One of the more common cases of allocation size calculations is finding
the size of a structure that has a zero-sized array at the end, along
with memory for some number of elements for that array. For example:
struct foo {
int stuff;
void *entry[];
};
instance = kmalloc(sizeof(struct foo) + sizeof(void *) * count, GFP_KERNEL);
Instead of leaving these open-coded and prone to type mistakes, we can
now use the new struct_size() helper:
instance = kmalloc(struct_size(instance, entry, count), GFP_KERNEL);
This patch makes the changes for kmalloc()-family (and kvmalloc()-family)
uses. It was done via automatic conversion with manual review for the
"CHECKME" non-standard cases noted below, using the following Coccinelle
script:
// pkey_cache = kmalloc(sizeof *pkey_cache + tprops->pkey_tbl_len *
// sizeof *pkey_cache->table, GFP_KERNEL);
@@
identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
expression GFP;
identifier VAR, ELEMENT;
expression COUNT;
@@
- alloc(sizeof(*VAR) + COUNT * sizeof(*VAR->ELEMENT), GFP)
+ alloc(struct_size(VAR, ELEMENT, COUNT), GFP)
// mr = kzalloc(sizeof(*mr) + m * sizeof(mr->map[0]), GFP_KERNEL);
@@
identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
expression GFP;
identifier VAR, ELEMENT;
expression COUNT;
@@
- alloc(sizeof(*VAR) + COUNT * sizeof(VAR->ELEMENT[0]), GFP)
+ alloc(struct_size(VAR, ELEMENT, COUNT), GFP)
// Same pattern, but can't trivially locate the trailing element name,
// or variable name.
@@
identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
expression GFP;
expression SOMETHING, COUNT, ELEMENT;
@@
- alloc(sizeof(SOMETHING) + COUNT * sizeof(ELEMENT), GFP)
+ alloc(CHECKME_struct_size(&SOMETHING, ELEMENT, COUNT), GFP)
Signed-off-by: Kees Cook <keescook@chromium.org>
In usb_dmac_of_xlate(), variable ‘uchan’ is initialized but never used, which
leads to warning with W=1
drivers/dma/sh/usb-dmac.c: In function ‘usb_dmac_of_xlate’:
drivers/dma/sh/usb-dmac.c:655:24: warning: variable ‘uchan’ set but not used [-Wunused-but-set-variable]
struct usb_dmac_chan *uchan;
So remove it.
Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
The USB-DMAC's interruption happens even if the CHCR.DE is not set to 1
because CHCR.NULLE is set to 1. So, this driver should call
usb_dmac_isr_transfer_end() if the DE bit is set to 1 only. Otherwise,
the desc is possible to be NULL in the usb_dmac_isr_transfer_end().
Fixes: 0c1c8ff32f ("dmaengine: usb-dmac: Add Renesas USB DMA Controller (USB-DMAC) driver)
Cc: <stable@vger.kernel.org> # v4.1+
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
This round we have few new features, new driver and updates to few drivers.
The new features to dmaengine core are:
- Synchronized transfer termination API to terminate the dmaengine
transfers in synchronized and async fashion as required by users.
We have its user now in ALSA dmaengine lib, img, at_xdma, axi_dmac
drivers.
- Universal API for channel request and start consolidation of request
flows. It's user is ompa-dma driver.
- Introduce reuse of descriptors and use in pxa_dma driver
Add/Remove:
- STM32 DMA driver
- Removal of unused R-Car HPB-DMAC driver
Updates:
- ti-dma-crossbar updates for supporting eDMA
- tegra-apb pm updates
- idma64
- mv_xor updates
- ste_dma updates
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJWlO5UAAoJEHwUBw8lI4NH1OAP+QG35WZx3e2kfk7O4xKTugEg
i0vGdSxMu1ILKUsi+ZjwzGaMcheDDfBTRMzlBZNqYoFfnV1ull2re/GM+DwjCg6C
xuYDThhwghj+42CNRb5FGNHlLsNczNTsD3KfPAg9BjMOxEUW8bUQMtEp7cEhvf9F
+BoxTXInrEGeKeZRl557pBSSYfhs/y/b9etMY7JNKSk97C3isNHFRMV3cBESGmch
GaQR+3IEtbQfsuOypJpPMA2qmH/wQUeiQOgSR0EW9+599azVbUYohDTkBP1qA2aY
W0/UBybsCo+tFitB8WZTBAkMCmrHXqdub7sfo467oZvuJoqIIflWkr5fgLSI2tdA
+6EPIXNCjFfk5r3PrmcWBoeJ29S3/t9hRdfSvcWPX5+tdqqcD/qaLsYqMnb15bkj
sPAbhZcIb7OJRz2ibaTjcamyBXfqV89suRF64Fokm1/sN78IALtv/0RsHwEULmVJ
yZfRB8U9T7Or45FGODrfeQCIyKkJD0lCfTJryVHUdix+UgidZByuMW726B4E6V6R
tPB/tQCoHlZeUuWclR1BOpaZhtHmpMFZsBlZCHVU4GIwUkzWhlnt7FgOXPUY8gWf
zof9rMfPbZzykrlEi+iYLCPG8JCm0gzbcEeMRsr2rIBPmXW8ZRpW4+829wBgdDXs
vtJLlB8ZTlF2gaDWhDEt
=D5Fb
-----END PGP SIGNATURE-----
Merge tag 'dmaengine-4.5-rc1' of git://git.infradead.org/users/vkoul/slave-dma
Pull dmaengine updates from Vinod Koul:
"This round we have few new features, new driver and updates to few
drivers.
