size_{rx,tx} for RX respectively TX USB transfers.
Fixes: c359931d2545 ("can: gs_usb: use union and FLEX_ARRAY for data in struct gs_host_frame") Cc: Peter Fink pfink@christ-es.de Cc: stable@vger.kernel.org Reported-by: Ryan Edwards ryan.edwards@gmail.com Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de
drivers/net/can/usb/gs_usb.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index cd4115a1b81c..57917955b8e4 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -699,7 +699,7 @@ static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb, return NETDEV_TX_OK; badidx:
- usb_free_coherent(dev->udev, urb->transfer_buffer_length,
- usb_free_coherent(dev->udev, dev->hf_size_tx, urb->transfer_buffer, urb->transfer_dma); nomem_hf: usb_free_urb(urb);
@@ -787,7 +787,7 @@ static int gs_can_open(struct net_device *netdev) usb_unanchor_urb(urb); usb_free_coherent(dev->udev,
sizeof(struct gs_host_frame),
dev->parent->hf_size_rx, buf, buf_dma); usb_free_urb(urb);@@ -864,7 +864,7 @@ static int gs_can_close(struct net_device *netdev) usb_kill_anchored_urbs(&parent->rx_submitted); for (i = 0; i < GS_MAX_RX_URBS; i++) usb_free_coherent(dev->udev,
sizeof(struct gs_host_frame),
dev->parent->hf_size_rx, dev->rxbuf[i], dev->rxbuf_dma[i]);-- 2.35.1
On Fri, Nov 25, 2022 at 09:32:17PM +0100, Marc Kleine-Budde wrote:
Hello Greg,
with v5.18-rc1 in commit
| c359931d2545 ("can: gs_usb: use union and FLEX_ARRAY for data in struct gs_host_frame")
a bug in the gs_usb driver in the usage of usb_free_coherent() was introduced. With v6.1-rc1
| 62f102c0d156 ("can: gs_usb: remove dma allocations")
the DMA allocation was removed altogether from the driver, fixing the bug unintentionally.
We can either cherry-pick 62f102c0d156 ("can: gs_usb: remove dma allocations") on v6.0, v5.19, and v5.18 or apply this patch, which fixes the usage of usb_free_coherent() only.
We should always take what is in Linus's tree, that's the best solution. Does the change backport cleanly?
And 5.19 and 5.18 are long end-of-life, no need to worry about them. Only 6.0 matters right now.
thanks,
greg k-h
On 26.11.2022 08:04:11, Greg Kroah-Hartman wrote:
On Fri, Nov 25, 2022 at 09:32:17PM +0100, Marc Kleine-Budde wrote:
Hello Greg,
with v5.18-rc1 in commit
| c359931d2545 ("can: gs_usb: use union and FLEX_ARRAY for data in struct gs_host_frame")
a bug in the gs_usb driver in the usage of usb_free_coherent() was introduced. With v6.1-rc1
| 62f102c0d156 ("can: gs_usb: remove dma allocations")
the DMA allocation was removed altogether from the driver, fixing the bug unintentionally.
We can either cherry-pick 62f102c0d156 ("can: gs_usb: remove dma allocations") on v6.0, v5.19, and v5.18 or apply this patch, which fixes the usage of usb_free_coherent() only.
We should always take what is in Linus's tree, that's the best solution.
Ok.
Does the change backport cleanly?
ACK.
And 5.19 and 5.18 are long end-of-life, no need to worry about them. Only 6.0 matters right now.
Please queue 62f102c0d156 ("can: gs_usb: remove dma allocations") for v6.0.x and add the fixes tag:
Fixes: c359931d2545 ("can: gs_usb: use union and FLEX_ARRAY for data in struct gs_host_frame")
regards, Marc
On Sat, Nov 26, 2022 at 08:26:56PM +0100, Marc Kleine-Budde wrote:
On 26.11.2022 08:04:11, Greg Kroah-Hartman wrote:
On Fri, Nov 25, 2022 at 09:32:17PM +0100, Marc Kleine-Budde wrote:
Hello Greg,
with v5.18-rc1 in commit
| c359931d2545 ("can: gs_usb: use union and FLEX_ARRAY for data in struct gs_host_frame")
a bug in the gs_usb driver in the usage of usb_free_coherent() was introduced. With v6.1-rc1
| 62f102c0d156 ("can: gs_usb: remove dma allocations")
the DMA allocation was removed altogether from the driver, fixing the bug unintentionally.
We can either cherry-pick 62f102c0d156 ("can: gs_usb: remove dma allocations") on v6.0, v5.19, and v5.18 or apply this patch, which fixes the usage of usb_free_coherent() only.
We should always take what is in Linus's tree, that's the best solution.
Ok.
Does the change backport cleanly?
ACK.
And 5.19 and 5.18 are long end-of-life, no need to worry about them. Only 6.0 matters right now.
Please queue 62f102c0d156 ("can: gs_usb: remove dma allocations") for v6.0.x and add the fixes tag:
Fixes: c359931d2545 ("can: gs_usb: use union and FLEX_ARRAY for data in struct gs_host_frame")
Now queued up, thanks.
greg k-h
linux-stable-mirror@lists.linaro.org
-
Greg Kroah-Hartman -
Marc Kleine-Budde