On Mon, 2015-03-16 at 22:37 +0100, Jiri Kosina wrote:

On Mon, 16 Mar 2015, Pavel Machek wrote:

quoted

quoted

quoted

Oliver Neukum [off-list ref] wrote:

quoted

quoted

+	ret = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x02),
+				buf2, sizeof(buf2),
+				&transfered, USB_CTRL_SET_TIMEOUT);

You cannot do this. Even for a single byte DMA on the stack is
wrong. Not on all architectures it works at all and you violate
the DMA constrainsts. You must use kmalloc().

Hi Oliver,

Does this still apply when using hid_hw_output_report?

Yes. For USB devices hid_hw_output_report() goes to
usbhid_output_report(). That goes to usb_interrupt_msg(),
which passes the buffer pointer. It will then be mapped
for DMA. You must not do that on the stack.

Should we have some kind of runtime test for this ...? Because this is
very very easy to get wrong... and I bet we do get it wrong at > 1
place...

Are you sure CONFIG_DMA_API_DEBUG wouldn't warn here?

As far as I can tell, it will not warn. The problem is not in the
mapping itself. That is usually legitimate. The problem arises
because the buffer doesn't have a cacheline of its own. Thus the
memory corruption happens after the IO operation has started.

	Regards
		Oliver