USB: usb gadgets avoid le{16,32}_to_cpup()
authorDavid Brownell <david-b@pacbell.net>
Sat, 26 May 2007 03:40:14 +0000 (20:40 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 8 Jun 2007 23:24:30 +0000 (16:24 -0700)
It turns out that le16_to_cpup() and le32_to_cpup() aren't always safe
to call with pointers into packed structures, since those are inlined
functions and GCC may lose the "packed" attribute.  So those references
can become unaligned kernel accesses, which are evil on some hardware.

This patch updates uses of those routines in the gadget stack.  The
references into packed structures can just use leXX_to_cpu(*x), which
in most cases is more natural.  Some other uses in RNDIS, mostly in
debug code, were wrong in the first place; those use get_unaligned().

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/usb/gadget/epautoconf.c
drivers/usb/gadget/inode.c
drivers/usb/gadget/net2280.c
drivers/usb/gadget/omap_udc.c
drivers/usb/gadget/rndis.c

index f28af06905a5caaee0245e5a85f78176ca015b0d..6042364402b8fb0b4fe1551fe8b5c57b8ae190c5 100644 (file)
@@ -132,7 +132,7 @@ ep_matches (
         * where it's an output parameter representing the full speed limit.
         * the usb spec fixes high speed bulk maxpacket at 512 bytes.
         */
-       max = 0x7ff & le16_to_cpup (&desc->wMaxPacketSize);
+       max = 0x7ff & le16_to_cpu(desc->wMaxPacketSize);
        switch (type) {
        case USB_ENDPOINT_XFER_INT:
                /* INT:  limit 64 bytes full speed, 1024 high speed */
index 188c74a95216860cb1740243211b94ef013cbddd..46d0e52527447aea5d9f63073d964317dd0bd0a9 100644 (file)
@@ -1369,12 +1369,12 @@ config_buf (struct dev_data *dev, u8 type, unsigned index)
                hs = !hs;
        if (hs) {
                dev->req->buf = dev->hs_config;
-               len = le16_to_cpup (&dev->hs_config->wTotalLength);
+               len = le16_to_cpu(dev->hs_config->wTotalLength);
        } else
 #endif
        {
                dev->req->buf = dev->config;
-               len = le16_to_cpup (&dev->config->wTotalLength);
+               len = le16_to_cpu(dev->config->wTotalLength);
        }
        ((u8 *)dev->req->buf) [1] = type;
        return len;
@@ -1885,7 +1885,7 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 
        /* full or low speed config */
        dev->config = (void *) kbuf;
-       total = le16_to_cpup (&dev->config->wTotalLength);
+       total = le16_to_cpu(dev->config->wTotalLength);
        if (!is_valid_config (dev->config) || total >= length)
                goto fail;
        kbuf += total;
@@ -1894,7 +1894,7 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
        /* optional high speed config */
        if (kbuf [1] == USB_DT_CONFIG) {
                dev->hs_config = (void *) kbuf;
-               total = le16_to_cpup (&dev->hs_config->wTotalLength);
+               total = le16_to_cpu(dev->hs_config->wTotalLength);
                if (!is_valid_config (dev->hs_config) || total >= length)
                        goto fail;
                kbuf += total;
index 52779c52b56d97231aecfc5703e062ff68c8c64e..d975ecf18e00537bb6a67895f04f4a5bd00b6ee5 100644 (file)
@@ -2440,9 +2440,9 @@ static void handle_stat0_irqs (struct net2280 *dev, u32 stat)
 
                tmp = 0;
 
-#define        w_value         le16_to_cpup (&u.r.wValue)
-#define        w_index         le16_to_cpup (&u.r.wIndex)
-#define        w_length        le16_to_cpup (&u.r.wLength)
+#define        w_value         le16_to_cpu(u.r.wValue)
+#define        w_index         le16_to_cpu(u.r.wIndex)
+#define        w_length        le16_to_cpu(u.r.wLength)
 
                /* ack the irq */
                writel (1 << SETUP_PACKET_INTERRUPT, &dev->regs->irqstat0);
index b394e63894d2e21c50ba15265fd7433838c1c91d..c4975a6cf7774cc32fcd0ff3500462694b2c0f7b 100644 (file)
@@ -1651,9 +1651,9 @@ static void ep0_irq(struct omap_udc *udc, u16 irq_src)
                        UDC_EP_NUM_REG = 0;
                } while (UDC_IRQ_SRC_REG & UDC_SETUP);
 
-#define        w_value         le16_to_cpup (&u.r.wValue)
-#define        w_index         le16_to_cpup (&u.r.wIndex)
-#define        w_length        le16_to_cpup (&u.r.wLength)
+#define        w_value         le16_to_cpu(u.r.wValue)
+#define        w_index         le16_to_cpu(u.r.wIndex)
+#define        w_length        le16_to_cpu(u.r.wLength)
 
                /* Delegate almost all control requests to the gadget driver,
                 * except for a handful of ch9 status/feature requests that
index 6ec8cf1a3ccb1cd14d39667231da28b36abdecdf..708657c89132068f2bfdbb8cc7f3552cbc182cbe 100644 (file)
@@ -186,10 +186,14 @@ gen_ndis_query_resp (int configNr, u32 OID, u8 *buf, unsigned buf_len,
                DEBUG("query OID %08x value, len %d:\n", OID, buf_len);
                for (i = 0; i < buf_len; i += 16) {
                        DEBUG ("%03d: %08x %08x %08x %08x\n", i,
-                               le32_to_cpup((__le32 *)&buf[i]),
-                               le32_to_cpup((__le32 *)&buf[i + 4]),
-                               le32_to_cpup((__le32 *)&buf[i + 8]),
-                               le32_to_cpup((__le32 *)&buf[i + 12]));
+                               le32_to_cpu(get_unaligned((__le32 *)
+                                       &buf[i])),
+                               le32_to_cpu(get_unaligned((__le32 *)
+                                       &buf[i + 4])),
+                               le32_to_cpu(get_unaligned((__le32 *)
+                                       &buf[i + 8])),
+                               le32_to_cpu(get_unaligned((__le32 *)
+                                       &buf[i + 12])));
                }
        }
 
@@ -665,7 +669,7 @@ gen_ndis_query_resp (int configNr, u32 OID, u8 *buf, unsigned buf_len,
                break;
        case OID_PNP_QUERY_POWER:
                DEBUG("%s: OID_PNP_QUERY_POWER D%d\n", __FUNCTION__,
-                               le32_to_cpup((__le32 *) buf) - 1);
+                               le32_to_cpu(get_unaligned((__le32 *)buf)) - 1);
                /* only suspend is a real power state, and
                 * it can't be entered by OID_PNP_SET_POWER...
                 */
@@ -704,10 +708,14 @@ static int gen_ndis_set_resp (u8 configNr, u32 OID, u8 *buf, u32 buf_len,
                DEBUG("set OID %08x value, len %d:\n", OID, buf_len);
                for (i = 0; i < buf_len; i += 16) {
                        DEBUG ("%03d: %08x %08x %08x %08x\n", i,
-                               le32_to_cpup((__le32 *)&buf[i]),
-                               le32_to_cpup((__le32 *)&buf[i + 4]),
-                               le32_to_cpup((__le32 *)&buf[i + 8]),
-                               le32_to_cpup((__le32 *)&buf[i + 12]));
+                               le32_to_cpu(get_unaligned((__le32 *)
+                                       &buf[i])),
+                               le32_to_cpu(get_unaligned((__le32 *)
+                                       &buf[i + 4])),
+                               le32_to_cpu(get_unaligned((__le32 *)
+                                       &buf[i + 8])),
+                               le32_to_cpu(get_unaligned((__le32 *)
+                                       &buf[i + 12])));
                }
        }
 
@@ -721,7 +729,8 @@ static int gen_ndis_set_resp (u8 configNr, u32 OID, u8 *buf, u32 buf_len,
                 *      PROMISCUOUS, DIRECTED,
                 *      MULTICAST, ALL_MULTICAST, BROADCAST
                 */
-               *params->filter = (u16) le32_to_cpup((__le32 *)buf);
+               *params->filter = (u16) le32_to_cpu(get_unaligned(
+                               (__le32 *)buf));
                DEBUG("%s: OID_GEN_CURRENT_PACKET_FILTER %08x\n",
                        __FUNCTION__, *params->filter);
 
@@ -771,7 +780,7 @@ update_linkstate:
                 * resuming, Windows forces a reset, and then SET_POWER D0.
                 * FIXME ... then things go batty; Windows wedges itself.
                 */
-               i = le32_to_cpup((__force __le32 *)buf);
+               i = le32_to_cpu(get_unaligned((__le32 *)buf));
                DEBUG("%s: OID_PNP_SET_POWER D%d\n", __FUNCTION__, i - 1);
                switch (i) {
                case NdisDeviceStateD0:
@@ -1058,8 +1067,8 @@ int rndis_msg_parser (u8 configNr, u8 *buf)
                return -ENOMEM;
 
        tmp = (__le32 *) buf;
-       MsgType   = le32_to_cpup(tmp++);
-       MsgLength = le32_to_cpup(tmp++);
+       MsgType   = le32_to_cpu(get_unaligned(tmp++));
+       MsgLength = le32_to_cpu(get_unaligned(tmp++));
 
        if (configNr >= RNDIS_MAX_CONFIGS)
                return -ENOTSUPP;