Commit 286fd02f authored by Mathias Nyman's avatar Mathias Nyman Committed by Greg Kroah-Hartman

xhci: fix potential array out of bounds with several interrupters

The Max Interrupters supported by the controller is given in a 10bit
wide bitfield, but the driver uses a fixed 128 size array to index these
interrupters.

Klockwork reports a possible array out of bounds case which in theory
is possible. In practice this hasn't been hit as a common number of Max
Interrupters for new controllers is 8, not even close to 128.

This needs to be fixed anyway
Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20210406070208.3406266-4-mathias.nyman@linux.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 597899d2
...@@ -227,6 +227,7 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci) ...@@ -227,6 +227,7 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci)
struct device *dev = xhci_to_hcd(xhci)->self.sysdev; struct device *dev = xhci_to_hcd(xhci)->self.sysdev;
int err, i; int err, i;
u64 val; u64 val;
u32 intrs;
/* /*
* Some Renesas controllers get into a weird state if they are * Some Renesas controllers get into a weird state if they are
...@@ -265,7 +266,10 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci) ...@@ -265,7 +266,10 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci)
if (upper_32_bits(val)) if (upper_32_bits(val))
xhci_write_64(xhci, 0, &xhci->op_regs->cmd_ring); xhci_write_64(xhci, 0, &xhci->op_regs->cmd_ring);
for (i = 0; i < HCS_MAX_INTRS(xhci->hcs_params1); i++) { intrs = min_t(u32, HCS_MAX_INTRS(xhci->hcs_params1),
ARRAY_SIZE(xhci->run_regs->ir_set));
for (i = 0; i < intrs; i++) {
struct xhci_intr_reg __iomem *ir; struct xhci_intr_reg __iomem *ir;
ir = &xhci->run_regs->ir_set[i]; ir = &xhci->run_regs->ir_set[i];
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment