USB: xhci: Check URB's actual transfer buffer size.
authorSarah Sharp <sarah.a.sharp@linux.intel.com>
Thu, 27 Aug 2009 21:36:24 +0000 (14:36 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 23 Sep 2009 13:46:18 +0000 (06:46 -0700)
Make sure that the amount of data the xHC says was transmitted is less
than or equal to the size of the requested transfer buffer.  Before, if
the host controller erroneously reported that the number of bytes
untransferred was bigger than the buffer in the URB, urb->actual_length
could be set to a very large size.

Make sure urb->actual_length <= urb->transfer_buffer_length.

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/usb/host/xhci-ring.c

index 4142c04b5adfcea73cff0287a35fa2d0a969d76c..b4fab00105d4d984447afed2c68bc1adc16d8d5d 100644 (file)
@@ -1092,7 +1092,8 @@ static int handle_tx_event(struct xhci_hcd *xhci,
                                td->urb->actual_length =
                                        td->urb->transfer_buffer_length -
                                        TRB_LEN(event->transfer_len);
-                               if (td->urb->actual_length < 0) {
+                               if (td->urb->transfer_buffer_length <
+                                               td->urb->actual_length) {
                                        xhci_warn(xhci, "HC gave bad length "
                                                        "of %d bytes left\n",
                                                        TRB_LEN(event->transfer_len));
@@ -1167,6 +1168,20 @@ static int handle_tx_event(struct xhci_hcd *xhci,
 td_cleanup:
                /* Clean up the endpoint's TD list */
                urb = td->urb;
+               /* Do one last check of the actual transfer length.
+                * If the host controller said we transferred more data than
+                * the buffer length, urb->actual_length will be a very big
+                * number (since it's unsigned).  Play it safe and say we didn't
+                * transfer anything.
+                */
+               if (urb->actual_length > urb->transfer_buffer_length) {
+                       xhci_warn(xhci, "URB transfer length is wrong, "
+                                       "xHC issue? req. len = %u, "
+                                       "act. len = %u\n",
+                                       urb->transfer_buffer_length,
+                                       urb->actual_length);
+                       urb->actual_length = 0;
+               }
                list_del(&td->td_list);
                /* Was this TD slated to be cancelled but completed anyway? */
                if (!list_empty(&td->cancelled_td_list)) {