diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-05-20 09:19:46 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-05-31 06:43:14 -0400 |
| commit | dbafc28955fa6779dc23d1607a0fee5e509a278b (patch) | |
| tree | 45ec293f30673ea7da73317d98cdea428f1b04dc | |
| parent | 7eeb11190f44bb1a5d1098b6ae0451690359dff2 (diff) | |
NFC: pn533: don't send USB data off of the stack
It's amazing that this driver ever worked, but now that x86 doesn't
allow USB data to be sent off of the stack, it really does not work at
all. Fix this up by properly allocating the data for the small
"commands" that get sent to the device off of the stack.
We do this for one command by having a whole urb just for ack messages,
as they can be submitted in interrupt context, so we can not use
usb_bulk_msg(). But the poweron command can sleep (and does), so use
usb_bulk_msg() for that transfer.
Reported-by: Carlos Manuel Santos <cmmpsantos@gmail.com>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/nfc/pn533/usb.c | 42 |
1 files changed, 30 insertions, 12 deletions
diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c index e153e8b64bb8..d5553c47014f 100644 --- a/drivers/nfc/pn533/usb.c +++ b/drivers/nfc/pn533/usb.c | |||
| @@ -62,6 +62,9 @@ struct pn533_usb_phy { | |||
| 62 | struct urb *out_urb; | 62 | struct urb *out_urb; |
| 63 | struct urb *in_urb; | 63 | struct urb *in_urb; |
| 64 | 64 | ||
| 65 | struct urb *ack_urb; | ||
| 66 | u8 *ack_buffer; | ||
| 67 | |||
| 65 | struct pn533 *priv; | 68 | struct pn533 *priv; |
| 66 | }; | 69 | }; |
| 67 | 70 | ||
| @@ -150,13 +153,16 @@ static int pn533_usb_send_ack(struct pn533 *dev, gfp_t flags) | |||
| 150 | struct pn533_usb_phy *phy = dev->phy; | 153 | struct pn533_usb_phy *phy = dev->phy; |
| 151 | static const u8 ack[6] = {0x00, 0x00, 0xff, 0x00, 0xff, 0x00}; | 154 | static const u8 ack[6] = {0x00, 0x00, 0xff, 0x00, 0xff, 0x00}; |
| 152 | /* spec 7.1.1.3: Preamble, SoPC (2), ACK Code (2), Postamble */ | 155 | /* spec 7.1.1.3: Preamble, SoPC (2), ACK Code (2), Postamble */ |
| 153 | int rc; | ||
| 154 | 156 | ||
| 155 | phy->out_urb->transfer_buffer = (u8 *)ack; | 157 | if (!phy->ack_buffer) { |
| 156 | phy->out_urb->transfer_buffer_length = sizeof(ack); | 158 | phy->ack_buffer = kmemdup(ack, sizeof(ack), flags); |
| 157 | rc = usb_submit_urb(phy->out_urb, flags); | 159 | if (!phy->ack_buffer) |
| 160 | return -ENOMEM; | ||
| 161 | } | ||
| 158 | 162 | ||
| 159 | return rc; | 163 | phy->ack_urb->transfer_buffer = phy->ack_buffer; |
| 164 | phy->ack_urb->transfer_buffer_length = sizeof(ack); | ||
| 165 | return usb_submit_urb(phy->ack_urb, flags); | ||
| 160 | } | 166 | } |
| 161 | 167 | ||
| 162 | static int pn533_usb_send_frame(struct pn533 *dev, | 168 | static int pn533_usb_send_frame(struct pn533 *dev, |
| @@ -375,26 +381,31 @@ static int pn533_acr122_poweron_rdr(struct pn533_usb_phy *phy) | |||
| 375 | /* Power on th reader (CCID cmd) */ | 381 | /* Power on th reader (CCID cmd) */ |
| 376 | u8 cmd[10] = {PN533_ACR122_PC_TO_RDR_ICCPOWERON, | 382 | u8 cmd[10] = {PN533_ACR122_PC_TO_RDR_ICCPOWERON, |
| 377 | 0, 0, 0, 0, 0, 0, 3, 0, 0}; | 383 | 0, 0, 0, 0, 0, 0, 3, 0, 0}; |
| 384 | char *buffer; | ||
| 385 | int transferred; | ||
| 378 | int rc; | 386 | int rc; |
| 379 | void *cntx; | 387 | void *cntx; |
| 380 | struct pn533_acr122_poweron_rdr_arg arg; | 388 | struct pn533_acr122_poweron_rdr_arg arg; |
| 381 | 389 | ||
| 382 | dev_dbg(&phy->udev->dev, "%s\n", __func__); | 390 | dev_dbg(&phy->udev->dev, "%s\n", __func__); |
| 383 | 391 | ||
| 392 | buffer = kmemdup(cmd, sizeof(cmd), GFP_KERNEL); | ||
| 393 | if (!buffer) | ||
| 394 | return -ENOMEM; | ||
| 395 | |||
| 384 | init_completion(&arg.done); | 396 | init_completion(&arg.done); |
