projects / GitHub / LineageOS / G12 / android_kernel_amlogic_linux-4.9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a37670b)
usb: gadget: fsl_udc: fix the usage of udc->max_ep
authorPeter Chen <peter.chen@freescale.com>
Wed, 11 Jan 2012 05:39:07 +0000 (13:39 +0800)
committerFelipe Balbi <balbi@ti.com>
Tue, 24 Jan 2012 13:43:10 +0000 (15:43 +0200)
The max_ep is the number of endpoint * 2.

But in dtd_complete_irq, it does again * 2, it will deference wrong memory
after scanning max_ep - 1.

The another similar problem is at USB_REQ_SET_FEATURE (the pipe number
should be 0 and max_ep - 1).

Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Matthieu castet <matthieu.castet@parrot.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
drivers/usb/gadget/fsl_udc_core.c patch | blob | blame | history

diff --git a/drivers/usb/gadget/fsl_udc_core.c b/drivers/usb/gadget/fsl_udc_core.c
index d7ea6c076ce98e185ee43b557c524d2b29c67270..b04712f19f1efa613261c2216b08b31958ec4973 100644 (file)
--- a/drivers/usb/gadget/fsl_udc_core.c
+++ b/drivers/usb/gadget/fsl_udc_core.c
@@ -1430,7 +1430,7 @@ static void setup_received_irq(struct fsl_udc *udc,
                        int pipe = get_pipe_by_windex(wIndex);
                        struct fsl_ep *ep;
 
-                       if (wValue != 0 || wLength != 0 || pipe > udc->max_ep)
+                       if (wValue != 0 || wLength != 0 || pipe >= udc->max_ep)
                                break;
                        ep = get_ep_by_pipe(udc, pipe);
 
@@ -1673,7 +1673,7 @@ static void dtd_complete_irq(struct fsl_udc *udc)
        if (!bit_pos)
                return;
 
-       for (i = 0; i < udc->max_ep * 2; i++) {
+       for (i = 0; i < udc->max_ep; i++) {
                ep_num = i >> 1;
                direction = i % 2;