p54spi: fix p54spi_upload_firmware

Instead of firmware itself p54_upload_firmware was sending to the device content of struct firmware and the following random garbage. Notice '&' before priv->firmware->data at p54spi_spi_write. But simple removing of '&' sign triggered BUG_ON at dma_cache_maint. Thus kmemdup - kfree workaround. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Max Filippov <jcmvbkbc@gmail.com> 2009-03-25 08:45:01 -0400
committer: John W. Linville <linville@tuxdriver.com> 2009-04-22 16:54:26 -0400
commit: 5e3af1d2d3e6c0011b4c22514d39c73dcbc6674f (patch)
tree: e8b7e4d3ae5d70ab6ca7410566ae6e746a982527
parent: f74d0f5cacb7023422098dd5c98e3ce06787ba56 (diff)
1 files changed, 19 insertions, 15 deletions
diff --git a/drivers/net/wireless/p54/p54spi.c b/drivers/net/wireless/p54/p54spi.c
index 55402729d21b..bed894ae04b5 100644
--- a/drivers/net/wireless/p54/p54spi.c
+++ b/drivers/net/wireless/p54/p54spi.c
@@ -228,8 +228,15 @@ static int p54spi_request_eeprom(struct ieee80211_hw *dev)
 static int p54spi_upload_firmware(struct ieee80211_hw *dev)
 {
        struct p54s_priv *priv = dev->priv;
-        unsigned long fw_len, fw_addr;
+        unsigned long fw_len, _fw_len;
-        long _fw_len;
+        unsigned int offset = 0;
+        int err = 0;
+        u8 *fw;
+        fw_len = priv->firmware->size;
+        fw = kmemdup(priv->firmware->data, fw_len, GFP_KERNEL);
+        if (!fw)
+                return -ENOMEM;
        /* stop the device */
        p54spi_write16(priv, SPI_ADRS_DEV_CTRL_STAT, cpu_to_le16(
@@ -244,9 +251,6 @@ static int p54spi_upload_firmware(struct ieee80211_hw *dev)
        msleep(TARGET_BOOT_SLEEP);
-        fw_addr = ISL38XX_DEV_FIRMWARE_ADDR;
-        fw_len = priv->firmware->size;
        while (fw_len > 0) {
                _fw_len = min_t(long, fw_len, SPI_MAX_PACKET_SIZE);
@@ -257,23 +261,20 @@ static int p54spi_upload_firmware(struct ieee80211_hw *dev)
                                    cpu_to_le32(HOST_ALLOWED)) == 0) {
                        dev_err(&priv->spi->dev, "fw_upload not allowed "
                                "to DMA write.");
-                        return -EAGAIN;
+                        err = -EAGAIN;
+                        goto out;
                }
                p54spi_write16(priv, SPI_ADRS_DMA_WRITE_LEN,
                               cpu_to_le16(_fw_len));
-                p54spi_write32(priv, SPI_ADRS_DMA_WRITE_BASE,
+                p54spi_write32(priv, SPI_ADRS_DMA_WRITE_BASE, cpu_to_le32(
-                               cpu_to_le32(fw_addr));
+                                ISL38XX_DEV_FIRMWARE_ADDR + offset));
                p54spi_spi_write(priv, SPI_ADRS_DMA_DATA,
-                                 &priv->firmware->data, _fw_len);
+                                 (fw + offset), _fw_len);
                fw_len -= _fw_len;
-                fw_addr += _fw_len;
+                offset += _fw_len;
-                /* FIXME: I think this doesn't work if firmware is large,
-                 * this loop goes to second round. fw->data is not
-                 * increased at all! */
        }
        BUG_ON(fw_len != 0);
@@ -292,7 +293,10 @@ static int p54spi_upload_firmware(struct ieee80211_hw *dev)
        p54spi_write16(priv, SPI_ADRS_DEV_CTRL_STAT, cpu_to_le16(
                       SPI_CTRL_STAT_HOST_OVERRIDE | SPI_CTRL_STAT_RAM_BOOT));
        msleep(TARGET_BOOT_SLEEP);
-        return 0;
+out:
+        kfree(fw);
+        return err;
 }
 static void p54spi_power_off(struct p54s_priv *priv)
