[lvc-project] [PATCH v1] usb: isp1760: increase buffer size to avoid overflow
Rui Miguel Silva
rmfrfs at gmail.com
Thu Apr 24 12:15:57 MSK 2025
Hey Alexey,
On Wed Apr 23, 2025 at 12:10 PM WEST, Alexey V. Vissarionov wrote:
> When isp1760_udc_init_hw() calls isp1760_set_pullup(), its call of
> isp1760_field_set() may access the udc->fields array beyond the size
> of DC_FIELD_MAX up to HC_FIELD_MAX, which is (now) bigger. Increase
> the buffer size to max(DC_FIELD_MAX,HC_FIELD_MAX) to avoid possible
> overflow.
This will fix the access, but not the main issue, so this is not
correct. The isp1760_set_pullup should pass to isp1760_field_set
the hcd fields and not the udc ones.

I will send a proper fix for this. Thanks for reporting.

Cheers,
Rui
>
> Found by ALT Linux Team (altlinux.org) and Linux Verification Center
> (linuxtesting.org).
>
> Fixes: 1da9e1c06873 ("usb: isp1760: move to regmap for register access")
> Signed-off-by: Alexey V. Vissarionov <gremlin at altlinux.org>
> ---
> drivers/usb/isp1760/isp1760-hcd.h | 2 +-
> drivers/usb/isp1760/isp1760-regs.h | 3 +++
> drivers/usb/isp1760/isp1760-udc.h | 2 +-
> 3 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/isp1760/isp1760-hcd.h b/drivers/usb/isp1760/isp1760-hcd.h
> index ee3063a34de3bccf..34dacde96c4ae3cf 100644
> --- a/drivers/usb/isp1760/isp1760-hcd.h
> +++ b/drivers/usb/isp1760/isp1760-hcd.h
> @@ -50,7 +50,7 @@ struct isp1760_hcd {
> void __iomem *base;
>
> struct regmap *regs;
> - struct regmap_field *fields[HC_FIELD_MAX];
> + struct regmap_field *fields[DC_HC_FIELD_MAX];
>
> bool is_isp1763;
> const struct isp1760_memory_layout *memory_layout;
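Review bot: the resize of fields[] in struct isp1760_hcd has no justification in the commit message, which only describes an out-of-range index into udc->fields reached through isp1760_set_pullup(). Either name the path that indexes hcd->fields with a DC_* value, or drop this hunk and keep HC_FIELD_MAX so the array bound continues to match the enum that indexes it.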
> diff --git a/drivers/usb/isp1760/isp1760-regs.h b/drivers/usb/isp1760/isp1760-regs.h
> index 3a6751197e970013..a5a442015887ce0b 100644
> --- a/drivers/usb/isp1760/isp1760-regs.h
> +++ b/drivers/usb/isp1760/isp1760-regs.h
> @@ -267,6 +267,9 @@ enum isp176x_device_controller_fields {
> DC_FIELD_MAX,
> };
>
> +#define DC_HC_FIELD_MAX \
> + (DC_FIELD_MAX > HC_FIELD_MAX ? DC_FIELD_MAX : HC_FIELD_MAX)
> +
> /* ISP1763 */
> /* Initialization Registers */
> #define ISP1763_DC_ADDRESS 0x00
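Review bot: DC_HC_FIELD_MAX is added without a comment saying why two arrays indexed by different enums should share one bound, and a shared bound hides an index from the wrong enum instead of catching it. If the macro stays, document above the #define which caller needs it; the better fix is to keep each array sized by its own *_FIELD_MAX and correct the caller that passes the wrong field set, as the maintainer's reply suggests.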
> diff --git a/drivers/usb/isp1760/isp1760-udc.h b/drivers/usb/isp1760/isp1760-udc.h
> index 22044e86bc0ecb84..609444bea306ba81 100644
> --- a/drivers/usb/isp1760/isp1760-udc.h
> +++ b/drivers/usb/isp1760/isp1760-udc.h
> @@ -69,7 +69,7 @@ struct isp1760_udc {
> char *irqname;
>
> struct regmap *regs;
> - struct regmap_field *fields[DC_FIELD_MAX];
> + struct regmap_field *fields[DC_HC_FIELD_MAX];
>
> struct usb_gadget_driver *driver;
> struct usb_gadget gadget;
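Review bot: enlarging fields[] in struct isp1760_udc moves the HC-range index inside the array but does not make the access correct. The diffstat touches only three headers, so nothing in this patch populates the slots at or above DC_FIELD_MAX, and isp1760_field_set() would then operate on whatever pointer sits in that slot. Keep DC_FIELD_MAX here and fix isp1760_set_pullup() so that the field array it passes matches the HC_* index it uses.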
>
> --
> Alexey V. Vissarionov
> gremlin ПРИ altlinux ТЧК org; +vii-cmiii-ccxxix-lxxix-xlii
> GPG: 0D92F19E1C0DC36E27F61A29CD17E2B43D879005 @ hkp://keys.gnupg.net