From: Kevin Hilman <khilman-1D3HCaltpLuhEniVeURVKkEOCMrvLtNR@public.gmane.org>
To: felipe.balbi-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org
Cc: linux-omap-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH] MUSB: fix memory corruption when using more than max endpoints
Date: Wed, 10 Sep 2008 14:20:35 +0300
Message-ID: <48C7AD83.60703@deeprootsystems.com>
In-Reply-To: <20080910103616.GQ16796-f9ZlEuEWxVfta4EC/59zMBl4MBrZKKet0E9HWUfgJXw@public.gmane.org>
Felipe Balbi wrote:
> Let's keep linux-usb on the loop for musb related patches ;-)
>
> On Wed, Sep 10, 2008 at 08:53:56AM +0300, ext Kevin Hilman wrote:
>> There is no check if platform code passes in more endpoints (num_eps)
>> than the maximum number of endpoints (MUSB_C_NUM_EPS). The result is
>> that allocate_instance() happily writes past the end of 'struct musb'
>> corrupting memory.
>>
>> The fix below increases the max to 32 (used on omap3) and also adds a
>> BUG() if the platform code requests more than the max.
>>
>> This memory corruption was triggering various forms of crashes/panics
>> with kmem_cache_alloc() in the backtrace.
>>
>> Signed-off-by: Kevin Hilman <khilman-1D3HCaltpLuhEniVeURVKkEOCMrvLtNR@public.gmane.org>
>
> Looks ok, I'll put to my series.
>
>> ---
>> drivers/usb/musb/musb_core.c | 1 +
>> drivers/usb/musb/musb_core.h | 2 +-
>> 2 files changed, 2 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
>> index c939f81..a132d9f 100644
>> --- a/drivers/usb/musb/musb_core.c
>> +++ b/drivers/usb/musb/musb_core.c
>> @@ -1806,6 +1806,7 @@ allocate_instance(struct device *dev,
>> musb->ctrl_base = mbase;
>> musb->nIrq = -ENODEV;
>> musb->config = config;
>> + BUG_ON(musb->config->num_eps > MUSB_C_NUM_EPS);
>
> It's good to have this check here.
>
>> for (epnum = 0, ep = musb->endpoints;
>> epnum < musb->config->num_eps;
>> epnum++, ep++) {
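Review bot: The added BUG_ON(musb->config->num_eps > MUSB_C_NUM_EPS) in allocate_instance() turns an oversized num_eps in the platform config into a kernel halt, although the condition is detected before the for loop that walks musb->endpoints and is therefore still recoverable at that point. Consider reporting it through the 'dev' argument the function already receives and failing the allocation with an error, so a wrong platform value disables this controller instead of stopping the machine. Placing the check ahead of the loop is right, since that loop is the write the commit message describes as running past the end of 'struct musb'; a one-line comment that the endpoints array is bounded by MUSB_C_NUM_EPS would make the dependency visible to whoever next changes either side.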
>> diff --git a/drivers/usb/musb/musb_core.h b/drivers/usb/musb/musb_core.h
>> index 8222725..5040ceb 100644
>> --- a/drivers/usb/musb/musb_core.h
>> +++ b/drivers/usb/musb/musb_core.h
>> @@ -153,7 +153,7 @@ static inline void musb_host_rx(struct musb *m, u8 e) {}
>> /****************************** CONSTANTS ********************************/
>>
>> #ifndef MUSB_C_NUM_EPS
>> -#define MUSB_C_NUM_EPS ((u8)16)
>> +#define MUSB_C_NUM_EPS ((u8)32)
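Review bot: The new value in '#define MUSB_C_NUM_EPS ((u8)32)' has no stated source other than "used on omap3" in the changelog, and the review reply in this thread holds that 16 is the right number, so the constant and the platform's num_eps currently disagree about what the limit is. Because this macro is the bound the new BUG_ON compares against, it should carry a comment saying what it represents and where the number comes from; if 16 is correct, the define should stay as it was and num_eps in the platform code should be lowered instead. The surrounding #ifndef also means the bound actually checked is whatever the build defined for MUSB_C_NUM_EPS, not necessarily the value on this line, which is worth stating in that comment.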
>
> 16 is the right number.
>
If 16 is the right number, arch/arm/mach-omap2/usb-musb.c is going to
trigger this BUG every time since it sets num_eps = 32.

I don't know much about MUSB endpoints, but if 16 is the correct max,
then the platform code should be updated.

Kevin