On Wednesday 04 February 2009, Sergei Shtylyov wrote:
> Feeding 32-bit length cast down to 'u16' to min() to calculate the FIFO count
> in musb_host_tx() risks sending a short packet prematurely for transfer sizes
> over 64 KB. And although data transfer size shouldn't exceed 65535 bytes for
> the control endpoint, making musb_h_ep0_continue() more robust WRT URBs with
> possibly oversized buffer will not hurt either...
>
> Signed-off-by: Sergei Shtylyov <sshtylyov@xxxxxxxxxxxxx>
Acked-by: David Brownell <dbrownell@xxxxxxxxxxxxxxxxxxxxx>
OK for 2.6.29-rc ... maybe a bit marginal, unless someone
has specifically observed this. But I hope the merge criteria
aren't that tight yet; this would prevent various intermittent
and poorly-reproducible flakiness.
>
> ---
> Only whitespace changes. The patch is against the recent Linus' kernel...
>
> drivers/usb/musb/musb_host.c | 14 +++++++-------
> 1 files changed, 7 insertions(+), 7 deletions(-)
>
> Index: linux-2.6/drivers/usb/musb/musb_host.c
> ===================================================================
> --- linux-2.6.orig/drivers/usb/musb/musb_host.c
> +++ linux-2.6/drivers/usb/musb/musb_host.c
> @@ -936,8 +936,8 @@ static bool musb_h_ep0_continue(struct m
> switch (musb->ep0_stage) {
> case MUSB_EP0_IN:
> fifo_dest = urb->transfer_buffer + urb->actual_length;
> - fifo_count = min(len, ((u16) (urb->transfer_buffer_length
> - - urb->actual_length)));
> + fifo_count = min_t(size_t, len, urb->transfer_buffer_length -
> + urb->actual_length);
> if (fifo_count < len)
> urb->status = -EOVERFLOW;
>
> @@ -970,10 +970,9 @@ static bool musb_h_ep0_continue(struct m
> }
> /* FALLTHROUGH */
> case MUSB_EP0_OUT:
> - fifo_count = min(qh->maxpacket, ((u16)
> - (urb->transfer_buffer_length
> - - urb->actual_length)));
> -
> + fifo_count = min_t(size_t, qh->maxpacket,
> + urb->transfer_buffer_length -
> + urb->actual_length);
> if (fifo_count) {
> fifo_dest = (u8 *) (urb->transfer_buffer
> + urb->actual_length);
> @@ -1303,7 +1302,8 @@ void musb_host_tx(struct musb *musb, u8
> * packets before updating TXCSR ... other docs disagree ...
> */
> /* PIO: start next packet in this URB */
> - wLength = min(qh->maxpacket, (u16) wLength);
> + if (wLength > qh->maxpacket)
> + wLength = qh->maxpacket;
> musb_write_fifo(hw_ep, wLength, buf);
> qh->segsize = wLength;
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
