There is no check if platform code passes in more endpoints (num_eps) than the maximum number of endpoints (MUSB_C_NUM_EPS). The result is that allocate_instance() happily writes past the end of 'struct musb', corrupting memory. The fix below increases the max to 32 (used on omap3) and also adds a BUG() if the platform code requests more than the max. This memory corruption was triggering various forms of crashes/panics with kmem_cache_alloc() in the backtrace.

Signed-off-by: Kevin Hilman <khilman@xxxxxxxxxxxxxxxxxxx>
---
 drivers/usb/musb/musb_core.c | 1 +
 drivers/usb/musb/musb_core.h | 2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c index c939f81..a132d9f 100644 --- a/drivers/usb/musb/musb_core.c +++ b/drivers/usb/musb/musb_core.c @@ -1806,6 +1806,7 @@ allocate_instance(struct device *dev, musb->ctrl_base = mbase; musb->nIrq = -ENODEV; musb->config = config; + BUG_ON(musb->config->num_eps > MUSB_C_NUM_EPS); for (epnum = 0, ep = musb->endpoints; epnum < musb->config->num_eps; epnum++, ep++) {
diff --git a/drivers/usb/musb/musb_core.h b/drivers/usb/musb/musb_core.h index 8222725..5040ceb 100644 --- a/drivers/usb/musb/musb_core.h +++ b/drivers/usb/musb/musb_core.h @@ -153,7 +153,7 @@ static inline void musb_host_rx(struct musb *m, u8 e) {} /****************************** CONSTANTS ********************************/ #ifndef MUSB_C_NUM_EPS -#define MUSB_C_NUM_EPS ((u8)16) +#define MUSB_C_NUM_EPS ((u8)32) #endif #ifndef MUSB_MAX_END0_PACKET
--
1.6.0
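Review bot: In the musb_core.c hunk, BUG_ON() turns a bad platform configuration into a kernel panic, and it runs after the instance has already been set up (musb->ctrl_base, musb->nIrq and musb->config are assigned on the lines just above it), so a misconfigured board takes the whole system down instead of simply failing to probe. Since allocate_instance() is where the driver decides whether the instance is usable, a check that logs and lets probe fail would be safer, e.g. `if (WARN_ON(config->num_eps > MUSB_C_NUM_EPS)) return NULL;` placed before the allocation (assuming the caller already handles a NULL return from allocate_instance(), which this hunk does not show). This line is also the only guard on the `for (epnum = 0, ep = musb->endpoints; epnum < musb->config->num_eps; ...)` loop that overruns the table, so a one-line comment saying it bounds the endpoints array would help the next reader.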
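Review bot: In the musb_core.h hunk, raising the default from ((u8)16) to ((u8)32) enlarges the endpoint table, and with it struct musb, for every platform that does not override MUSB_C_NUM_EPS, not just omap3, so it costs memory on boards with fewer endpoints; since the macro is already wrapped in `#ifndef MUSB_C_NUM_EPS`, a per-platform define for omap3 would fix the omap3 overrun without growing the struct elsewhere. A platform with more than 32 endpoints would still hit the new BUG_ON rather than a clean failure, so the header should also carry a comment stating that MUSB_C_NUM_EPS is the hard upper bound on config->num_eps.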
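The missing bound check the commit message describes, as an added example that is not part of the patch or of the musb driver: a toy model of a driver instance with a fixed-size endpoint table (the names `struct inst`, `struct ep`, `MAX_EPS`, `allocate_instance_checked` and `overrun_bytes` are assumed for illustration and are not the driver's own), with a constructor that rejects an oversize num_eps and returns NULL instead of writing past the end of the object, plus a helper that computes how many bytes an unchecked fill loop would have written past the allocation.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed names for illustration; this is not the real struct musb. */
#define MAX_EPS 32u                 /* plays the role of MUSB_C_NUM_EPS */

struct ep {
    unsigned epnum;
    unsigned char is_in;
};

struct inst {
    int nirq;
    unsigned num_eps;
    struct ep endpoints[MAX_EPS];   /* fixed-size table at the end of the object */
};

/*
 * Constructor that validates the platform-supplied num_eps before touching
 * the endpoint table.  Returns NULL on a bad count so the caller can fail
 * probe, rather than corrupting the neighbouring heap object.
 */
struct inst *allocate_instance_checked(unsigned num_eps)
{
    if (num_eps == 0 || num_eps > MAX_EPS) {
        fprintf(stderr, "num_eps %u out of range (max %u)\n", num_eps, MAX_EPS);
        return NULL;
    }

    struct inst *m = calloc(1, sizeof(*m));
    if (!m)
        return NULL;

    m->nirq = -1;
    m->num_eps = num_eps;
    for (unsigned i = 0; i < num_eps; i++) {   /* bounded by the check above */
        m->endpoints[i].epnum = i;
        m->endpoints[i].is_in = 0;
    }
    return m;
}

/*
 * How many bytes an unchecked `for (i = 0; i < num_eps; i++) endpoints[i] = ...`
 * loop would write past the end of the object.  Computed arithmetically so the
 * overrun is never actually performed.
 */
size_t overrun_bytes(unsigned num_eps)
{
    if (num_eps <= MAX_EPS)
        return 0;
    return (size_t)(num_eps - MAX_EPS) * sizeof(struct ep);
}

int main(void)
{
    struct inst *ok = allocate_instance_checked(16);
    struct inst *bad = allocate_instance_checked(40);   /* constructed bad platform data */
    printf("16 endpoints: %s\n", ok ? "allocated" : "rejected");
    printf("40 endpoints: %s, unchecked loop would overrun by %zu bytes\n",
           bad ? "allocated" : "rejected", overrun_bytes(40));
    free(ok);
    free(bad);
    return 0;
}
```

The overrun size is what lands in whatever slab object follows the instance, which is why the symptom in the commit message shows up inside the allocator rather than in the driver itself.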