From 296fcdab3321de0aca7a033e4469f4a2dd55fe96 Mon Sep 17 00:00:00 2001 From: Lalithambika Krishna Kumar Date: Fri, 29 Jan 2021 15:00:27 +0200 Subject: [PATCH] xhci: check slot_id is valid before gathering slot info Check that the slot_id that we dug out from command completion event TRB, is valid before using it to identify the slot associated with the command that generated the event. Signed-off-by: Lalithambika Krishna Kumar Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20210129130044.206855-11-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/xhci-ring.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 2ef5548..69c7c5a 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1430,7 +1430,7 @@ time_out_completed: static void handle_cmd_completion(struct xhci_hcd *xhci, struct xhci_event_cmd *event) { - int slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); + unsigned int slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); u64 cmd_dma; dma_addr_t cmd_dequeue_dma; u32 cmd_comp_code; @@ -1438,6 +1438,11 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, struct xhci_command *cmd; u32 cmd_type; + if (slot_id >= MAX_HC_SLOTS) { + xhci_warn(xhci, "Invalid slot_id %u\n", slot_id); + return; + } + cmd_dma = le64_to_cpu(event->cmd_trb); cmd_trb = xhci->cmd_ring->dequeue; -- 2.7.4