usb: dwc2: avoid out of bounds access

flush_dcache_range may access data after priv->aligned_buffer end if len > DWC2_DATA_BUF_SIZE. memcpy may access data after buffer end if done > 0 Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de> Acked-by: Marek Vasut <marex@denx.de> Acked-by: Stephen Warren <swarren@wwwdotorg.org>
author: Stefan Brüns <stefan.bruens@rwth-aachen.de> 2015-12-22 01:21:48 +0100
committer: Marek Vasut <marex@denx.de> 2015-12-31 10:05:31 +0100
commit: 5253aded464f99734698bffd33c662f1ac071fd0 (patch)
tree: acdf8e8e03aa39d560a65a74a994eacbbffeab92 /drivers
parent: c75f57fba4712fed1b0f7b9b10c2bbfdb9ede449 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/usb/host/dwc2.c b/drivers/usb/host/dwc2.c
index 541c0f9687..5ef6debd9a 100644
--- a/drivers/usb/host/dwc2.c
+++ b/drivers/usb/host/dwc2.c
@@ -823,12 +823,13 @@ int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev,
 		       (*pid << DWC2_HCTSIZ_PID_OFFSET),
 		       &hc_regs->hctsiz);
 
-		if (!in) {
-			memcpy(priv->aligned_buffer, (char *)buffer + done, len);
+		if (!in && xfer_len) {
+			memcpy(priv->aligned_buffer, (char *)buffer + done,
+			       xfer_len);
 
 			flush_dcache_range((unsigned long)priv->aligned_buffer,
 				(unsigned long)((void *)priv->aligned_buffer +
-				roundup(len, ARCH_DMA_MINALIGN)));
+				roundup(xfer_len, ARCH_DMA_MINALIGN)));
 		}
 
 		writel(phys_to_bus((unsigned long)priv->aligned_buffer),
author	Stefan Brüns <stefan.bruens@rwth-aachen.de>	2015-12-22 01:21:48 +0100
committer	Marek Vasut <marex@denx.de>	2015-12-31 10:05:31 +0100
commit	5253aded464f99734698bffd33c662f1ac071fd0 (patch)
tree	acdf8e8e03aa39d560a65a74a994eacbbffeab92 /drivers
parent	c75f57fba4712fed1b0f7b9b10c2bbfdb9ede449 (diff)