From: "Alexey V. Vissarionov" <gremlin@altlinux.org>
To: Rui Miguel Silva <rui.silva@linaro.org>
Cc: "Alexey V. Vissarionov" <gremlin@altlinux.org>,
Fedor Pchelkin <pchelkin@ispras.ru>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-usb@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH v1] usb: isp1760: increase buffer size to avoid overflow
Date: Wed, 23 Apr 2025 14:10:40 +0300
Message-ID: <20250423111040.GC857@altlinux.org>
In-Reply-To: <20250423110540.GB857@altlinux.org>
When isp1760_udc_init_hw() calls isp1760_set_pullup(), its call of
isp1760_field_set() may access the udc->fields array beyond the size
of DC_FIELD_MAX up to HC_FIELD_MAX, which is (now) bigger. Increase
the buffer size to max(DC_FIELD_MAX,HC_FIELD_MAX) to avoid possible
overflow.

Found by ALT Linux Team (altlinux.org) and Linux Verification Center
(linuxtesting.org).

Fixes: 1da9e1c06873 ("usb: isp1760: move to regmap for register access")
Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>
---
drivers/usb/isp1760/isp1760-hcd.h | 2 +-
drivers/usb/isp1760/isp1760-regs.h | 3 +++
drivers/usb/isp1760/isp1760-udc.h | 2 +-
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/isp1760/isp1760-hcd.h b/drivers/usb/isp1760/isp1760-hcd.h
index ee3063a34de3bccf..34dacde96c4ae3cf 100644
--- a/drivers/usb/isp1760/isp1760-hcd.h
+++ b/drivers/usb/isp1760/isp1760-hcd.h
@@ -50,7 +50,7 @@ struct isp1760_hcd {
void __iomem *base;
struct regmap *regs;
- struct regmap_field *fields[HC_FIELD_MAX];
+ struct regmap_field *fields[DC_HC_FIELD_MAX];
bool is_isp1763;
const struct isp1760_memory_layout *memory_layout;
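Review bot: the resize of hcd->fields from HC_FIELD_MAX to DC_HC_FIELD_MAX is not covered by the changelog, which only describes an out-of-range access on udc->fields. Since the changelog says HC_FIELD_MAX is currently the larger of the two, this array does not change size with this patch. Either drop this hunk or add a sentence to the changelog naming the caller that can index hcd->fields with a DC_* value.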
diff --git a/drivers/usb/isp1760/isp1760-regs.h b/drivers/usb/isp1760/isp1760-regs.h
index 3a6751197e970013..a5a442015887ce0b 100644
--- a/drivers/usb/isp1760/isp1760-regs.h
+++ b/drivers/usb/isp1760/isp1760-regs.h
@@ -267,6 +267,9 @@ enum isp176x_device_controller_fields {
DC_FIELD_MAX,
};
+#define DC_HC_FIELD_MAX \
+ (DC_FIELD_MAX > HC_FIELD_MAX ? DC_FIELD_MAX : HC_FIELD_MAX)
+
/* ISP1763 */
/* Initialization Registers */
#define ISP1763_DC_ADDRESS 0x00
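Review bot: the new DC_HC_FIELD_MAX macro compares DC_FIELD_MAX, the last enumerator of isp176x_device_controller_fields, with HC_FIELD_MAX, which (assuming it is the last enumerator of the host-controller fields enum) comes from a different enum type, and comparisons across enum types can draw enum-compare diagnostics from some compilers. Casting both operands to int inside the macro would avoid that. The macro also lacks a comment: one line stating that it sizes the fields[] arrays used by both the host and device controller code would explain why the two limits are combined.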
diff --git a/drivers/usb/isp1760/isp1760-udc.h b/drivers/usb/isp1760/isp1760-udc.h
index 22044e86bc0ecb84..609444bea306ba81 100644
--- a/drivers/usb/isp1760/isp1760-udc.h
+++ b/drivers/usb/isp1760/isp1760-udc.h
@@ -69,7 +69,7 @@ struct isp1760_udc {
char *irqname;
struct regmap *regs;
- struct regmap_field *fields[DC_FIELD_MAX];
+ struct regmap_field *fields[DC_HC_FIELD_MAX];
struct usb_gadget_driver *driver;
struct usb_gadget gadget;
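Review bot: enlarging udc->fields to DC_HC_FIELD_MAX removes the out-of-bounds index, but nothing in this patch populates the added slots, so an index between DC_FIELD_MAX and HC_FIELD_MAX would now read a regmap_field pointer that was never set up for the device controller. Please confirm that the isp1760_field_set() call reached from isp1760_set_pullup() is meant to index udc->fields at all. If the field it uses is a host-controller field, the fix belongs at the call site, passing the array that actually holds that field, rather than in the array size.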
--
Alexey V. Vissarionov
gremlin AT altlinux DOT org; +vii-cmiii-ccxxix-lxxix-xlii
GPG: 0D92F19E1C0DC36E27F61A29CD17E2B43D879005 @ hkp://keys.gnupg.net