The new features to dmaengine core are:
- Synchronized transfer termination API to terminate the dmaengine
transfers in synchronized and async fashion as required by users.
We have its user now in ALSA dmaengine lib, img, at_xdma, axi_dmac
drivers.
- Universal API for channel request and start consolidation of
request flows. It's user is ompa-dma driver.
- Introduce reuse of descriptors and use in pxa_dma driver
Add/Remove:
- New STM32 DMA driver
- Removal of unused R-Car HPB-DMAC driver
Updates:
- ti-dma-crossbar updates for supporting eDMA
- tegra-apb pm updates
- idma64
- mv_xor updates
- ste_dma updates"
* tag 'dmaengine-4.5-rc1' of git://git.infradead.org/users/vkoul/slave-dma: (54 commits)
dmaengine: mv_xor: add suspend/resume support
dmaengine: mv_xor: de-duplicate mv_chan_set_mode*()
dmaengine: mv_xor: remove mv_xor_chan->current_type field
dmaengine: omap-dma: Add support for DMA filter mapping to slave devices
dmaengine: edma: Add support for DMA filter mapping to slave devices
dmaengine: core: Introduce new, universal API to request a channel
dmaengine: core: Move and merge the code paths using private_candidate
dmaengine: core: Skip mask matching when it is not provided to private_candidate
dmaengine: mdc: Correct terminate_all handling
dmaengine: edma: Add probe callback to edma_tptc_driver
dmaengine: dw: fix potential memory leak in dw_dma_parse_dt()
dmaengine: stm32-dma: Fix unchecked deference of chan->desc
dmaengine: sh: Remove unused R-Car HPB-DMAC driver
dmaengine: usb-dmac: Document SoC specific compatibility strings
ste_dma40: Delete an unnecessary variable initialisation in d40_probe()
ste_dma40: Delete another unnecessary check in d40_probe()
ste_dma40: Delete an unnecessary check before the function call "kmem_cache_destroy"
dmaengine: tegra-apb: Free interrupts before killing tasklets
dmaengine: tegra-apb: Update driver to use GFP_NOWAIT
dmaengine: tegra-apb: Only save channel state for those in use
...
This patch fixes an issue that list_for_each_entry() in
usb_dmac_chan_terminate_all() is possible to cause endless loop because
this will move own desc to the desc_freed. So, this driver should use
list_for_each_entry_safe() instead of list_for_each_entry().
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
If the call to pm_runtime_get_sync() failed, Runtime PM was left
enabled.
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
If CONFIG_PREEMPT=y:
Unable to handle kernel NULL pointer dereference at virtual address 00000014
pgd = c0003000
[00000014] *pgd=80000040004003, *pmd=00000000
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 17 Comm: kworker/0:1 Tainted: G W 4.3.0-rc3-koelsch-022
71-g705498fc5e6a5da8-dirty #1789
Hardware name: Generic R8A7791 (Flattened Device Tree)
Workqueue: pm pm_runtime_work
task: ef578e40 ti: ef57a000 task.ti: ef57a000
PC is at usb_dmac_chan_halt+0xc/0xc0
LR is at usb_dmac_runtime_suspend+0x28/0x38
pc : [<c023c880>] lr : [<c023c95c>] psr: 80000113
sp : ef57bdf8 ip : 00000008 fp : 00000003
r10: 00000008 r9 : c06ab928 r8 : ef49e810
r7 : 00000000 r6 : 000000ac r5 : ef770010 r4 : 00000000
r3 : 00000000 r2 : 8ffc2b84 r1 : 00000000 r0 : ef770010
Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
Control: 30c5307d Table: 40003000 DAC: fffffffd
Process kworker/0:1 (pid: 17, stack limit = 0xef57a210)
Stack: (0xef57bdf8 to 0xef57c000)
[...
[<c023c880>] (usb_dmac_chan_halt) from [<c023c95c>] (usb_dmac_runtime_suspend+0x28/0x38)
[<c023c95c>] (usb_dmac_runtime_suspend) from [<c027b25c>] (pm_genpd_runtime_suspend+0x74/0x23c)
This happens because usb_dmac_probe() calls pm_runtime_put() before
usb_dmac_chan_probe(), leading to the device being suspended before the
DMA channels are initialized, causing a NULL pointer dereference.
Move the call to pm_runtime_put() to the end of usb_dmac_probe() to fix
this.
Add a check to usb_dmac_runtime_suspend() to prevent the crash from
happening in the error path.
Reported-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
If CONFIG_PM=n:
drivers/dma/sh/usb-dmac.c:677: warning: ‘usb_dmac_runtime_suspend’ defined but not used
drivers/dma/sh/usb-dmac.c:688: warning: ‘usb_dmac_runtime_resume’ defined but not used
Protect the unused functions by #ifdef CONFIG_PM to fix this.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
This patch fixes an issue that the usb_dmac_desc_free() is
dereferencing freed memory 'desc' because it uses list_for_each_entry().
This function should use list_for_each_entry_safe().
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
This DMAC is Renesas USB high-speed module DMA controller that
supports slave transfer.
This USB-DMAC has similar register sets with R-Car Gen2 DMAC, but
the USB-DMAC has specific registers to control the USB transactions.
If this code is added into the rcar-dmac driver, it will become
unreadable. So, this driver is independent from the rcar-dmac.
And, this USB-DMAC uses virt-dma infrastructure.
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>