| 385 | cntx = phy->in_urb->context; /* backup context */ | 397 | cntx = phy->in_urb->context; /* backup context */ |
| 386 | 398 | ||
| 387 | phy->in_urb->complete = pn533_acr122_poweron_rdr_resp; | 399 | phy->in_urb->complete = pn533_acr122_poweron_rdr_resp; |
| 388 | phy->in_urb->context = &arg; | 400 | phy->in_urb->context = &arg; |
| 389 | 401 | ||
| 390 | phy->out_urb->transfer_buffer = cmd; | ||
| 391 | phy->out_urb->transfer_buffer_length = sizeof(cmd); | ||
| 392 | |||
| 393 | print_hex_dump_debug("ACR122 TX: ", DUMP_PREFIX_NONE, 16, 1, | 402 | print_hex_dump_debug("ACR122 TX: ", DUMP_PREFIX_NONE, 16, 1, |
| 394 | cmd, sizeof(cmd), false); | 403 | cmd, sizeof(cmd), false); |
| 395 | 404 | ||
| 396 | rc = usb_submit_urb(phy->out_urb, GFP_KERNEL); | 405 | rc = usb_bulk_msg(phy->udev, phy->out_urb->pipe, buffer, sizeof(cmd), |
| 397 | if (rc) { | 406 | &transferred, 0); |
| 407 | kfree(buffer); | ||
| 408 | if (rc || (transferred != sizeof(cmd))) { | ||
| 398 | nfc_err(&phy->udev->dev, | 409 | nfc_err(&phy->udev->dev, |
| 399 | "Reader power on cmd error %d\n", rc); | 410 | "Reader power on cmd error %d\n", rc); |
| 400 | return rc; | 411 | return rc; |
| @@ -490,8 +501,9 @@ static int pn533_usb_probe(struct usb_interface *interface, | |||
| 490 | 501 | ||
| 491 | phy->in_urb = usb_alloc_urb(0, GFP_KERNEL); | 502 | phy->in_urb = usb_alloc_urb(0, GFP_KERNEL); |
| 492 | phy->out_urb = usb_alloc_urb(0, GFP_KERNEL); | 503 | phy->out_urb = usb_alloc_urb(0, GFP_KERNEL); |
| 504 | phy->ack_urb = usb_alloc_urb(0, GFP_KERNEL); | ||
| 493 | 505 | ||
| 494 | if (!phy->in_urb || !phy->out_urb) | 506 | if (!phy->in_urb || !phy->out_urb || !phy->ack_urb) |
| 495 | goto error; | 507 | goto error; |
| 496 | 508 | ||
| 497 | usb_fill_bulk_urb(phy->in_urb, phy->udev, | 509 | usb_fill_bulk_urb(phy->in_urb, phy->udev, |
| @@ -501,7 +513,9 @@ static int pn533_usb_probe(struct usb_interface *interface, | |||
| 501 | usb_fill_bulk_urb(phy->out_urb, phy->udev, | 513 | usb_fill_bulk_urb(phy->out_urb, phy->udev, |
| 502 | usb_sndbulkpipe(phy->udev, out_endpoint), | 514 | usb_sndbulkpipe(phy->udev, out_endpoint), |
| 503 | NULL, 0, pn533_send_complete, phy); | 515 | NULL, 0, pn533_send_complete, phy); |
| 504 | 516 | usb_fill_bulk_urb(phy->ack_urb, phy->udev, | |
| 517 | usb_sndbulkpipe(phy->udev, out_endpoint), | ||
| 518 | NULL, 0, pn533_send_complete, phy); | ||
| 505 | 519 | ||
| 506 | switch (id->driver_info) { | 520 | switch (id->driver_info) { |
| 507 | case PN533_DEVICE_STD: | 521 | case PN533_DEVICE_STD: |
| @@ -554,6 +568,7 @@ static int pn533_usb_probe(struct usb_interface *interface, | |||
| 554 | error: | 568 | error: |
| 555 | usb_free_urb(phy->in_urb); | 569 | usb_free_urb(phy->in_urb); |
| 556 | usb_free_urb(phy->out_urb); | 570 | usb_free_urb(phy->out_urb); |
| 571 | usb_free_urb(phy->ack_urb); | ||
| 557 | usb_put_dev(phy->udev); | 572 | usb_put_dev(phy->udev); |
| 558 | kfree(in_buf); | 573 | kfree(in_buf); |
| 559 | 574 | ||
| @@ -573,10 +588,13 @@ static void pn533_usb_disconnect(struct usb_interface *interface) | |||
| 573 | 588 | ||
| 574 | usb_kill_urb(phy->in_urb); | 589 | usb_kill_urb(phy->in_urb); |
| 575 | usb_kill_urb(phy->out_urb); | 590 | usb_kill_urb(phy->out_urb); |
| 591 | usb_kill_urb(phy->ack_urb); | ||
| 576 | 592 | ||
| 577 | kfree(phy->in_urb->transfer_buffer); | 593 | kfree(phy->in_urb->transfer_buffer); |
| 578 | usb_free_urb(phy->in_urb); | 594 | usb_free_urb(phy->in_urb); |
| 579 | usb_free_urb(phy->out_urb); | 595 | usb_free_urb(phy->out_urb); |
| 596 | usb_free_urb(phy->ack_urb); | ||
| 597 | kfree(phy->ack_buffer); | ||
| 580 | 598 | ||
| 581 | nfc_info(&interface->dev, "NXP PN533 NFC device disconnected\n"); | 599 | nfc_info(&interface->dev, "NXP PN533 NFC device disconnected\n"); |
| 582 | } | 600 | } |