Commit 6912354a authored by Alan Stern, committed by Greg Kroah-Hartman

[PATCH] USB: EHCI: fix conflation of buf == 0 with len == 0

When the ehci-hcd driver prepares a control URB, it tests for a
zero-length data stage by looking at the transfer_dma value instead of
the transfer_buffer_length.  (In fact it does this even for non-control
URBs, which is an additional aspect of the same bug.)

However, under certain circumstances it's possible for transfer_dma to
be 0 while transfer_buffer_length is non-zero.  This can happen when a
freshly allocated page (mapped to address 0 and marked Copy-On-Write,
but never written to) is used as the source buffer for an OUT transfer.
This patch (as598) fixes the problem.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent 959eea21
...@@ -514,18 +514,18 @@ qh_urb_transaction ( ...@@ -514,18 +514,18 @@ qh_urb_transaction (
qtd->urb = urb; qtd->urb = urb;
qtd_prev->hw_next = QTD_NEXT (qtd->qtd_dma); qtd_prev->hw_next = QTD_NEXT (qtd->qtd_dma);
list_add_tail (&qtd->qtd_list, head); list_add_tail (&qtd->qtd_list, head);
/* for zero length DATA stages, STATUS is always IN */
if (len == 0)
token |= (1 /* "in" */ << 8);
} }
/* /*
* data transfer stage: buffer setup * data transfer stage: buffer setup
*/ */
if (likely (len > 0))
buf = urb->transfer_dma; buf = urb->transfer_dma;
else
buf = 0;
/* for zero length DATA stages, STATUS is always IN */ if (is_input)
if (!buf || is_input)
token |= (1 /* "in" */ << 8); token |= (1 /* "in" */ << 8);
/* else it's already initted to "out" pid (0 << 8) */ /* else it's already initted to "out" pid (0 << 8) */
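Review bot: the zero-length test now keys on `len == 0` inside the control-request branch (the block closed by the `}` just before the "data transfer stage" comment) instead of on `!buf` after the buffer assignment, and `buf` is assigned `urb->transfer_dma` unconditionally. That is the right fix for the conflation described in the commit message, but it relies on `len` still equalling `urb->transfer_buffer_length` at that point and on nothing later in the function treating `buf == 0` as a "no data" sentinel; both are worth confirming against the full function, and a short comment at the `buf = urb->transfer_dma` line saying that a zero DMA address is a valid buffer address would stop the old pattern from creeping back.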
...@@ -572,7 +572,7 @@ qh_urb_transaction ( ...@@ -572,7 +572,7 @@ qh_urb_transaction (
* control requests may need a terminating data "status" ack; * control requests may need a terminating data "status" ack;
* bulk ones may need a terminating short packet (zero length). * bulk ones may need a terminating short packet (zero length).
*/ */
if (likely (buf != 0)) { if (likely (urb->transfer_buffer_length != 0)) {
int one_more = 0; int one_more = 0;
if (usb_pipecontrol (urb->pipe)) { if (usb_pipecontrol (urb->pipe)) {
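Review bot: switching the terminating-packet test from `buf != 0` to `urb->transfer_buffer_length != 0` is consistent with the first hunk and removes the last use of `buf` as a length sentinel. Re-reading `urb->transfer_buffer_length` rather than the local `len` is correct only if the qTD-building code between the two hunks consumes `len`; if so, a one-line comment here would explain why the original length is used, and if not, using `len` would keep the two checks visibly identical. The two hunks depend on each other (the first makes `buf` non-zero for zero-length transfers, so this test would otherwise be wrong), so they should land as one change, as they do here.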