| Message ID | 1526897520-9340-1-git-send-email-william.wu@rock-chips.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Hi, On Mon, May 21, 2018 at 3:12 AM, William Wu <william.wu@rock-chips.com> wrote: > The dwc2_get_ls_map() use ttport to reference into the > bitmap if we're on a multi_tt hub. But the bitmaps index > from 0 to (hub->maxchild - 1), while the ttport index from > 1 to hub->maxchild. This will cause invalid memory access > when the number of ttport is hub->maxchild. > > Without this patch, I can easily meet a Kernel panic issue > if connect a low-speed USB mouse with the max port of FE2.1 > multi-tt hub (1a40:0201) on rk3288 platform. > > Signed-off-by: William Wu <william.wu@rock-chips.com> > --- > drivers/usb/dwc2/hcd_queue.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/dwc2/hcd_queue.c b/drivers/usb/dwc2/hcd_queue.c > index d7c3d6c..9c55d1a 100644 > --- a/drivers/usb/dwc2/hcd_queue.c > +++ b/drivers/usb/dwc2/hcd_queue.c > @@ -383,7 +383,7 @@ static unsigned long *dwc2_get_ls_map(struct dwc2_hsotg *hsotg, > /* Get the map and adjust if this is a multi_tt hub */ > map = qh->dwc_tt->periodic_bitmaps; > if (qh->dwc_tt->usb_tt->multi) > - map += DWC2_ELEMENTS_PER_LS_BITMAP * qh->ttport; > + map += DWC2_ELEMENTS_PER_LS_BITMAP * (qh->ttport - 1); Oops, thanks for the fix. Fixes: 9f9f09b048f5 ("usb: dwc2: host: Totally redo the microframe scheduler") Cc: stable@vger.kernel.org Reviewed-by: Douglas Anderson <dianders@chromium.org> -Doug
Acked-by Minas Harutyunyan hminas@synopsys.com> On 5/21/2018 2:13 PM, William Wu wrote: > The dwc2_get_ls_map() use ttport to reference into the > bitmap if we're on a multi_tt hub. But the bitmaps index > from 0 to (hub->maxchild - 1), while the ttport index from > 1 to hub->maxchild. This will cause invalid memory access > when the number of ttport is hub->maxchild. > > Without this patch, I can easily meet a Kernel panic issue > if connect a low-speed USB mouse with the max port of FE2.1 > multi-tt hub (1a40:0201) on rk3288 platform. > > Signed-off-by: William Wu <william.wu@rock-chips.com> > --- > drivers/usb/dwc2/hcd_queue.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/dwc2/hcd_queue.c b/drivers/usb/dwc2/hcd_queue.c > index d7c3d6c..9c55d1a 100644 > --- a/drivers/usb/dwc2/hcd_queue.c > +++ b/drivers/usb/dwc2/hcd_queue.c > @@ -383,7 +383,7 @@ static unsigned long *dwc2_get_ls_map(struct dwc2_hsotg *hsotg, > /* Get the map and adjust if this is a multi_tt hub */ > map = qh->dwc_tt->periodic_bitmaps; > if (qh->dwc_tt->usb_tt->multi) > - map += DWC2_ELEMENTS_PER_LS_BITMAP * qh->ttport; > + map += DWC2_ELEMENTS_PER_LS_BITMAP * (qh->ttport - 1); > > return map; > } >
diff --git a/drivers/usb/dwc2/hcd_queue.c b/drivers/usb/dwc2/hcd_queue.c index d7c3d6c..9c55d1a 100644 --- a/drivers/usb/dwc2/hcd_queue.c +++ b/drivers/usb/dwc2/hcd_queue.c @@ -383,7 +383,7 @@ static unsigned long *dwc2_get_ls_map(struct dwc2_hsotg *hsotg, /* Get the map and adjust if this is a multi_tt hub */ map = qh->dwc_tt->periodic_bitmaps; if (qh->dwc_tt->usb_tt->multi) - map += DWC2_ELEMENTS_PER_LS_BITMAP * qh->ttport; + map += DWC2_ELEMENTS_PER_LS_BITMAP * (qh->ttport - 1); return map; }
The dwc2_get_ls_map() use ttport to reference into the bitmap if we're on a multi_tt hub. But the bitmaps index from 0 to (hub->maxchild - 1), while the ttport index from 1 to hub->maxchild. This will cause invalid memory access when the number of ttport is hub->maxchild. Without this patch, I can easily meet a Kernel panic issue if connect a low-speed USB mouse with the max port of FE2.1 multi-tt hub (1a40:0201) on rk3288 platform. Signed-off-by: William Wu <william.wu@rock-chips.com> --- drivers/usb/dwc2/hcd_queue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)