On Wed, Oct 7, 2009 at 5:35 PM, Enrico Scholz <enrico.scholz@xxxxxxxxxxxxxxxxx> wrote:
> irq_handle_data() might do out-of-bound access to ep[] array when
> hardware reports wrong interrupt. Although such a situation should not
> happen, the compiler complains about this access.
>

Hi Enrico,

In the outer loop, there is a condition (i < 16) and (i < 24) in the second; I doubt the endpoint number will ever exceed. What exactly is the compiler complaining about?

> This patch adds a sanity check and generates warning to detect such
> issues.
>
> Signed-off-by: Enrico Scholz <enrico.scholz@xxxxxxxxxxxxxxxxx>
> --- > drivers/usb/gadget/pxa27x_udc.c | 19 +++++++++++++------ > 1 files changed, 13 insertions(+), 6 deletions(-) > > diff --git a/drivers/usb/gadget/pxa27x_udc.c b/drivers/usb/gadget/pxa27x_udc.c > index c686d45..e305799 100644 > --- a/drivers/usb/gadget/pxa27x_udc.c > +++ b/drivers/usb/gadget/pxa27x_udc.c > @@ -2220,9 +2220,13 @@ static void irq_handle_data(int irq, struct pxa_udc *udc) > continue; > > udc_writel(udc, UDCISR0, UDCISR_INT(i, UDCISR_INT_MASK)); > - ep = &udc->pxa_ep[i]; > - ep->stats.irqs++; > - handle_ep(ep); > + > + WARN_ON(i >= ARRAY_SIZE(udc->pxa_ep)); > + if (i < ARRAY_SIZE(udc->pxa_ep)) { > + ep = &udc->pxa_ep[i]; > + ep->stats.irqs++; > + handle_ep(ep); > + } > } > > for (i = 16; udcisr1 != 0 && i < 24; udcisr1 >>= 2, i++) { > @@ -2230,9 +2234,12 @@ static void irq_handle_data(int irq, struct pxa_udc *udc) > if (!(udcisr1 & UDCISR_INT_MASK)) > continue; > > - ep = &udc->pxa_ep[i]; > - ep->stats.irqs++; > - handle_ep(ep); > + WARN_ON(i >= ARRAY_SIZE(udc->pxa_ep)); > + if (i < ARRAY_SIZE(udc->pxa_ep)) { > + ep = &udc->pxa_ep[i]; > + ep->stats.irqs++; > + handle_ep(ep); > + } > } > > } > -- > 1.6.2.5
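
Review bot: in the first hunk (@@ -2220,9 +2220,13 @@), the bounds test on i is written twice, once inside WARN_ON() and again in the if that follows it. WARN_ON() evaluates to its condition, so the two can be folded into "if (WARN_ON(i >= ARRAY_SIZE(udc->pxa_ep))) continue;", which also leaves the ep->stats.irqs++ and handle_ep(ep) lines at their original indentation and shrinks the diff. Since this is the interrupt path, WARN_ON_ONCE() would keep a misbehaving controller from producing a backtrace on every interrupt. Keeping the udc_writel() acknowledgement ahead of the check looks right, because an out-of-range bit is then still cleared.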
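
Review bot: in the second hunk (@@ -2230,9 +2234,12 @@), the loop header visible in the context already limits i to 16..23 (i < 24), so whether the added check can ever fire depends on how many entries udc->pxa_ep has, and neither the diff nor the commit message states that. If the array is smaller than 24 entries, say so in the commit message and consider expressing the loop bound with ARRAY_SIZE(udc->pxa_ep) so the constant and the array cannot drift apart; if it is 24 or larger, the check is unreachable here and the commit message should quote the exact compiler warning that motivated it.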