author	Max Filippov <jcmvbkbc@gmail.com>	2009-03-25 08:45:01 -0400
committer	John W. Linville <linville@tuxdriver.com>	2009-04-22 16:54:26 -0400
commit	5e3af1d2d3e6c0011b4c22514d39c73dcbc6674f (patch)
tree	e8b7e4d3ae5d70ab6ca7410566ae6e746a982527
parent	f74d0f5cacb7023422098dd5c98e3ce06787ba56 (diff)

diff --git a/drivers/net/wireless/p54/p54spi.c b/drivers/net/wireless/p54/p54spi.c index 55402729d21b..bed894ae04b5 100644 --- a/drivers/net/wireless/p54/p54spi.c +++ b/drivers/net/wireless/p54/p54spi.c
@@ -228,8 +228,15 @@ static int p54spi_request_eeprom(struct ieee80211_hw *dev)
228	static int p54spi_upload_firmware(struct ieee80211_hw *dev)	228	static int p54spi_upload_firmware(struct ieee80211_hw *dev)
229	{	229	{
230	struct p54s_priv *priv = dev->priv;	230	struct p54s_priv *priv = dev->priv;
231	unsigned long fw_len, fw_addr;	231	unsigned long fw_len, _fw_len;
232	long _fw_len;	232	unsigned int offset = 0;
		233	int err = 0;
		234	u8 *fw;
		235
		236	fw_len = priv->firmware->size;
		237	fw = kmemdup(priv->firmware->data, fw_len, GFP_KERNEL);
		238	if (!fw)
		239	return -ENOMEM;
233		240
234	/* stop the device */	241	/* stop the device */
235	p54spi_write16(priv, SPI_ADRS_DEV_CTRL_STAT, cpu_to_le16(	242	p54spi_write16(priv, SPI_ADRS_DEV_CTRL_STAT, cpu_to_le16(
@@ -244,9 +251,6 @@ static int p54spi_upload_firmware(struct ieee80211_hw *dev)
244		251
245	msleep(TARGET_BOOT_SLEEP);	252	msleep(TARGET_BOOT_SLEEP);
246		253
247	fw_addr = ISL38XX_DEV_FIRMWARE_ADDR;
248	fw_len = priv->firmware->size;
249
250	while (fw_len > 0) {	254	while (fw_len > 0) {
251	_fw_len = min_t(long, fw_len, SPI_MAX_PACKET_SIZE);	255	_fw_len = min_t(long, fw_len, SPI_MAX_PACKET_SIZE);
252		256
@@ -257,23 +261,20 @@ static int p54spi_upload_firmware(struct ieee80211_hw *dev)
257	cpu_to_le32(HOST_ALLOWED)) == 0) {	261	cpu_to_le32(HOST_ALLOWED)) == 0) {
258	dev_err(&priv->spi->dev, "fw_upload not allowed "	262	dev_err(&priv->spi->dev, "fw_upload not allowed "
259	"to DMA write.");	263	"to DMA write.");
260	return -EAGAIN;	264	err = -EAGAIN;
		265	goto out;
261	}	266	}
262		267
263	p54spi_write16(priv, SPI_ADRS_DMA_WRITE_LEN,	268	p54spi_write16(priv, SPI_ADRS_DMA_WRITE_LEN,
264	cpu_to_le16(_fw_len));	269	cpu_to_le16(_fw_len));
265	p54spi_write32(priv, SPI_ADRS_DMA_WRITE_BASE,	270	p54spi_write32(priv, SPI_ADRS_DMA_WRITE_BASE, cpu_to_le32(
266	cpu_to_le32(fw_addr));	271	ISL38XX_DEV_FIRMWARE_ADDR + offset));
267		272
268	p54spi_spi_write(priv, SPI_ADRS_DMA_DATA,	273	p54spi_spi_write(priv, SPI_ADRS_DMA_DATA,
269	&priv->firmware->data, _fw_len);	274	(fw + offset), _fw_len);
270		275
271	fw_len -= _fw_len;	276	fw_len -= _fw_len;
272	fw_addr += _fw_len;	277	offset += _fw_len;
273
274	/* FIXME: I think this doesn't work if firmware is large,
275	* this loop goes to second round. fw->data is not
276	* increased at all! */
277	}	278	}
278		279
279	BUG_ON(fw_len != 0);	280	BUG_ON(fw_len != 0);
@@ -292,7 +293,10 @@ static int p54spi_upload_firmware(struct ieee80211_hw *dev)
292	p54spi_write16(priv, SPI_ADRS_DEV_CTRL_STAT, cpu_to_le16(	293	p54spi_write16(priv, SPI_ADRS_DEV_CTRL_STAT, cpu_to_le16(
293	SPI_CTRL_STAT_HOST_OVERRIDE \| SPI_CTRL_STAT_RAM_BOOT));	294	SPI_CTRL_STAT_HOST_OVERRIDE \| SPI_CTRL_STAT_RAM_BOOT));
294	msleep(TARGET_BOOT_SLEEP);	295	msleep(TARGET_BOOT_SLEEP);
295	return 0;	296
		297	out:
		298	kfree(fw);
		299	return err;
296	}	300	}
297		301
298	static void p54spi_power_off(struct p54s_priv *priv)	302	static void p54spi_power_off(struct p54s_priv *priv)