Date: Mon, 20 Sep 2010 19:36:53 +0000 (UTC) From: Weongyo Jeong <weongyo@FreeBSD.org> To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r212925 - user/weongyo/usb/sys/dev/usb Message-ID: <201009201936.o8KJar4B065050@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: weongyo Date: Mon Sep 20 19:36:53 2010 New Revision: 212925 URL: http://svn.freebsd.org/changeset/base/212925 Log: Just assumes that the number of segment by bus_dmamap_load(9) is always 1 because currently it looks handling the multiple segments cause a kernel crash that the number of array `pc->page_start' isn't known. It means it could lead invalid memory access and override the kernel memory value when the array size is 1 and segments are over 1. Modified: user/weongyo/usb/sys/dev/usb/usb_busdma.c Modified: user/weongyo/usb/sys/dev/usb/usb_busdma.c ============================================================================== --- user/weongyo/usb/sys/dev/usb/usb_busdma.c Mon Sep 20 19:30:20 2010 (r212924) +++ user/weongyo/usb/sys/dev/usb/usb_busdma.c Mon Sep 20 19:36:53 2010 (r212925) @@ -425,12 +425,13 @@ usb_pc_common_mem_cb(void *arg, bus_dma_ if (error) goto done; + USB_ASSERT(nseg == 1, ("too many segments (%d)", nseg)); + pg = pc->page_start; pg->physaddr = segs->ds_addr & ~(USB_PAGE_SIZE - 1); rem = segs->ds_addr & (USB_PAGE_SIZE - 1); pc->page_offset_buf = rem; pc->page_offset_end += rem; - nseg--; #ifdef USB_DEBUG if (rem != (USB_P2U(pc->buffer) & (USB_PAGE_SIZE - 1))) { /* @@ -441,12 +442,6 @@ usb_pc_common_mem_cb(void *arg, bus_dma_ goto done; } #endif - while (nseg > 0) { - nseg--; - segs++; - pg++; - pg->physaddr = segs->ds_addr & ~(USB_PAGE_SIZE - 1); - } done: mtx_lock(uptag->mtx); uptag->dma_error = (error ? 1 : 0);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201009201936.o8KJar4B065050>