xhci: check slot_id is valid before gathering slot info
authorLalithambika Krishna Kumar <lalithambika.krishnakumar@intel.com>
Fri, 29 Jan 2021 13:00:27 +0000 (15:00 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 29 Jan 2021 13:16:50 +0000 (14:16 +0100)
Check that the slot_id that we dug out from command completion event
TRB, is valid before using it to identify the slot associated with the
command that generated the event.

Signed-off-by: Lalithambika Krishna Kumar <lalithambika.krishnakumar@intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20210129130044.206855-11-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/host/xhci-ring.c

index 2ef5548..69c7c5a 100644 (file)
@@ -1430,7 +1430,7 @@ time_out_completed:
 static void handle_cmd_completion(struct xhci_hcd *xhci,
                struct xhci_event_cmd *event)
 {
-       int slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags));
+       unsigned int slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags));
        u64 cmd_dma;
        dma_addr_t cmd_dequeue_dma;
        u32 cmd_comp_code;
@@ -1438,6 +1438,11 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
        struct xhci_command *cmd;
        u32 cmd_type;
 
+       if (slot_id >= MAX_HC_SLOTS) {
+               xhci_warn(xhci, "Invalid slot_id %u\n", slot_id);
+               return;
+       }
+
        cmd_dma = le64_to_cpu(event->cmd_trb);
        cmd_trb = xhci->cmd_ring->dequeue;