summaryrefslogtreecommitdiffstats
path: root/drivers/usb/host
diff options
context:
space:
mode:
authorLalithambika Krishna Kumar <lalithambika.krishnakumar@intel.com>2021-01-29 14:00:27 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2021-01-29 14:16:50 +0100
commit296fcdab3321de0aca7a033e4469f4a2dd55fe96 (patch)
tree71bf6a6995731ed754b55c4be1c4d81f337d5d55 /drivers/usb/host
parentxhci: prevent a theoretical endless loop while preparing rings. (diff)
downloadlinux-296fcdab3321de0aca7a033e4469f4a2dd55fe96.tar.xz
linux-296fcdab3321de0aca7a033e4469f4a2dd55fe96.zip
xhci: check slot_id is valid before gathering slot info
Check that the slot_id that we dug out from command completion event TRB, is valid before using it to identify the slot associated with the command that generated the event. Signed-off-by: Lalithambika Krishna Kumar <lalithambika.krishnakumar@intel.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Link: https://lore.kernel.org/r/20210129130044.206855-11-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/host')
-rw-r--r--drivers/usb/host/xhci-ring.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 2ef55484317e..69c7c5ab1565 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1430,7 +1430,7 @@ time_out_completed:
static void handle_cmd_completion(struct xhci_hcd *xhci,
struct xhci_event_cmd *event)
{
- int slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags));
+ unsigned int slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags));
u64 cmd_dma;
dma_addr_t cmd_dequeue_dma;
u32 cmd_comp_code;
@@ -1438,6 +1438,11 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
struct xhci_command *cmd;
u32 cmd_type;
+ if (slot_id >= MAX_HC_SLOTS) {
+ xhci_warn(xhci, "Invalid slot_id %u\n", slot_id);
+ return;
+ }
+
cmd_dma = le64_to_cpu(event->cmd_trb);
cmd_trb = xhci->cmd_ring->dequeue;