From 23776409e4f63ff768b5b0d6ac3f646a88d4cf97 Mon Sep 17 00:00:00 2001 From: Lalithambika Krishna Kumar Date: Fri, 29 Jan 2021 15:00:27 +0200 Subject: [PATCH] UPSTREAM: xhci: check slot_id is valid before gathering slot info Check that the slot_id that we dug out from command completion event TRB, is valid before using it to identify the slot associated with the command that generated the event. Signed-off-by: Lalithambika Krishna Kumar Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20210129130044.206855-11-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 296fcdab3321de0aca7a033e4469f4a2dd55fe96 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-linus) Signed-off-by: Greg Kroah-Hartman Change-Id: Ic325c4bc01e908de21698ba0eab0246970af2113 --- drivers/usb/host/xhci-ring.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 802042ccb2f5..00d7ecce4ce0 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1430,7 +1430,7 @@ time_out_completed: static void handle_cmd_completion(struct xhci_hcd *xhci, struct xhci_event_cmd *event) { - int slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); + unsigned int slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); u64 cmd_dma; dma_addr_t cmd_dequeue_dma; u32 cmd_comp_code; @@ -1438,6 +1438,11 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, struct xhci_command *cmd; u32 cmd_type; + if (slot_id >= MAX_HC_SLOTS) { + xhci_warn(xhci, "Invalid slot_id %u\n", slot_id); + return; + } + cmd_dma = le64_to_cpu(event->cmd_trb); cmd_trb = xhci->cmd_ring->dequeue;