From 3ecdb9acf343bbcf2bb2c287dc524ab709cfad7e Mon Sep 17 00:00:00 2001
From: Sergei Shtylyov
Date: Sat, 21 Feb 2009 15:31:23 -0800
Subject: USB: musb: be careful with 64K+ transfer lengths, host side

Feeding 32-bit length cast down to 'u16' to min() to calculate the FIFO count in musb_host_tx() risks sending a short packet prematurely for transfer sizes over 64 KB. Similarly, although data transfer size shouldn't exceed 65535 bytes for the control endpoint, making musb_h_ep0_continue() more robust WRT URBs with possibly oversized buffer will not hurt either...

Signed-off-by: Sergei Shtylyov
Signed-off-by: David Brownell
Cc: Felipe Balbi
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/musb/musb_host.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
index fc79e76b384..23d3890fd54 100644
--- a/drivers/usb/musb/musb_host.c
+++ b/drivers/usb/musb/musb_host.c
@@ -937,8 +937,8 @@ static bool musb_h_ep0_continue(struct musb *musb, u16 len, struct urb *urb)
 switch (musb->ep0_stage) {
 case MUSB_EP0_IN:
 fifo_dest = urb->transfer_buffer + urb->actual_length;
- fifo_count = min(len, ((u16) (urb->transfer_buffer_length -
- urb->actual_length)));
+ fifo_count = min_t(size_t, len, urb->transfer_buffer_length -
+ urb->actual_length);
 if (fifo_count < len) urb->status = -EOVERFLOW;
@@ -971,10 +971,9 @@ static bool musb_h_ep0_continue(struct musb *musb, u16 len, struct urb *urb)
 } /* FALLTHROUGH */
 case MUSB_EP0_OUT:
- fifo_count = min(qh->maxpacket, ((u16)
- (urb->transfer_buffer_length -
- urb->actual_length)));
-
+ fifo_count = min_t(size_t, qh->maxpacket,
+ urb->transfer_buffer_length -
+ urb->actual_length);
 if (fifo_count) {
 fifo_dest = (u8 *) (urb->transfer_buffer + urb->actual_length);
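Review bot: The remaining-space operand `urb->transfer_buffer_length - urb->actual_length` in the MUSB_EP0_IN case is computed with no check that actual_length has not passed transfer_buffer_length. Under `min_t(size_t, ...)` a negative or wrapped difference becomes a very large value, so `len` would win and a copy of fifo_count bytes to fifo_dest would presumably run past the end of the transfer buffer. The field types and the code that advances actual_length are outside the hunk, so this may be unreachable today, but the whole bound rests on that invariant. I would record it next to the computation, e.g. `/* requires actual_length <= transfer_buffer_length, else the difference wraps and len wins */`, or assert it with `WARN_ON(urb->actual_length > urb->transfer_buffer_length);`. The MUSB_EP0_OUT computation in the next hunk has the same shape with `qh->maxpacket` as the other operand, and the switch body continues outside both hunks.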
@@ -1304,7 +1303,8 @@ void musb_host_tx(struct musb *musb, u8 epnum)
 * packets before updating TXCSR ... other docs disagree ... */
 /* PIO: start next packet in this URB */
- wLength = min(qh->maxpacket, (u16) wLength);
+ if (wLength > qh->maxpacket)
+ wLength = qh->maxpacket;
 musb_write_fifo(hw_ep, wLength, buf);
 qh->segsize = wLength;
--
cgit v1.2.3-70-g09d2
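Review bot: The clamp in musb_host_tx() is open-coded as an `if`, while the two computations in musb_h_ep0_continue() changed by the same commit use `min_t(size_t, ...)`. One form for the same operation would be easier to audit, e.g. `wLength = min_t(size_t, qh->maxpacket, wLength);` if wLength is a size_t (its declaration is outside the hunk). Whichever form stays, a short comment such as `/* clamp before any narrowing: wLength may exceed 64 KB */` would record why the `(u16)` cast must not come back. The clamped value is passed to musb_write_fifo() and stored in qh->segsize, whose types are not visible here. The function body starts and ends outside the hunk.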