GitLab has been upgraded to 13.3.6. If you encounter any issues mail

Commit ef249dac authored by Jeffrey Lee's avatar Jeffrey Lee

Fix memory corruption caused by longer than expected IN packets

  c/dwc_otg_riscos - Round all IO buffers out to a multiple of 512 bytes. This is a workaround for the way dwc_otg_hc_start_transfer rounds IN transfer request sizes up to a multiple of the max packet size (due to hardware limitations?). Without this workaround, we can easily get memory corruption if a device sends a short packet which is longer than we're expecting.
  Tested on Raspberry Pi
  Believed to fix crashes seen when using some keyboards/mice:

Version 0.17. Tagged as 'DWCDriver-0_17'
parent 1bec5bff
/* (0.16)
/* (0.17)
* This file is automatically maintained by srccommit, do not edit manually.
* Last processed by srccommit version: 1.1.
#define Module_MajorVersion_CMHG 0.16
#define Module_MajorVersion_CMHG 0.17
#define Module_MinorVersion_CMHG
#define Module_Date_CMHG 08 Jul 2014
#define Module_Date_CMHG 18 Oct 2014
#define Module_MajorVersion "0.16"
#define Module_Version 16
#define Module_MajorVersion "0.17"
#define Module_Version 17
#define Module_MinorVersion ""
#define Module_Date "08 Jul 2014"
#define Module_Date "18 Oct 2014"
#define Module_ApplicationDate "08-Jul-14"
#define Module_ApplicationDate "18-Oct-14"
#define Module_ComponentName "DWCDriver"
#define Module_ComponentPath "mixed/RiscOS/Sources/HWSupport/USB/Controllers/DWCDriver"
#define Module_FullVersion "0.16"
#define Module_HelpVersion "0.16 (08 Jul 2014)"
#define Module_LibraryVersionInfo "0:16"
#define Module_FullVersion "0.17"
#define Module_HelpVersion "0.17 (18 Oct 2014)"
#define Module_LibraryVersionInfo "0:17"
......@@ -199,6 +199,10 @@ usbd_status softc_allocm(struct usbd_bus *bus, usb_dma_t *dma, u_int32_t size)
usbd_status err;
(void) bus;
/* For IN transfers, dwc_otg_hc_start_transfer will round the request size up to a whole number of packets when it programs it into the controller.
This means we must also round up the buffer size, otherwise a device which sends a longer packet than expected will overflow the buffer
Unfortunately at this point we don't know the direction of the transfer or the max packet size of the device, so the best we can do is round all buffers to a multiple of 512 bytes */
size = (size+511) & ~511;
*dma = malloc_contig(size,0);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment