On Wed, Jan 11, 2012 at 9:37 AM, Peter Chen <peter.chen@xxxxxxxxxxxxx> wrote:
> The max_ep is the number of endpoint * 2.
>
> But in dtd_complete_irq, it does again * 2, it will deference wrong memory
> after scanning max_ep - 1.
>
> The another similar problem is at USB_REQ_SET_FEATURE (the pipe number
> should be 0 and max_ep - 1).
>
> Signed-off-by: Peter Chen <peter.chen@xxxxxxxxxxxxx>
Acked-by: Li Yang <leoli@xxxxxxxxxxxxx>
btw: It would be better to also include the sign-off from Matthieu
CASTET in original patch as this patch looks derived from that patch.
> ---
> drivers/usb/gadget/fsl_udc_core.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/fsl_udc_core.c b/drivers/usb/gadget/fsl_udc_core.c
> index dd28ef3..42074de 100644
> --- a/drivers/usb/gadget/fsl_udc_core.c
> +++ b/drivers/usb/gadget/fsl_udc_core.c
> @@ -1430,7 +1430,7 @@ static void setup_received_irq(struct fsl_udc *udc,
> int pipe = get_pipe_by_windex(wIndex);
> struct fsl_ep *ep;
>
> - if (wValue != 0 || wLength != 0 || pipe > udc->max_ep)
> + if (wValue != 0 || wLength != 0 || pipe >= udc->max_ep)
> break;
> ep = get_ep_by_pipe(udc, pipe);
>
> @@ -1673,7 +1673,7 @@ static void dtd_complete_irq(struct fsl_udc *udc)
> if (!bit_pos)
> return;
>
> - for (i = 0; i < udc->max_ep * 2; i++) {
> + for (i = 0; i < udc->max_ep; i++) {
> ep_num = i >> 1;
> direction = i % 2;
>
> --
> 1.7.0.4
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-usb" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
- Leo
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
