Let's keep linux-usb on the loop for musb related patches ;-)

On Wed, Sep 10, 2008 at 08:53:56AM +0300, ext Kevin Hilman wrote:
> There is no check if platform code passes in more endpoints (num_eps)
> than the maximum number of endpoints (MUSB_C_NUM_EPS.) The result is
> that allocate_instance() happily writes past the end of 'struct musb'
> corrupting memory.
>
> The fix below increases the max to 32 (used on omap3) and also adds a
> BUG() if the platform code requests more than the max.
>
> This memory corruption was triggering various forms of crashes/panics
> with kmem_cache_alloc() in the backtrace.
>
> Signed-off-by: Kevin Hilman <khilman@xxxxxxxxxxxxxxxxxxx>

Looks ok, I'll put to my series.

> --- > drivers/usb/musb/musb_core.c | 1 + > drivers/usb/musb/musb_core.h | 2 +- > 2 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c > index c939f81..a132d9f 100644 > --- a/drivers/usb/musb/musb_core.c > +++ b/drivers/usb/musb/musb_core.c > @@ -1806,6 +1806,7 @@ allocate_instance(struct device *dev, > musb->ctrl_base = mbase; > musb->nIrq = -ENODEV; > musb->config = config; > + BUG_ON(musb->config->num_eps > MUSB_C_NUM_EPS); It's good to have this check here. > for (epnum = 0, ep = musb->endpoints; > epnum < musb->config->num_eps; > epnum++, ep++) { > diff --git a/drivers/usb/musb/musb_core.h b/drivers/usb/musb/musb_core.h > index 8222725..5040ceb 100644 > --- a/drivers/usb/musb/musb_core.h > +++ b/drivers/usb/musb/musb_core.h > @@ -153,7 +153,7 @@ static inline void musb_host_rx(struct musb *m, u8 e) {} > /****************************** CONSTANTS ********************************/ > > #ifndef MUSB_C_NUM_EPS > -#define MUSB_C_NUM_EPS ((u8)16) > +#define MUSB_C_NUM_EPS ((u8)32) 16 is the right number.

--
balbi
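
Review bot: In the musb_core.c hunk, BUG_ON(musb->config->num_eps > MUSB_C_NUM_EPS) takes the whole kernel down for what is a platform configuration error. The placement is right, after musb->config is set and before the loop that walks musb->endpoints up to num_eps, so the out-of-bounds write described in the commit message can no longer happen. Consider logging the offending num_eps and failing allocate_instance() instead, so a misconfigured board fails probe rather than panicking, and add a short comment that the bound protects the endpoints storage inside 'struct musb'.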
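
Review bot: In the musb_core.h hunk, raising MUSB_C_NUM_EPS from ((u8)16) to ((u8)32) is justified only by "used on omap3" in the commit message, and it changes the limit for every platform that does not predefine the macro (the define sits under #ifndef MUSB_C_NUM_EPS). The bounds check in the other hunk closes the memory corruption whatever value the constant has, so this change would be better split into its own patch with a reference for the endpoint count, or dropped if 16 is what the controller supports.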