1 From 366250d6009a093ad8843a3721148aad7b45b291 Mon Sep 17 00:00:00 2001
2 From: Jonathan Bell <jonathan@raspberrypi.com>
3 Date: Tue, 25 Oct 2022 10:50:10 +0100
4 Subject: [PATCH] drivers: usb: dwc_otg: fix reference passing when
7 The pointer (struct usb_host_endpoint *)->hcpriv should contain a
8 reference to dwc_otg_qh_t if the driver has already seen a URB submitted
11 It then checks whether the qh exists and is already in a schedule in
12 order to decide whether to allocate periodic bandwidth or not. Passing a
13 pointer to an offset inside of struct usb_host_endpoint instead of just
14 the pointer means it dereferences bogus addresses.
16 Rationalise (delete) a variable while we're at it.
18 See https://github.com/raspberrypi/linux/issues/5189
20 Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
22 drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c | 8 +++-----
23 1 file changed, 3 insertions(+), 5 deletions(-)
25 --- a/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c
26 +++ b/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c
27 @@ -807,7 +807,6 @@ static int dwc_otg_urb_enqueue(struct us
28 struct usb_host_endpoint *ep = urb->ep;
30 dwc_irqflags_t irqflags;
31 - void **ref_ep_hcpriv = &ep->hcpriv;
32 dwc_otg_hcd_t *dwc_otg_hcd = hcd_to_dwc_otg_hcd(hcd);
33 dwc_otg_hcd_urb_t *dwc_otg_urb;
35 @@ -824,7 +823,7 @@ static int dwc_otg_urb_enqueue(struct us
36 if ((usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS)
37 || (usb_pipetype(urb->pipe) == PIPE_INTERRUPT)) {
38 if (!dwc_otg_hcd_is_bandwidth_allocated
39 - (dwc_otg_hcd, ref_ep_hcpriv)) {
40 + (dwc_otg_hcd, ep->hcpriv)) {
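Review bot: The call `dwc_otg_hcd_is_bandwidth_allocated(dwc_otg_hcd, ep->hcpriv)` now passes the qh pointer itself, but nothing at the call site records that contract. The old `void **` argument evidently compiled without a diagnostic, so the callee presumably takes an untyped `void *`, and the same address-versus-value mix-up could return unnoticed. A one-line comment above the call would pin it down, for example `/* ep->hcpriv is the dwc_otg_qh_t pointer itself (NULL until a URB has been seen), not its address */`. The commit message says the callee checks whether the qh exists, so a NULL `ep->hcpriv` looks handled, but that check is not visible in this hunk and is worth confirming in the callee. The body of dwc_otg_urb_enqueue starts and ends outside this hunk.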
44 @@ -910,13 +909,12 @@ static int dwc_otg_urb_enqueue(struct us
47 retval = dwc_otg_hcd_urb_enqueue(dwc_otg_hcd, dwc_otg_urb,
48 - /*(dwc_otg_qh_t **)*/
52 if (alloc_bandwidth) {
53 allocate_bus_bandwidth(hcd,
54 dwc_otg_hcd_get_ep_bandwidth(
55 - dwc_otg_hcd, *ref_ep_hcpriv),
56 + dwc_otg_hcd, ep->hcpriv),