[PATCH] usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub

From: William Wu
Date: Mon May 21 2018 - 05:18:28 EST

Next message: John Garry: "[PATCH 05/13] scsi: hisi_sas: Reset disks when discovered"
Previous message: John Garry: "[PATCH 09/13] scsi: hisi_sas: Include TMF elements in struct hisi_sas_slot"
Next in thread: Doug Anderson: "Re: [PATCH] usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The dwc2_get_ls_map() use ttport to reference into the
bitmap if we're on a multi_tt hub. But the bitmaps index
from 0 to (hub->maxchild - 1), while the ttport index from
1 to hub->maxchild. This will cause invalid memory access
when the number of ttport is hub->maxchild.

Without this patch, I can easily meet a Kernel panic issue
if connect a low-speed USB mouse with the max port of FE2.1
multi-tt hub (1a40:0201) on rk3288 platform.

Signed-off-by: William Wu <william.wu@xxxxxxxxxxxxxx>
---
drivers/usb/dwc2/hcd_queue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/dwc2/hcd_queue.c b/drivers/usb/dwc2/hcd_queue.c
index d7c3d6c..9c55d1a 100644
--- a/drivers/usb/dwc2/hcd_queue.c
+++ b/drivers/usb/dwc2/hcd_queue.c
@@ -383,7 +383,7 @@ static unsigned long *dwc2_get_ls_map(struct dwc2_hsotg *hsotg,
/* Get the map and adjust if this is a multi_tt hub */
map = qh->dwc_tt->periodic_bitmaps;
if (qh->dwc_tt->usb_tt->multi)
- map += DWC2_ELEMENTS_PER_LS_BITMAP * qh->ttport;
+ map += DWC2_ELEMENTS_PER_LS_BITMAP * (qh->ttport - 1);

return map;
}
--
2.0.0

Next message: John Garry: "[PATCH 05/13] scsi: hisi_sas: Reset disks when discovered"
Previous message: John Garry: "[PATCH 09/13] scsi: hisi_sas: Include TMF elements in struct hisi_sas_slot"
Next in thread: Doug Anderson: "Re: [PATCH] usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]