Re: [PATCH] usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub
From: Doug Anderson
Date: Mon May 21 2018 - 18:47:23 EST
Hi,
On Mon, May 21, 2018 at 3:12 AM, William Wu <william.wu@xxxxxxxxxxxxxx> wrote:
> The dwc2_get_ls_map() use ttport to reference into the
> bitmap if we're on a multi_tt hub. But the bitmaps index
> from 0 to (hub->maxchild - 1), while the ttport index from
> 1 to hub->maxchild. This will cause invalid memory access
> when the number of ttport is hub->maxchild.
>
> Without this patch, I can easily meet a Kernel panic issue
> if connect a low-speed USB mouse with the max port of FE2.1
> multi-tt hub (1a40:0201) on rk3288 platform.
>
> Signed-off-by: William Wu <william.wu@xxxxxxxxxxxxxx>
> ---
> drivers/usb/dwc2/hcd_queue.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/dwc2/hcd_queue.c b/drivers/usb/dwc2/hcd_queue.c
> index d7c3d6c..9c55d1a 100644
> --- a/drivers/usb/dwc2/hcd_queue.c
> +++ b/drivers/usb/dwc2/hcd_queue.c
> @@ -383,7 +383,7 @@ static unsigned long *dwc2_get_ls_map(struct dwc2_hsotg *hsotg,
> /* Get the map and adjust if this is a multi_tt hub */
> map = qh->dwc_tt->periodic_bitmaps;
> if (qh->dwc_tt->usb_tt->multi)
> - map += DWC2_ELEMENTS_PER_LS_BITMAP * qh->ttport;
> + map += DWC2_ELEMENTS_PER_LS_BITMAP * (qh->ttport - 1);
Oops, thanks for the fix.
Fixes: 9f9f09b048f5 ("usb: dwc2: host: Totally redo the microframe scheduler")
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Douglas Anderson <dianders@xxxxxxxxxxxx>
-Doug