From: Sarah Sharp <sarah.a.sharp@xxxxxxxxxxxxxxx>
Greg KH introduced a bug into xhci_trb_virt_to_dma() when he changed the type of offset to dma_addr_t from unsigned int and dropped the casts to unsigned int around the virtual address pointer subtraction. trb and seg->trbs are both valid pointers to virtual addresses, so the compiler will mod the subtraction by the size of union trb (16 bytes). segment_offset is an unsigned long, which is guaranteed to be at least as big as a void *. Drop the void * casts in the first if statement because trb and seg->trbs are both pointers of the same type (pointers to union trb).
Signed-off-by: Sarah Sharp <sarah.a.sharp@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
 drivers/usb/host/xhci-ring.c | 13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index d42a738..02d8198 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -74,16 +74,15 @@
 dma_addr_t xhci_trb_virt_to_dma(struct xhci_segment *seg, union xhci_trb *trb)
 {
- dma_addr_t offset;
+ unsigned long segment_offset;
- if (!seg || !trb || (void *) trb < (void *) seg->trbs)
+ if (!seg || !trb || trb < seg->trbs)
 return 0;
- /* offset in bytes, since these are byte-addressable */
- offset = trb - seg->trbs;
- /* SEGMENT_SIZE in bytes, trbs are 16-byte aligned */
- if (offset > SEGMENT_SIZE || (offset % sizeof(*trb)) != 0)
+ /* offset in TRBs */
+ segment_offset = trb - seg->trbs;
+ if (segment_offset > TRBS_PER_SEGMENT)
 return 0;
- return seg->dma + offset;
+ return seg->dma + (segment_offset * sizeof(*trb));
 }
 /* Does this link TRB point to the first segment in a ring,
--
1.6.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
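Review bot: The rewritten bound `if (segment_offset > TRBS_PER_SEGMENT)` still lets `segment_offset == TRBS_PER_SEGMENT` through, so a `trb` pointer one element past the end of `seg->trbs` is translated into a DMA address instead of returning 0. Assuming a segment holds exactly `TRBS_PER_SEGMENT` TRBs (the definition is not in this hunk), valid offsets are 0 through `TRBS_PER_SEGMENT - 1`, and the check should be `if (segment_offset >= TRBS_PER_SEGMENT)`. The removed code had the same slack with `offset > SEGMENT_SIZE`, so this is carried over rather than introduced, but the result is an address outside the segment's DMA region that callers may hand to the host controller; the callers are not visible here. A short comment above the check, e.g. `/* valid TRB indexes are 0..TRBS_PER_SEGMENT-1 */`, would make the intended range explicit.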