Greg KH wrote: > > The problem is in the rtl8187 driver. > > They are calling usb_control_msg and passing a pointer to a buffer on > the stack. See drivers/net/wireless/rtl818x/rtl8187.h for where the > problem happens in numerous places. > > Also it looks like rtl8225_write_8051() is incorrect. You are passing a > pointer to a variable that was passed as an argument. I don't know > where that is supposed to be on, somewhere on the stack I guess. > > Larry, care to fix this up? Yes, I'll try to fix it. I'm currently traveling and have intermittent Internet access. I think there is a second problem that John's fix does not treat. Although the buffer is removed from the stack, there is no assurance that the buffer obtained with kmalloc() is reachable by DMA. This case will be triggered if the USB adapter does 32-bit DMA and the system has more than 4 GB RAM. Please let me know if my analysis is wrong. If so, then John's patch will be fine, although the error handling should be improved. The severity should be that of a warning rather than a bug. If I'm correct, my fix would be to allocate a DMA-reachable buffer in the initialization and keep a pointer to it in the private area. I just saw John's version 2 that looks more like what I was thinking about. I will be testing soon. Thanks, Larry -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html