shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-09 12:17:12 +09:00
Code Issues Packages Projects Releases Wiki Activity

usb: qtd usb-after-free

Browse Source
This commit is contained in:
lyz
2014-03-28 11:37:03 +08:00
parent f56355fdf3
commit 57d0c9d8d7
1 changed files with 4 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/usb/dwc_otg_310/dwc_otg_hcd_ddma.c
View File

@@ -665,7 +665,7 @@ static void init_non_isoc_dma_desc(dwc_otg_hcd_t * hcd, dwc_otg_qh_t * qh)
qtd->in_process = 1;
if (qh->ep_type == UE_CONTROL)
if (qh->ep_type == UE_CONTROL)
break;
if (n_desc == MAX_DMA_DESC_NUM_GENERIC)
@@ -716,7 +716,6 @@ void dwc_otg_hcd_start_xfer_ddma(dwc_otg_hcd_t * hcd, dwc_otg_qh_t * qh)
init_non_isoc_dma_desc(hcd, qh);
update_frame_list(hcd, qh, 1);
dwc_otg_hc_start_transfer_ddma(hcd->core_if, hc);
break;
case DWC_OTG_EP_TYPE_ISOC:
@@ -943,13 +942,12 @@ static void complete_non_isoc_xfer_ddma(dwc_otg_hcd_t * hcd,
dwc_otg_qtd_t *qtd, *qtd_tmp;
dwc_otg_qh_t *qh;
dwc_otg_host_dma_desc_t *dma_desc;
uint32_t n_bytes, n_desc, i;
uint32_t n_bytes, n_desc, i, qtd_n_desc;
uint8_t failed = 0, xfer_done;
n_desc = 0;
qh = hc->qh;
if (hc->halt_status == DWC_OTG_HC_XFER_URB_DEQUEUE) {
DWC_CIRCLEQ_FOREACH_SAFE(qtd, qtd_tmp, &hc->qh->qtd_list, qtd_list_entry) {
qtd->in_process = 0;
@@ -963,8 +961,8 @@ static void complete_non_isoc_xfer_ddma(dwc_otg_hcd_t * hcd,
n_bytes = 0;
xfer_done = 0;
for (i = 0; i < qtd->n_desc; i++) {
qtd_n_desc = qtd->n_desc;
for (i = 0; i < qtd_n_desc; i++) {
dma_desc = &qh->desc_list[n_desc];
n_bytes = qh->n_bytes[n_desc];