From: David Brownell <david-b@pacbell.net>
Date: Mon, 10 Dec 2007 06:53:09 +0000 (-0800)
Subject: USB: gadget: at91_udc minor fix (there is no number six)
X-Git-Tag: firefly_0821_release~23568^2~50
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=1440e0967de8c598dae96d741652d498b3eb8f27;p=firefly-linux-kernel-4.4.55.git

USB: gadget: at91_udc minor fix (there is no number six)

Fix a small glitch noted by Yannick Cote.  There is no endpoint number
six, so if a (broken) host wrongly tried to change or read status of
that endpoint, the driver could access reserved register space.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Cc: Yannick Cote <yanick@yanos.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/drivers/usb/gadget/at91_udc.c b/drivers/usb/gadget/at91_udc.c
index 4b6ed353ae36..305db36a3b1c 100644
--- a/drivers/usb/gadget/at91_udc.c
+++ b/drivers/usb/gadget/at91_udc.c
@@ -1153,7 +1153,7 @@ static void handle_setup(struct at91_udc *udc, struct at91_ep *ep, u32 csr)
 			| USB_REQ_GET_STATUS:
 		tmp = w_index & USB_ENDPOINT_NUMBER_MASK;
 		ep = &udc->ep[tmp];
-		if (tmp > NUM_ENDPOINTS || (tmp && !ep->desc))
+		if (tmp >= NUM_ENDPOINTS || (tmp && !ep->desc))
 			goto stall;
 
 		if (tmp) {
@@ -1176,7 +1176,7 @@ static void handle_setup(struct at91_udc *udc, struct at91_ep *ep, u32 csr)
 			| USB_REQ_SET_FEATURE:
 		tmp = w_index & USB_ENDPOINT_NUMBER_MASK;
 		ep = &udc->ep[tmp];
-		if (w_value != USB_ENDPOINT_HALT || tmp > NUM_ENDPOINTS)
+		if (w_value != USB_ENDPOINT_HALT || tmp >= NUM_ENDPOINTS)
 			goto stall;
 		if (!ep->desc || ep->is_iso)
 			goto stall;
@@ -1195,7 +1195,7 @@ static void handle_setup(struct at91_udc *udc, struct at91_ep *ep, u32 csr)
 			| USB_REQ_CLEAR_FEATURE:
 		tmp = w_index & USB_ENDPOINT_NUMBER_MASK;
 		ep = &udc->ep[tmp];
-		if (w_value != USB_ENDPOINT_HALT || tmp > NUM_ENDPOINTS)
+		if (w_value != USB_ENDPOINT_HALT || tmp >= NUM_ENDPOINTS)
 			goto stall;
 		if (tmp == 0)
 			goto succeed;