From zaitcev@redhat.com  Tue Jun 23 14:52:05 2009
From: Pete Zaitcev <zaitcev@redhat.com>
Date: Wed, 10 Jun 2009 14:44:14 -0600
Subject: Staging: rspiusb: use NULL virtual address instead of a bogus one
To: <gregkh@suse.de>
Cc: <julia@diku.dk>, zaitcev@redhat.com, linux-usb@vger.kernel.org
Message-ID: <20090610144414.a20d4313.zaitcev@redhat.com>


The main problem here is that I just cannot see how this could ever
be correct:

	usb_fill_bulk_urb(pdx->PixelUrb[frameInfo][i], pdx->udev, epAddr,
		(dma_addr_t *) sg_dma_address(&pdx->sgl[frameInfo][i]),
 		sg_dma_len(&pdx->sgl[frameInfo][i]),

You cannot take a DMA address, cast it to a _pointer to_ a DMA address,
and then regard it as a virtual address of the transfer buffer.
However, finding the right virtual address was too hard for me,
so I just stubbed it with NULL. At least usbmon won't oops then
(it will not show any data but it's better than crashing).

Also, too big a buffer was allocated elsewhere.

And since we're at it, drop clearly unnecessary usb_buffer_alloc too,
leaving it where it may be useful.

Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/staging/rspiusb/rspiusb.c |   14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

--- a/drivers/staging/rspiusb/rspiusb.c
+++ b/drivers/staging/rspiusb/rspiusb.c
@@ -444,8 +444,7 @@ static void piusb_write_bulk_callback(st
 			__func__, status);
 
 	pdx->pendingWrite = 0;
-	usb_buffer_free(urb->dev, urb->transfer_buffer_length,
-			urb->transfer_buffer, urb->transfer_dma);
+	kfree(urb->transfer_buffer);
 }
 
 int piusb_output(struct ioctl_struct *io, unsigned char *uBuf, int len,
@@ -457,9 +456,7 @@ int piusb_output(struct ioctl_struct *io
 
 	urb = usb_alloc_urb(0, GFP_KERNEL);
 	if (urb != NULL) {
-		kbuf =
-		    usb_buffer_alloc(pdx->udev, len, GFP_KERNEL,
-				     &urb->transfer_dma);
+		kbuf = kmalloc(len, GFP_KERNEL);
 		if (!kbuf) {
 			dev_err(&pdx->udev->dev, "buffer_alloc failed\n");
 			return -ENOMEM;
@@ -470,7 +467,6 @@ int piusb_output(struct ioctl_struct *io
 		}
 		usb_fill_bulk_urb(urb, pdx->udev, pdx->hEP[io->endpoint], kbuf,
 				  len, piusb_write_bulk_callback, pdx);
-		urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
 		err = usb_submit_urb(urb, GFP_KERNEL);
 		if (err) {
 			dev_err(&pdx->udev->dev,
@@ -641,7 +637,7 @@ static int MapUserBuffer(struct ioctl_st
 	numPagesRequired =
 	    ((uaddr & ~PAGE_MASK) + count + ~PAGE_MASK) >> PAGE_SHIFT;
 	dbg("Number of pages needed = %d", numPagesRequired);
-	maplist_p = vmalloc(numPagesRequired * sizeof(struct page));
+	maplist_p = vmalloc(numPagesRequired * sizeof(struct page *));
 	if (!maplist_p) {
 		dbg("Can't Allocate Memory for maplist_p");
 		return -ENOMEM;
@@ -712,9 +708,7 @@ static int MapUserBuffer(struct ioctl_st
 		usb_fill_bulk_urb(pdx->PixelUrb[frameInfo][i],
 				  pdx->udev,
 				  epAddr,
-				  (dma_addr_t *) sg_dma_address(&pdx->
-								sgl[frameInfo]
-								[i]),
+				  NULL, // non-DMA HC? buy a better hardware
 				  sg_dma_len(&pdx->sgl[frameInfo][i]),
 				  piusb_readPIXEL_callback, (void *)pdx);
 		pdx->PixelUrb[frameInfo][i]->transfer_dma =