From 366250d6009a093ad8843a3721148aad7b45b291 Mon Sep 17 00:00:00 2001 From: Jonathan Bell Date: Tue, 25 Oct 2022 10:50:10 +0100 Subject: [PATCH] drivers: usb: dwc_otg: fix reference passing when checking bandwidth The pointer (struct usb_host_endpoint *)->hcpriv should contain a reference to dwc_otg_qh_t if the driver has already seen a URB submitted to this endpoint. It then checks whether the qh exists and is already in a schedule in order to decide whether to allocate periodic bandwidth or not. Passing a pointer to an offset inside of struct usb_host_endpoint instead of just the pointer means it dereferences bogus addresses. Rationalise (delete) a variable while we're at it. See https://github.com/raspberrypi/linux/issues/5189 Signed-off-by: Jonathan Bell --- drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c +++ b/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c @@ -807,7 +807,6 @@ static int dwc_otg_urb_enqueue(struct us struct usb_host_endpoint *ep = urb->ep; #endif dwc_irqflags_t irqflags; - void **ref_ep_hcpriv = &ep->hcpriv; dwc_otg_hcd_t *dwc_otg_hcd = hcd_to_dwc_otg_hcd(hcd); dwc_otg_hcd_urb_t *dwc_otg_urb; int i; @@ -824,7 +823,7 @@ static int dwc_otg_urb_enqueue(struct us if ((usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) || (usb_pipetype(urb->pipe) == PIPE_INTERRUPT)) { if (!dwc_otg_hcd_is_bandwidth_allocated - (dwc_otg_hcd, ref_ep_hcpriv)) { + (dwc_otg_hcd, ep->hcpriv)) { alloc_bandwidth = 1; } } @@ -910,13 +909,12 @@ static int dwc_otg_urb_enqueue(struct us #endif { retval = dwc_otg_hcd_urb_enqueue(dwc_otg_hcd, dwc_otg_urb, - /*(dwc_otg_qh_t **)*/ - ref_ep_hcpriv, 1); + &ep->hcpriv, 1); if (0 == retval) { if (alloc_bandwidth) { allocate_bus_bandwidth(hcd, dwc_otg_hcd_get_ep_bandwidth( - dwc_otg_hcd, *ref_ep_hcpriv), + dwc_otg_hcd, ep->hcpriv), urb); } } else {