RE: [PATCH] Fix endpoint overflow in fsl_udc_core

>Subject: [PATCH] Fix endpoint overflow in fsl_udc_core
>
>While reusing the driver fsl_udc_core on a chipidea core with 16 endpoints,
>we encounter a crash.
>
>The max_ep is the number of endpoint * 2 (32 in our case).
>
>But in dtd_complete_irq, we do * 2 again, so we end up scanning for 32
>endpoints and dereference wrong memory.
>
>The same problem seems to happen in USB_REQ_SET_FEATURE (the pipe number
>should be 0 and max_ep/2 - 1)
>
>Signed-off-by: Matthieu CASTET <matthieu.castet@xxxxxxxxxx>
>---
> drivers/usb/gadget/fsl_udc_core.c |    4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/usb/gadget/fsl_udc_core.c
>b/drivers/usb/gadget/fsl_udc_core.c
>index b3b3d83..9c17b784 100644
>--- a/drivers/usb/gadget/fsl_udc_core.c
>+++ b/drivers/usb/gadget/fsl_udc_core.c
>@@ -1434,7 +1434,7 @@ static void setup_received_irq(struct fsl_udc *udc,
> 			int pipe = get_pipe_by_windex(wIndex);
> 			struct fsl_ep *ep;
>
>-			if (wValue != 0 || wLength != 0 || pipe > udc->max_ep)
>+			if (wValue != 0 || wLength != 0 || pipe >= udc->max_ep /
>2)
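
Review bot: the new bound "pipe >= udc->max_ep / 2" in the SET_FEATURE check treats pipe as an endpoint number, but pipe comes from get_pipe_by_windex(wIndex) and the commit message gives max_ep as the number of endpoints * 2. If pipe counts both directions of each endpoint, its valid range is 0 to max_ep - 1, and dividing by 2 would reject the upper half of the valid endpoints; the defect in the old line is then only the ">" that lets pipe == max_ep through, which "pipe >= udc->max_ep" closes. pipe is also a signed int with no lower-bound test, so please confirm that get_pipe_by_windex cannot return a negative value. The diffstat lists 2 insertions and 2 deletions and the message mentions dtd_complete_irq, but only this hunk is visible in the quote.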

Thanks for the patch. But the pipe here is the ep number * 2 + direction, so I think it should be changed to:

pipe >= udc->max_ep

- Leo
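
The three bounds checks discussed in this thread, compared side by side in an added example (not code from the patch or from the driver). It assumes the pipe mapping described in the reply and an endpoint array of max_ep entries; pipe_from_windex, rejects and sweep are hypothetical names, and the 8-endpoint controller in main() is constructed.

```c
#include <stdio.h>

/* Assumed mapping, per the reply: pipe = ep number * 2 + direction. */
#define EP_NUM_MASK 0x0f /* endpoint number bits of wIndex (USB 2.0 ch. 9) */
#define DIR_IN      0x80 /* direction bit of wIndex */

static int pipe_from_windex(unsigned windex)
{
    return (int)(windex & EP_NUM_MASK) * 2 + ((windex & DIR_IN) ? 1 : 0);
}

enum check { CHECK_ORIGINAL, CHECK_PATCH, CHECK_REPLY };

/* Returns nonzero when the SET_FEATURE request would be rejected. */
static int rejects(enum check c, int pipe, int max_ep)
{
    switch (c) {
    case CHECK_ORIGINAL: return pipe > max_ep;      /* line removed by the patch */
    case CHECK_PATCH:    return pipe >= max_ep / 2; /* line added by the patch */
    default:             return pipe >= max_ep;     /* bound suggested in the reply */
    }
}

struct tally { int oob_accepted; int valid_rejected; };

/* Try every endpoint address a host could place in wIndex. */
static struct tally sweep(enum check c, int max_ep)
{
    struct tally t = {0, 0};
    for (unsigned ep = 0; ep <= EP_NUM_MASK; ep++) {
        for (unsigned dir = 0; dir <= DIR_IN; dir += DIR_IN) {
            int pipe = pipe_from_windex(ep | dir);
            int in_bounds = pipe < max_ep; /* assumed: array has max_ep slots */
            int rej = rejects(c, pipe, max_ep);
            if (!rej && !in_bounds) t.oob_accepted++;
            if (rej && in_bounds) t.valid_rejected++;
        }
    }
    return t;
}

int main(void)
{
    static const char *name[] = {"original", "patch", "reply"};
    int max_ep = 16; /* constructed: a controller with 8 endpoints */
    for (int c = CHECK_ORIGINAL; c <= CHECK_REPLY; c++) {
        struct tally t = sweep((enum check)c, max_ep);
        printf("%-8s oob=%d rejected=%d\n", name[c], t.oob_accepted, t.valid_rejected);
    }
    return 0;
}
```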
