This bug initially manifested itself as an infinite loop printing the message:

ERROR: usb2: ifno = 17 > USB_MAXINTERFACES = 16 !

Such a hang could equally happen if actual USB devices besides the root hub report bogus descriptors. This was fixed by not trusting device-reported sizes blindly in commit b6a510525e63 ("usb: Use well-known descriptor sizes when parsing configuration").

The root cause remains though, which is that the xHCI root hub reported an erroneous size for USB_DT_CONFIG descriptor: The descriptor size of 0x19 seems to be a copy-paste left-over from EHCI (USB_DT_CONFIG_SIZE + USB_DT_INTERFACE_SIZE + USB_DT_ENDPOINT_SIZE).

xHCI has an additional USB_DT_SS_EP_COMP_SIZE == 6 for SuperSpeed, which gets us to 0x19 + 0x6 == 0x1f. By using 0x19, the memcpy() in xhci_submit_root skipped over the last 6 bytes, but the descriptor itself still had a wTotalLength of 0x1f leading to a read of 6 uninitialized bytes.

Fix this by using the correct size.

Fixes: 105b2eabd55a ("usb: Add U-Boot xhci driver")
Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
--- drivers/usb/host/xhci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index e7b8344181ee..bad247ff9e19 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -903,7 +903,7 @@ static int xhci_submit_root(struct usb_device *udev, unsigned long pipe, case USB_DT_CONFIG: dev_dbg(&udev->dev, "USB_DT_CONFIG config\n"); srcptr = &descriptor.config; - srclen = 0x19; + srclen = 0x1f; break; case USB_DT_STRING: dev_dbg(&udev->dev, "USB_DT_STRING config\n"); -- 2.39.2
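Review bot: the new "srclen = 0x1f;" in the USB_DT_CONFIG case is still a bare magic number, which is how the stale EHCI value 0x19 went unnoticed in the first place. Consider spelling it out as USB_DT_CONFIG_SIZE + USB_DT_INTERFACE_SIZE + USB_DT_ENDPOINT_SIZE + USB_DT_SS_EP_COMP_SIZE, the sum the commit message already gives, or deriving it from the object that srcptr points at (descriptor.config), assuming that struct holds exactly these descriptors with no padding. Either form keeps the copy length tied to the descriptor layout, so a later change to the layout or to wTotalLength cannot silently reintroduce a short copy and an uninitialized read. A brief comment noting that srclen must equal the descriptor's wTotalLength would also help the next reader.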