From patchwork Thu Feb 4 15:47:07 2021
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 376289
From: Arnd Bergmann
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Mark Chen
Cc: Arnd Bergmann, Kiran K, Alain Michaud, Chethan T N, Abhishek Pandit-Subedi, Sathish Narasimman, Rocky Liao, Ismael Ferreras Morezuelas, Hilda Wu, Trent Piepho, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Bluetooth: btusb: fix excessive stack usage
Date: Thu, 4 Feb 2021 16:47:07 +0100
Message-Id: <20210204154716.1823454-1-arnd@kernel.org>
X-Mailer: git-send-email 2.29.2
MIME-Version: 1.0
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org

From: Arnd Bergmann

Enlarging the size of 'struct btmtk_hci_wmt_cmd' makes it no longer
fit on the kernel stack, as seen from this compiler warning:

drivers/bluetooth/btusb.c:3365:12: error: stack frame size of 1036 bytes in function 'btusb_mtk_hci_wmt_sync' [-Werror,-Wframe-larger-than=]

Change the function to dynamically allocate the buffer instead.
As there are other sleeping functions called from the same location,
using GFP_KERNEL should be fine here, and the runtime overhead should
not matter as this is rarely called.

Unfortunately, I could not figure out why the message size is
increased in the previous patch. Using dynamic allocation means
any size is possible now, but there is still a range check that
limits the total size (including the five-byte header) to 255
bytes, so whatever was intended there is now undone.

Fixes: 48c13301e6ba ("Bluetooth: btusb: Fine-tune mt7663 mechanism.")
Signed-off-by: Arnd Bergmann
---
 drivers/bluetooth/btusb.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

--
2.29.2

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index eeafb8432c0f..838e6682301e 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -3161,7 +3161,7 @@ struct btmtk_wmt_hdr { struct btmtk_hci_wmt_cmd { struct btmtk_wmt_hdr hdr; - u8 data[1000]; + u8 data[]; } __packed; struct btmtk_hci_wmt_evt { 
@@ -3369,7 +3369,7 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev, struct btmtk_hci_wmt_evt_funcc *wmt_evt_funcc; u32 hlen, status = BTMTK_WMT_INVALID; struct btmtk_hci_wmt_evt *wmt_evt; - struct btmtk_hci_wmt_cmd wc; + struct btmtk_hci_wmt_cmd *wc; struct btmtk_wmt_hdr *hdr; int err; @@ -3383,20 +3383,24 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev, if (hlen > 255) return -EINVAL; - hdr = (struct btmtk_wmt_hdr *)&wc; + wc = kzalloc(hlen, GFP_KERNEL); + if (!wc) + return -ENOMEM; + + hdr = &wc->hdr; hdr->dir = 1; hdr->op = wmt_params->op; hdr->dlen = cpu_to_le16(wmt_params->dlen + 1); hdr->flag = wmt_params->flag; - memcpy(wc.data, wmt_params->data, wmt_params->dlen); + memcpy(wc->data, wmt_params->data, wmt_params->dlen); set_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags); - err = __hci_cmd_send(hdev, 0xfc6f, hlen, &wc); + err = __hci_cmd_send(hdev, 0xfc6f, hlen, wc); if (err < 0) { clear_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags); - return err; + goto err_free_wc; } /* The vendor specific WMT commands are all answered by a vendor @@ -3413,13 +3417,14 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev, if (err == -EINTR) { bt_dev_err(hdev, "Execution of wmt command interrupted"); clear_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags); - return err; + goto err_free_wc; } if (err) { bt_dev_err(hdev, "Execution of wmt command timed out"); clear_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags); - return -ETIMEDOUT; + err = -ETIMEDOUT; + goto err_free_wc; } /* Parse and handle the return WMT event */ @@ -3463,7 +3468,8 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev, err_free_skb: kfree_skb(data->evt_skb); data->evt_skb = NULL; - +err_free_wc: + kfree(wc); return err; }
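
Review bot: in the @@ -3161 hunk, the flexible data[] member of struct btmtk_hci_wmt_cmd no longer states any payload bound, so a one-line comment on the member pointing at the "hlen > 255" check in btusb_mtk_hci_wmt_sync() would keep the limit discoverable from the type. sizeof(struct btmtk_hci_wmt_cmd) also shrinks to the header size with this change, so any other sizeof use on this struct in the file deserves a look before merging.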
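
Review bot: in the @@ -3369 hunk, wc is declared without an initialiser while the new err_free_wc label calls kfree(wc). Every goto visible in this patch comes after the kzalloc(), so it is correct as posted, but declaring it as "struct btmtk_hci_wmt_cmd *wc = NULL;" would keep a goto added later above the allocation from freeing an uninitialised pointer.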
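
Review bot: in the @@ -3383 hunk, the memcpy() into wc->data writes wmt_params->dlen bytes behind the header of a buffer that is exactly hlen bytes, so it stays in bounds only if hlen equals sizeof(*hdr) + wmt_params->dlen, and that assignment sits above the lines shown here. The old 1000-byte array left slack behind the 255-byte limit; the heap buffer leaves none. Please confirm the hlen computation, or size the allocation with struct_size(wc, data, wmt_params->dlen) so the allocation and the copy are tied to the same length.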
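
Review bot: in the @@ -3463 hunk, err_free_wc sits directly after err_free_skb so that path falls through and frees both, which works, but the code between "Parse and handle the return WMT event" and err_free_skb is not part of this patch, and any plain return left in it now leaks wc. Worth confirming that every exit after the kzalloc() reaches one of the two labels.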