1 From dbafc28955fa6779dc23d1607a0fee5e509a278b Mon Sep 17 00:00:00 2001
2 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
3 Date: Sun, 20 May 2018 15:19:46 +0200
4 Subject: [PATCH] NFC: pn533: don't send USB data off of the stack
6 It's amazing that this driver ever worked, but now that x86 doesn't
7 allow USB data to be sent off of the stack, it really does not work at
8 all. Fix this up by properly allocating the data for the small
9 "commands" that get sent to the device off of the stack.
11 We do this for one command by having a whole urb just for ack messages,
12 as they can be submitted in interrupt context, so we can not use
13 usb_bulk_msg(). But the poweron command can sleep (and does), so use
14 usb_bulk_msg() for that transfer.
16 Reported-by: Carlos Manuel Santos <cmmpsantos@gmail.com>
17 Cc: Samuel Ortiz <sameo@linux.intel.com>
18 Cc: Stephen Hemminger <stephen@networkplumber.org>
19 Cc: stable <stable@vger.kernel.org>
20 Reviewed-by: Johan Hovold <johan@kernel.org>
21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
23 drivers/nfc/pn533/usb.c | 42 +++++++++++++++++++++++++++++------------
24 1 file changed, 30 insertions(+), 12 deletions(-)
26 diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c
27 index e153e8b64bb8..d5553c47014f 100644
28 --- a/drivers/nfc/pn533/usb.c
29 +++ b/drivers/nfc/pn533/usb.c
30 @@ -62,6 +62,9 @@ struct pn533_usb_phy {
34 + struct urb *ack_urb;
40 @@ -150,13 +153,16 @@ static int pn533_usb_send_ack(struct pn533 *dev, gfp_t flags)
41 struct pn533_usb_phy *phy = dev->phy;
42 static const u8 ack[6] = {0x00, 0x00, 0xff, 0x00, 0xff, 0x00};
43 /* spec 7.1.1.3: Preamble, SoPC (2), ACK Code (2), Postamble */
46 - phy->out_urb->transfer_buffer = (u8 *)ack;
47 - phy->out_urb->transfer_buffer_length = sizeof(ack);
48 - rc = usb_submit_urb(phy->out_urb, flags);
49 + if (!phy->ack_buffer) {
50 + phy->ack_buffer = kmemdup(ack, sizeof(ack), flags);
51 + if (!phy->ack_buffer)
56 + phy->ack_urb->transfer_buffer = phy->ack_buffer;
57 + phy->ack_urb->transfer_buffer_length = sizeof(ack);
58 + return usb_submit_urb(phy->ack_urb, flags);
61 static int pn533_usb_send_frame(struct pn533 *dev,
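Review bot: The lazy `kmemdup(ack, sizeof(ack), flags)` inside pn533_usb_send_ack() puts an allocation that can fail on a path the commit message says may run in interrupt context. The `if (!phy->ack_buffer)` check-then-assign is also unserialised in the visible lines, so two callers racing on the first ACK could each allocate and one copy would leak; whether callers are already serialised is not visible here. Allocating once in pn533_usb_probe() next to `usb_alloc_urb()` for `ack_urb`, e.g. `phy->ack_buffer = kmemdup(ack, sizeof(ack), GFP_KERNEL);` with `ack` moved to file scope, removes both concerns and lets the send path only submit. It would also help to add a comment such as `/* dedicated URB: ACKs may be sent while out_urb is still in flight */` above the submit. Parts of this function's body are not shown in the hunk.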
62 @@ -375,26 +381,31 @@ static int pn533_acr122_poweron_rdr(struct pn533_usb_phy *phy)
63 /* Power on th reader (CCID cmd) */
64 u8 cmd[10] = {PN533_ACR122_PC_TO_RDR_ICCPOWERON,
65 0, 0, 0, 0, 0, 0, 3, 0, 0};
70 struct pn533_acr122_poweron_rdr_arg arg;
72 dev_dbg(&phy->udev->dev, "%s\n", __func__);
74 + buffer = kmemdup(cmd, sizeof(cmd), GFP_KERNEL);
78 init_completion(&arg.done);
79 cntx = phy->in_urb->context; /* backup context */
81 phy->in_urb->complete = pn533_acr122_poweron_rdr_resp;
82 phy->in_urb->context = &arg;
84 - phy->out_urb->transfer_buffer = cmd;
85 - phy->out_urb->transfer_buffer_length = sizeof(cmd);
87 print_hex_dump_debug("ACR122 TX: ", DUMP_PREFIX_NONE, 16, 1,
88 cmd, sizeof(cmd), false);
90 - rc = usb_submit_urb(phy->out_urb, GFP_KERNEL);
92 + rc = usb_bulk_msg(phy->udev, phy->out_urb->pipe, buffer, sizeof(cmd),
95 + if (rc || (transferred != sizeof(cmd))) {
96 nfc_err(&phy->udev->dev,
97 "Reader power on cmd error %d\n", rc);
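Review bot: A short write is detected by `if (rc || (transferred != sizeof(cmd)))`, but in that case `rc` is still 0, so the message logs "error 0" and, if the branch returns `rc` (the return is not visible in this hunk), the caller sees success for a power-on command that was only partially sent. Map the short transfer to an error before the check, e.g. `if (!rc && transferred != sizeof(cmd)) rc = -EIO;`. The lines that check the `kmemdup()` result, free `buffer` and pass the timeout to `usb_bulk_msg()` are not shown here; confirm that `buffer` is freed on every path and that the timeout is bounded, so an unresponsive reader cannot block probe indefinitely.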
99 @@ -490,8 +501,9 @@ static int pn533_usb_probe(struct usb_interface *interface,
101 phy->in_urb = usb_alloc_urb(0, GFP_KERNEL);
102 phy->out_urb = usb_alloc_urb(0, GFP_KERNEL);
103 + phy->ack_urb = usb_alloc_urb(0, GFP_KERNEL);
105 - if (!phy->in_urb || !phy->out_urb)
106 + if (!phy->in_urb || !phy->out_urb || !phy->ack_urb)
109 usb_fill_bulk_urb(phy->in_urb, phy->udev,
110 @@ -501,7 +513,9 @@ static int pn533_usb_probe(struct usb_interface *interface,
111 usb_fill_bulk_urb(phy->out_urb, phy->udev,
112 usb_sndbulkpipe(phy->udev, out_endpoint),
113 NULL, 0, pn533_send_complete, phy);
115 + usb_fill_bulk_urb(phy->ack_urb, phy->udev,
116 + usb_sndbulkpipe(phy->udev, out_endpoint),
117 + NULL, 0, pn533_send_complete, phy);
119 switch (id->driver_info) {
120 case PN533_DEVICE_STD:
121 @@ -554,6 +568,7 @@ static int pn533_usb_probe(struct usb_interface *interface,
123 usb_free_urb(phy->in_urb);
124 usb_free_urb(phy->out_urb);
125 + usb_free_urb(phy->ack_urb);
126 usb_put_dev(phy->udev);
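Review bot: This probe error path releases `ack_urb` with `usb_free_urb()` but, unlike pn533_usb_disconnect(), it neither calls `usb_kill_urb()` on the URBs nor frees `phy->ack_buffer`. If any step before the failure can submit an URB or send an ACK (not visible in this hunk), a completion could still run against `phy` after the unwind, and the lazily allocated ACK buffer would leak. Mirroring the disconnect sequence is cheap and safe on NULL pointers: `usb_kill_urb(phy->ack_urb);` before the frees and `kfree(phy->ack_buffer);` after `usb_free_urb(phy->ack_urb);`. The label and the rest of the cleanup block lie outside the visible lines.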
129 @@ -573,10 +588,13 @@ static void pn533_usb_disconnect(struct usb_interface *interface)
131 usb_kill_urb(phy->in_urb);
132 usb_kill_urb(phy->out_urb);
133 + usb_kill_urb(phy->ack_urb);
135 kfree(phy->in_urb->transfer_buffer);
136 usb_free_urb(phy->in_urb);
137 usb_free_urb(phy->out_urb);
138 + usb_free_urb(phy->ack_urb);
139 + kfree(phy->ack_buffer);
141 nfc_info(&interface->dev, "NXP PN533 NFC device disconnected\n");