git.baikalelectronics.ru Git - kernel.git/commit

author	Alan Stern <stern@rowland.harvard.edu>
	Thu, 19 May 2016 20:29:50 +0000 (16:29 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 1 Jun 2016 21:56:24 +0000 (14:56 -0700)
commit	3f82d0e433201c9c3fca86ed5ca8d7b8f7332b9d
tree	95e3543db5be9bd43fbe7e1808a717fd29d12fc1	tree \| snapshot
parent	6ea450b604349f583b2a04f55b29b67f692d79be	commit \| diff

USB: EHCI: avoid undefined pointer arithmetic and placate UBSAN

Several people have reported that UBSAN doesn't like the pointer
arithmetic in ehci_hub_control():

u32 __iomem *status_reg = &ehci->regs->port_status[
(wIndex & 0xff) - 1];
u32 __iomem *hostpc_reg = &ehci->regs->hostpc[(wIndex & 0xff) - 1];

If wIndex is 0 (and it often is), these calculations underflow and
UBSAN complains.

According to the C standard, pointer computations leading to locations
outside the bounds of an array object (other than 1 position past the
end) are undefined.  In this case, the compiler would be justified in
concluding the wIndex can never be 0 and then optimizing away the
tests for !wIndex that occur later in the subroutine.  (Although,
since ehci->regs->port_status and ehci->regs->hostpc are both 0-length
arrays and are thus GCC extensions to the C standard, it's not clear
what the compiler is really allowed to do.)

At any rate, we can avoid all these difficulties, at the cost of
making the code slightly longer, by not decrementing the index when it
is equal to 0.  The runtime effect is minimal, and anyway
ehci_hub_control() is not on a hot path.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Reported-by: Meelis Roos <mroos@linux.ee>
Reported-by: Martin_MOKREJÅ <mmokrejs@gmail.com>
Reported-by: "Navin P.S" <navinp1912@gmail.com>
CC: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>