Hi, I was looking at the bug https://bugzilla.kernel.org/show_bug.cgi?id=112171 which says Feb 08 22:58:56 x kernel: UBSAN: Undefined behaviour in drivers/usb/host/ehci-hub.c:873:47 Feb 08 22:58:56 x kernel: index -1 is out of range for type 'u32 [1]' I'm suspective the ehci-tegra function ehci-tegra.c:291 calling with wIndex as 0 . I'm not sure if that is even possible .So i ask in this list ? Can someone give pointers ? In the below function we are supposed to assume that wIndex is > 0 and less than or equal to 0xff. If you look at ehci_hub_control function there are only 3 callers two in ehci-hub.c and ehci-tegra.c Look at the while(port--) lop in ehci-hub.c i assume that port cannot be 0xff since we do HCS_N_PORTS which can be maximum 0xf and it cannot call wIndex with value 0 since in that case port would be 0 and the while wouldn't enter. ehci-hub.c:96: ehci_hub_control(hcd, SetPortFeature, ehci-hub.c-97- USB_PORT_FEAT_RESET, port + 1, ehci-hub.c-98- NULL, 0); -- ehci-hub.c:114: ehci_hub_control(hcd, GetPortStatus, ehci-hub.c-115- 0, port + 1, ehci-hub.c-116- (char *) &buf, sizeof(buf)); -- ehci-hub.c:865:int ehci_hub_control( ehci-hub.c-866- struct usb_hcd *hcd, ehci-hub.c-867- u16 typeReq, -- ehci-tegra.c:184:static int tegra_ehci_hub_control( ehci-tegra.c-185- struct usb_hcd *hcd, ehci-tegra.c-186- u16 typeReq, -- ehci-tegra.c:291: return ehci_hub_control(hcd, typeReq, wValue, wIndex, buf, wLength); ehci-tegra.c-292- ehci-tegra.c-293-done: Regards, Navin -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
