usb: dwc2: avoid out of bounds access
authorStefan Brüns <stefan.bruens@rwth-aachen.de>
Tue, 22 Dec 2015 00:21:48 +0000 (01:21 +0100)
committerMarek Vasut <marex@denx.de>
Thu, 31 Dec 2015 09:05:31 +0000 (10:05 +0100)
flush_dcache_range may access data after priv->aligned_buffer end if
len > DWC2_DATA_BUF_SIZE.
memcpy may access data after buffer end if done > 0

Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Acked-by: Marek Vasut <marex@denx.de>
Acked-by: Stephen Warren <swarren@wwwdotorg.org>
drivers/usb/host/dwc2.c

index 541c0f9..5ef6deb 100644 (file)
@@ -823,12 +823,13 @@ int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev,
                       (*pid << DWC2_HCTSIZ_PID_OFFSET),
                       &hc_regs->hctsiz);
 
-               if (!in) {
-                       memcpy(priv->aligned_buffer, (char *)buffer + done, len);
+               if (!in && xfer_len) {
+                       memcpy(priv->aligned_buffer, (char *)buffer + done,
+                              xfer_len);
 
                        flush_dcache_range((unsigned long)priv->aligned_buffer,
                                (unsigned long)((void *)priv->aligned_buffer +
-                               roundup(len, ARCH_DMA_MINALIGN)));
+                               roundup(xfer_len, ARCH_DMA_MINALIGN)));
                }
 
                writel(phys_to_bus((unsigned long)priv->aligned_buffer),
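Review bot: The bound that makes this copy safe is not visible at the copy site. Inside the `if (!in && xfer_len)` block, nothing in the hunk shows that `xfer_len` is capped at the size of `priv->aligned_buffer` (the commit message names `DWC2_DATA_BUF_SIZE`), so the clamp presumably sits earlier in chunk_msg, outside this hunk. A short comment above the memcpy, such as `/* xfer_len <= DWC2_DATA_BUF_SIZE (clamped above): copy and flush stay inside aligned_buffer */`, would keep a later change to the clamp from silently reintroducing the overrun. The flush end is `roundup(xfer_len, ARCH_DMA_MINALIGN)`, which stays inside the buffer only if the buffer's size is itself a multiple of ARCH_DMA_MINALIGN, so that is worth confirming at the buffer's declaration. chunk_msg begins and ends outside the hunk, so the IN path and the clamp itself could not be checked here.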