svn commit: r212925 - user/weongyo/usb/sys/dev/usb
Weongyo Jeong
weongyo at FreeBSD.org
Mon Sep 20 19:36:53 UTC 2010
Author: weongyo
Date: Mon Sep 20 19:36:53 2010
New Revision: 212925
URL: http://svn.freebsd.org/changeset/base/212925
Log:
Just assumes that the number of segment by bus_dmamap_load(9) is always
1 because currently it looks handling the multiple segments cause a
kernel crash that the number of array `pc->page_start' isn't known. It
means it could lead invalid memory access and override the kernel memory
value when the array size is 1 and segments are over 1.
Modified:
user/weongyo/usb/sys/dev/usb/usb_busdma.c
Modified: user/weongyo/usb/sys/dev/usb/usb_busdma.c
==============================================================================
--- user/weongyo/usb/sys/dev/usb/usb_busdma.c Mon Sep 20 19:30:20 2010 (r212924)
+++ user/weongyo/usb/sys/dev/usb/usb_busdma.c Mon Sep 20 19:36:53 2010 (r212925)
@@ -425,12 +425,13 @@ usb_pc_common_mem_cb(void *arg, bus_dma_
if (error)
goto done;
+ USB_ASSERT(nseg == 1, ("too many segments (%d)", nseg));
+
pg = pc->page_start;
pg->physaddr = segs->ds_addr & ~(USB_PAGE_SIZE - 1);
rem = segs->ds_addr & (USB_PAGE_SIZE - 1);
pc->page_offset_buf = rem;
pc->page_offset_end += rem;
- nseg--;
#ifdef USB_DEBUG
if (rem != (USB_P2U(pc->buffer) & (USB_PAGE_SIZE - 1))) {
/*
@@ -441,12 +442,6 @@ usb_pc_common_mem_cb(void *arg, bus_dma_
goto done;
}
#endif
- while (nseg > 0) {
- nseg--;
- segs++;
- pg++;
- pg->physaddr = segs->ds_addr & ~(USB_PAGE_SIZE - 1);
- }
done:
mtx_lock(uptag->mtx);
uptag->dma_error = (error ? 1 : 0);
More information about the svn-src-user
mailing list