aboutsummaryrefslogtreecommitdiffstats
path: root/target/linux/brcm2708/patches-3.10/0053-dwc_otg-fix-potential-use-after-free-case-in-interru.patch
blob: e446e0c83c74b89c7049433911b9df75a4adb0d3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
From 898039471876ec67191d7afcabea38ac5e90285a Mon Sep 17 00:00:00 2001
From: P33M <P33M@github.com>
Date: Thu, 28 Feb 2013 16:52:51 +0000
Subject: [PATCH 053/196] dwc_otg: fix potential use-after-free case in
 interrupt handler

If a transaction had previously aborted, certain interrupts are
enabled to track error counts and reset where necessary. On IN
endpoints the host generates an ACK interrupt near-simultaneously
with completion of transfer. In the case where this transfer had
previously had an error, this results in a use-after-free on
the QTD memory space with a 1-byte length being overwritten to
0x00.
---
 drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c b/drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c
index e8c91e7..0c81a64 100644
--- a/drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c
+++ b/drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c
@@ -2223,7 +2223,8 @@ int32_t dwc_otg_hcd_handle_hc_n_intr(dwc_otg_hcd_t * dwc_otg_hcd, uint32_t num)
 		retval |= handle_hc_nak_intr(dwc_otg_hcd, hc, hc_regs, qtd);
 	}
 	if (hcint.b.ack) {
-		retval |= handle_hc_ack_intr(dwc_otg_hcd, hc, hc_regs, qtd);
+		if(!hcint.b.chhltd)
+			retval |= handle_hc_ack_intr(dwc_otg_hcd, hc, hc_regs, qtd);
 	}
 	if (hcint.b.nyet) {
 		retval |= handle_hc_nyet_intr(dwc_otg_hcd, hc, hc_regs, qtd);
-- 
1.9.1