Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b579dec5 authored by Elson Roy Serrao's avatar Elson Roy Serrao
Browse files

usb: dwc3: Add boundary check while traversing the TRB ring buffer 



During the dequeue operation of an usb request we traverse through the
TRBs and reset the HWO bit. Without a boundary check we might iterate
past the TRB ring which results in a page fault. Fix this by adding a
link TRB boundary check while traversing the ring buffer.

Change-Id: I7ae63ed7cc829a8105f2e81b12216af910aa253a
Signed-off-by: default avatarElson Roy Serrao <eserrao@codeaurora.org>
parent 11fb2012

drivers/usb/dwc3/gadget.c

+7 −4
Original line number Diff line number Diff line
@@ -1686,17 +1686,18 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep, 
				goto out0;



			if (r->num_pending_sgs) {

				struct dwc3_trb *trb;

				struct dwc3_trb *trb = r->trb;

				int i = 0;



				for (i = 0; i < r->num_pending_sgs; i++) {

					trb = r->trb + i;

					trb->ctrl &= ~DWC3_TRB_CTRL_HWO;

					dwc3_ep_inc_deq(dep);

					trb++;

					if (trb->ctrl & DWC3_TRBCTL_LINK_TRB)

						trb = dep->trb_pool;

				}



				if (r->unaligned || r->zero) {

					trb = r->trb + r->num_pending_sgs + 1;

					trb->ctrl &= ~DWC3_TRB_CTRL_HWO;

					dwc3_ep_inc_deq(dep);

				}
@@ -1707,7 +1708,9 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep, 
				dwc3_ep_inc_deq(dep);



				if (r->unaligned || r->zero) {

					trb = r->trb + 1;

					trb++;

					if (trb->ctrl & DWC3_TRBCTL_LINK_TRB)

						trb = dep->trb_pool;

					trb->ctrl &= ~DWC3_TRB_CTRL_HWO;

					dwc3_ep_inc_deq(dep);

				}