This patch modifies the buffer tbuf in the rh_call_control() function to allow for larger USB descriptors to be passed. rh_call_control() contains a buffer, tbuf, which it uses to hold USB descriptors. These discriptors are eventually copied into the transfer_buffer in the URB. The buffer in the URB is dynamically defined and is always large enough to hold the amount of data it requests. tbuf, however, is statically allocated on the stack with a size of 15 bytes, regardless of the size specified in the URB. When this buffer is passed to the hcd via the hub_control() call, it is advertized as being as large as the URB buffer ( via wLength ). when the hcd attempts to write a descriptor containing more than 15 bytes ( such as the Standard BOS Descriptor for hubs, defined in the USB3.0 Spec, section 10.13.1 ) causes tbuf to overflow onto the stack. Signed-off-by: Sean O. Stalley <sean.stalley@xxxxxxxxx> --- drivers/usb/core/hcd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c index 014dc99..90ef154 100644 --- a/drivers/usb/core/hcd.c +++ b/drivers/usb/core/hcd.c @@ -465,10 +465,10 @@ static int rh_call_control (struct usb_hcd *hcd, struct urb *urb) u16 typeReq, wValue, wIndex, wLength; u8 *ubuf = urb->transfer_buffer; /* - * tbuf should be as big as the BOS descriptor and - * the USB hub descriptor. + * tbuf should be large enough to hold the largest + * of control requests */ - u8 tbuf[USB_DT_BOS_SIZE + USB_DT_USB_SS_CAP_SIZE] + u8 tbuf[4096] __attribute__((aligned(4))); const u8 *bufp = tbuf; unsigned len = 0; -- 1.8.1.2 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
