drivers: usb: dwc_otg: fix reference passing when checking bandwidth

The pointer (struct usb_host_endpoint *)->hcpriv should contain a
reference to dwc_otg_qh_t if the driver has already seen a URB submitted
to this endpoint.

It then checks whether the qh exists and is already in a schedule in
order to decide whether to allocate periodic bandwidth or not. Passing a
pointer to an offset inside of struct usb_host_endpoint instead of just
the pointer means it dereferences bogus addresses.

Rationalise (delete) a variable while we're at it.

See https://github.com/raspberrypi/linux/issues/5189

Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>

diff --git a/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c b/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c
index 022488f..ca64686 100644 (file)
--- a/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c
+++ b/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c
@@ -807,7 +807,6 @@ static int dwc_otg_urb_enqueue(struct usb_hcd *hcd,
        struct usb_host_endpoint *ep = urb->ep;
 #endif
        dwc_irqflags_t irqflags;
-        void **ref_ep_hcpriv = &ep->hcpriv;
        dwc_otg_hcd_t *dwc_otg_hcd = hcd_to_dwc_otg_hcd(hcd);
        dwc_otg_hcd_urb_t *dwc_otg_urb;
        int i;
@@ -824,7 +823,7 @@ static int dwc_otg_urb_enqueue(struct usb_hcd *hcd,
        if ((usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS)
            || (usb_pipetype(urb->pipe) == PIPE_INTERRUPT)) {
                if (!dwc_otg_hcd_is_bandwidth_allocated
-                   (dwc_otg_hcd, ref_ep_hcpriv)) {
+                   (dwc_otg_hcd, ep->hcpriv)) {
                        alloc_bandwidth = 1;
                }
        }
@@ -910,13 +909,12 @@ static int dwc_otg_urb_enqueue(struct usb_hcd *hcd,
 #endif
        {
                retval = dwc_otg_hcd_urb_enqueue(dwc_otg_hcd, dwc_otg_urb,
-                                               /*(dwc_otg_qh_t **)*/
-                                               ref_ep_hcpriv, 1);
+                                               &ep->hcpriv, 1);
                if (0 == retval) {
                        if (alloc_bandwidth) {
                                allocate_bus_bandwidth(hcd,
                                                dwc_otg_hcd_get_ep_bandwidth(
-                                                       dwc_otg_hcd, *ref_ep_hcpriv),
+                                                       dwc_otg_hcd, ep->hcpriv),
                                                urb);
                        }
                } else {