2014-09-27 19:10:51 +00:00
|
|
|
From 898039471876ec67191d7afcabea38ac5e90285a Mon Sep 17 00:00:00 2001
|
2014-02-28 20:30:08 +00:00
|
|
|
From: P33M <P33M@github.com>
|
|
|
|
Date: Thu, 28 Feb 2013 16:52:51 +0000
|
2014-09-27 19:10:51 +00:00
|
|
|
Subject: [PATCH 053/196] dwc_otg: fix potential use-after-free case in
|
2014-02-28 20:30:08 +00:00
|
|
|
interrupt handler
|
|
|
|
|
|
|
|
If a transaction had previously aborted, certain interrupts are
|
|
|
|
enabled to track error counts and reset where necessary. On IN
|
|
|
|
endpoints the host generates an ACK interrupt near-simultaneously
|
|
|
|
with completion of transfer. In the case where this transfer had
|
|
|
|
previously had an error, this results in a use-after-free on
|
|
|
|
the QTD memory space with a 1-byte length being overwritten to
|
|
|
|
0x00.
|
|
|
|
---
|
|
|
|
drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c | 3 ++-
|
|
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
|
2014-09-27 19:10:51 +00:00
|
|
|
diff --git a/drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c b/drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c
|
|
|
|
index e8c91e7..0c81a64 100644
|
2014-02-28 20:30:08 +00:00
|
|
|
--- a/drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c
|
|
|
|
+++ b/drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c
|
2014-09-27 19:10:51 +00:00
|
|
|
@@ -2223,7 +2223,8 @@ int32_t dwc_otg_hcd_handle_hc_n_intr(dwc_otg_hcd_t * dwc_otg_hcd, uint32_t num)
|
2014-02-28 20:30:08 +00:00
|
|
|
retval |= handle_hc_nak_intr(dwc_otg_hcd, hc, hc_regs, qtd);
|
|
|
|
}
|
|
|
|
if (hcint.b.ack) {
|
|
|
|
- retval |= handle_hc_ack_intr(dwc_otg_hcd, hc, hc_regs, qtd);
|
|
|
|
+ if(!hcint.b.chhltd)
|
|
|
|
+ retval |= handle_hc_ack_intr(dwc_otg_hcd, hc, hc_regs, qtd);
|
|
|
|
}
|
|
|
|
if (hcint.b.nyet) {
|
|
|
|
retval |= handle_hc_nyet_intr(dwc_otg_hcd, hc, hc_regs, qtd);
|
2014-09-27 19:10:51 +00:00
|
|
|
--
|
|
|
|
1.9.1
|
|
|
|
|