From: Peter Mamonov <pmamonov@gmail.com>
To: barebox@lists.infradead.org
Cc: Peter Mamonov <pmamonov@gmail.com>,
Kuo-Jung Su <dantesu@faraday-tech.com>
Subject: [PATCH] usb: ehci: prevent bad PORTSC register access
Date: Tue, 25 Aug 2015 15:59:58 +0300 [thread overview]
Message-ID: <1440507598-18050-1-git-send-email-pmamonov@gmail.com> (raw)
From: Kuo-Jung Su <dantesu@faraday-tech.com>
1. The 'index' of ehci_submit_root() is not always > 0.
e.g.
While it gets invoked from usb_get_descriptor(),
the 'index' is always a '0'. (See ch.9 of USB2.0)
2. The PORTSC register is not always required, and thus it
should only report a port error when necessary.
It would cause a port scan failure if the ehci_submit_root()
always gets terminated by a port error.
Signed-off-by: Kuo-Jung Su <dantesu@faraday-tech.com>
Signed-off-by: Peter Mamonov <pmamonov@gmail.com>
---
drivers/usb/host/ehci-hcd.c | 38 ++++++++++++++++++++++++--------------
1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
index 58c22db..1146b71 100644
--- a/drivers/usb/host/ehci-hcd.c
+++ b/drivers/usb/host/ehci-hcd.c
@@ -476,13 +476,8 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
int len, srclen;
uint32_t reg;
uint32_t *status_reg;
+ int port = le16_to_cpu(req->index);
- if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
- dev_err(ehci->dev, "The request port(%d) is not configured\n",
- le16_to_cpu(req->index) - 1);
- return -1;
- }
- status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1];
srclen = 0;
dev_dbg(ehci->dev, "req=%u (%#x), type=%u (%#x), value=%u, index=%u\n",
@@ -493,6 +488,21 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
typeReq = req->request | (req->requesttype << 8);
switch (typeReq) {
+ case USB_REQ_GET_STATUS | ((USB_RT_PORT | USB_DIR_IN) << 8):
+ case USB_REQ_SET_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8):
+ case USB_REQ_CLEAR_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8):
+ if (!port || port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
+ printf("The request port(%d) is not configured\n", port - 1);
+ return -1;
+ }
+ status_reg = (uint32_t *)&ehci->hcor->or_portsc[port - 1];
+ break;
+ default:
+ status_reg = NULL;
+ break;
+ }
+
+ switch (typeReq) {
case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
switch (le16_to_cpu(req->value) >> 8) {
case USB_DT_DEVICE:
@@ -571,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
if (reg & EHCI_PS_OCA)
tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT;
if (reg & EHCI_PS_PR &&
- (ehci->portreset & (1 << le16_to_cpu(req->index)))) {
+ (ehci->portreset & (1 << port))) {
int ret;
/* force reset to complete */
reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR);
@@ -581,7 +591,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
tmpbuf[0] |= USB_PORT_STAT_RESET;
else
dev_err(ehci->dev, "port(%d) reset error\n",
- le16_to_cpu(req->index) - 1);
+ port - 1);
}
if (reg & EHCI_PS_PP)
tmpbuf[1] |= USB_PORT_STAT_POWER >> 8;
@@ -608,7 +618,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
tmpbuf[2] |= USB_PORT_STAT_C_ENABLE;
if (reg & EHCI_PS_OCC)
tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT;
- if (ehci->portreset & (1 << le16_to_cpu(req->index)))
+ if (ehci->portreset & (1 << port))
tmpbuf[2] |= USB_PORT_STAT_C_RESET;
srcptr = tmpbuf;
@@ -634,7 +644,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
EHCI_PS_IS_LOWSPEED(reg)) {
/* Low speed device, give up ownership. */
dev_dbg(ehci->dev, "port %d low speed --> companion\n",
- req->index - 1);
+ port - 1);
reg |= EHCI_PS_PO;
ehci_writel(status_reg, reg);
break;
@@ -651,7 +661,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
*/
ehci_powerup_fixup(ehci);
mdelay(50);
- ehci->portreset |= 1 << le16_to_cpu(req->index);
+ ehci->portreset |= 1 << port;
/* terminate the reset */
ehci_writel(status_reg, reg & ~EHCI_PS_PR);
/*
@@ -663,10 +673,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
2 * 1000);
if (!ret)
ehci->portreset |=
- 1 << le16_to_cpu(req->index);
+ 1 << port;
else
dev_err(ehci->dev, "port(%d) reset error\n",
- le16_to_cpu(req->index) - 1);
+ port - 1);
}
break;
@@ -698,7 +708,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
reg |= EHCI_PS_OCC;
break;
case USB_PORT_FEAT_C_RESET:
- ehci->portreset &= ~(1 << le16_to_cpu(req->index));
+ ehci->portreset &= ~(1 << port);
break;
default:
dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value));
--
2.1.4
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next reply other threads:[~2015-08-25 12:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-25 12:59 Peter Mamonov [this message]
2015-08-25 15:45 ` Antony Pavlov
2015-08-26 12:23 ` Sascha Hauer
2015-08-26 17:16 ` Antony Pavlov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1440507598-18050-1-git-send-email-pmamonov@gmail.com \
--to=pmamonov@gmail.com \
--cc=barebox@lists.infradead.org \
--cc=dantesu@faraday-tech.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox