While reusing the driver fsl_udc_core on a chipidea core with 16 endpoints, we encounter a crash.

The max_ep is the number of endpoints * 2 (32 in our case). But in dtd_complete_irq, we do * 2 again, so we end up scanning for 32 endpoints and dereference wrong memory.

The same problem seems to happen in USB_REQ_SET_FEATURE (the pipe number should be 0 and max_ep/2 - 1)

Signed-off-by: Matthieu CASTET <matthieu.castet@xxxxxxxxxx>
--- drivers/usb/gadget/fsl_udc_core.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/fsl_udc_core.c b/drivers/usb/gadget/fsl_udc_core.c index b3b3d83..9c17b784 100644 --- a/drivers/usb/gadget/fsl_udc_core.c +++ b/drivers/usb/gadget/fsl_udc_core.c @@ -1434,7 +1434,7 @@ static void setup_received_irq(struct fsl_udc *udc, int pipe = get_pipe_by_windex(wIndex); struct fsl_ep *ep; - if (wValue != 0 || wLength != 0 || pipe > udc->max_ep) + if (wValue != 0 || wLength != 0 || pipe >= udc->max_ep / 2) break; ep = get_ep_by_pipe(udc, pipe); @@ -1677,7 +1677,7 @@ static void dtd_complete_irq(struct fsl_udc *udc) if (!bit_pos) return; - for (i = 0; i < udc->max_ep * 2; i++) { + for (i = 0; i < udc->max_ep; i++) { ep_num = i >> 1; direction = i % 2; -- 1.7.7.3
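
Review bot: the new bound "pipe >= udc->max_ep / 2" in setup_received_irq may be too tight, because it treats pipe as an endpoint number while the second hunk treats an index below max_ep as endpoint number times two plus direction ("ep_num = i >> 1", "direction = i % 2"). If get_pipe_by_windex() returns that same encoding, which get_ep_by_pipe() taking it as input suggests, the limit should be "pipe >= udc->max_ep", and dividing by two would make the request break out early for the upper half of the valid pipes. Please confirm which unit get_pipe_by_windex() returns and state it in the commit message. Since pipe is a signed int and only an upper bound is checked, a "pipe < 0" test is also worth adding if that helper can return a negative value, because wIndex comes from the host-supplied setup packet and the result selects the fsl_ep that is used next.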
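
Review bot: the unit of max_ep is not documented at the loop in dtd_complete_irq, and that missing statement is what let the extra "* 2" in. A one-line comment at "for (i = 0; i < udc->max_ep; i++)" or on the max_ep field, saying that it counts endpoints times two (one entry per direction), would keep the next reader from reintroducing the doubling. The commit message says the problem only "seems" to affect one other place, so it would help to list which other users of max_ep were checked for the same assumption, since any remaining one indexes past the endpoint array in the same way.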