* [PATCH] usb: ehci: prevent bad PORTSC register access @ 2015-08-25 12:59 Peter Mamonov 2015-08-25 15:45 ` Antony Pavlov 0 siblings, 1 reply; 4+ messages in thread From: Peter Mamonov @ 2015-08-25 12:59 UTC (permalink / raw) To: barebox; +Cc: Peter Mamonov, Kuo-Jung Su From: Kuo-Jung Su <dantesu@faraday-tech.com> 1. The 'index' of ehci_submit_root() is not always > 0. e.g. While it gets invoked from usb_get_descriptor(), the 'index' is always a '0'. (See ch.9 of USB2.0) 2. The PORTSC register is not always required, and thus it should only report a port error when necessary. It would cause a port scan failure if the ehci_submit_root() always gets terminated by a port error. Signed-off-by: Kuo-Jung Su <dantesu@faraday-tech.com> Signed-off-by: Peter Mamonov <pmamonov@gmail.com> --- drivers/usb/host/ehci-hcd.c | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c index 58c22db..1146b71 100644 --- a/drivers/usb/host/ehci-hcd.c +++ b/drivers/usb/host/ehci-hcd.c @@ -476,13 +476,8 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, int len, srclen; uint32_t reg; uint32_t *status_reg; + int port = le16_to_cpu(req->index); - if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { - dev_err(ehci->dev, "The request port(%d) is not configured\n", - le16_to_cpu(req->index) - 1); - return -1; - } - status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1]; srclen = 0; dev_dbg(ehci->dev, "req=%u (%#x), type=%u (%#x), value=%u, index=%u\n", @@ -493,6 +488,21 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, typeReq = req->request | (req->requesttype << 8); switch (typeReq) { + case USB_REQ_GET_STATUS | ((USB_RT_PORT | USB_DIR_IN) << 8): + case USB_REQ_SET_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8): + case USB_REQ_CLEAR_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8): + if (!port || port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { + printf("The request port(%d) is not configured\n", port - 1); + return -1; + } + status_reg = (uint32_t *)&ehci->hcor->or_portsc[port - 1]; + break; + default: + status_reg = NULL; + break; + } + + switch (typeReq) { case DeviceRequest | USB_REQ_GET_DESCRIPTOR: switch (le16_to_cpu(req->value) >> 8) { case USB_DT_DEVICE: @@ -571,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, if (reg & EHCI_PS_OCA) tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT; if (reg & EHCI_PS_PR && - (ehci->portreset & (1 << le16_to_cpu(req->index)))) { + (ehci->portreset & (1 << port))) { int ret; /* force reset to complete */ reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR); @@ -581,7 +591,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, tmpbuf[0] |= USB_PORT_STAT_RESET; else dev_err(ehci->dev, "port(%d) reset error\n", - le16_to_cpu(req->index) - 1); + port - 1); } if (reg & EHCI_PS_PP) tmpbuf[1] |= USB_PORT_STAT_POWER >> 8; @@ -608,7 +618,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, tmpbuf[2] |= USB_PORT_STAT_C_ENABLE; if (reg & EHCI_PS_OCC) tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT; - if (ehci->portreset & (1 << le16_to_cpu(req->index))) + if (ehci->portreset & (1 << port)) tmpbuf[2] |= USB_PORT_STAT_C_RESET; srcptr = tmpbuf; @@ -634,7 +644,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, EHCI_PS_IS_LOWSPEED(reg)) { /* Low speed device, give up ownership. */ dev_dbg(ehci->dev, "port %d low speed --> companion\n", - req->index - 1); + port - 1); reg |= EHCI_PS_PO; ehci_writel(status_reg, reg); break; @@ -651,7 +661,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, */ ehci_powerup_fixup(ehci); mdelay(50); - ehci->portreset |= 1 << le16_to_cpu(req->index); + ehci->portreset |= 1 << port; /* terminate the reset */ ehci_writel(status_reg, reg & ~EHCI_PS_PR); /* @@ -663,10 +673,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, 2 * 1000); if (!ret) ehci->portreset |= - 1 << le16_to_cpu(req->index); + 1 << port; else dev_err(ehci->dev, "port(%d) reset error\n", - le16_to_cpu(req->index) - 1); + port - 1); } break; @@ -698,7 +708,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, reg |= EHCI_PS_OCC; break; case USB_PORT_FEAT_C_RESET: - ehci->portreset &= ~(1 << le16_to_cpu(req->index)); + ehci->portreset &= ~(1 << port); break; default: dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value)); -- 2.1.4 _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] usb: ehci: prevent bad PORTSC register access 2015-08-25 12:59 [PATCH] usb: ehci: prevent bad PORTSC register access Peter Mamonov @ 2015-08-25 15:45 ` Antony Pavlov 2015-08-26 12:23 ` Sascha Hauer 0 siblings, 1 reply; 4+ messages in thread From: Antony Pavlov @ 2015-08-25 15:45 UTC (permalink / raw) To: Peter Mamonov; +Cc: barebox, Kuo-Jung Su On Tue, 25 Aug 2015 15:59:58 +0300 Peter Mamonov <pmamonov@gmail.com> wrote: > From: Kuo-Jung Su <dantesu@faraday-tech.com> > > 1. The 'index' of ehci_submit_root() is not always > 0. > > e.g. > While it gets invoked from usb_get_descriptor(), > the 'index' is always a '0'. (See ch.9 of USB2.0) > > 2. The PORTSC register is not always required, and thus it > should only report a port error when necessary. > It would cause a port scan failure if the ehci_submit_root() > always gets terminated by a port error. > > Signed-off-by: Kuo-Jung Su <dantesu@faraday-tech.com> > Signed-off-by: Peter Mamonov <pmamonov@gmail.com> > --- > drivers/usb/host/ehci-hcd.c | 38 ++++++++++++++++++++++++-------------- > 1 file changed, 24 insertions(+), 14 deletions(-) > > diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c > index 58c22db..1146b71 100644 > --- a/drivers/usb/host/ehci-hcd.c > +++ b/drivers/usb/host/ehci-hcd.c > @@ -476,13 +476,8 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > int len, srclen; > uint32_t reg; > uint32_t *status_reg; > + int port = le16_to_cpu(req->index); > > - if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { > - dev_err(ehci->dev, "The request port(%d) is not configured\n", > - le16_to_cpu(req->index) - 1); > - return -1; > - } > - status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1]; > srclen = 0; > > dev_dbg(ehci->dev, "req=%u (%#x), type=%u (%#x), value=%u, index=%u\n", > @@ -493,6 +488,21 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > typeReq = req->request | (req->requesttype << 8); > > switch (typeReq) { > + case USB_REQ_GET_STATUS | ((USB_RT_PORT | USB_DIR_IN) << 8): > + case USB_REQ_SET_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8): > + case USB_REQ_CLEAR_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8): > + if (!port || port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { > + printf("The request port(%d) is not configured\n", port - 1); > + return -1; > + } > + status_reg = (uint32_t *)&ehci->hcor->or_portsc[port - 1]; > + break; > + default: > + status_reg = NULL; > + break; > + } > + > + switch (typeReq) { > case DeviceRequest | USB_REQ_GET_DESCRIPTOR: > switch (le16_to_cpu(req->value) >> 8) { > case USB_DT_DEVICE: > @@ -571,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > if (reg & EHCI_PS_OCA) > tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT; > if (reg & EHCI_PS_PR && > - (ehci->portreset & (1 << le16_to_cpu(req->index)))) { > + (ehci->portreset & (1 << port))) { > int ret; > /* force reset to complete */ > reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR); > @@ -581,7 +591,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > tmpbuf[0] |= USB_PORT_STAT_RESET; > else > dev_err(ehci->dev, "port(%d) reset error\n", > - le16_to_cpu(req->index) - 1); > + port - 1); > } > if (reg & EHCI_PS_PP) > tmpbuf[1] |= USB_PORT_STAT_POWER >> 8; > @@ -608,7 +618,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > tmpbuf[2] |= USB_PORT_STAT_C_ENABLE; > if (reg & EHCI_PS_OCC) > tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT; > - if (ehci->portreset & (1 << le16_to_cpu(req->index))) > + if (ehci->portreset & (1 << port)) > tmpbuf[2] |= USB_PORT_STAT_C_RESET; > > srcptr = tmpbuf; > @@ -634,7 +644,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > EHCI_PS_IS_LOWSPEED(reg)) { > /* Low speed device, give up ownership. */ > dev_dbg(ehci->dev, "port %d low speed --> companion\n", > - req->index - 1); > + port - 1); > reg |= EHCI_PS_PO; > ehci_writel(status_reg, reg); > break; > @@ -651,7 +661,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > */ > ehci_powerup_fixup(ehci); > mdelay(50); > - ehci->portreset |= 1 << le16_to_cpu(req->index); > + ehci->portreset |= 1 << port; > /* terminate the reset */ > ehci_writel(status_reg, reg & ~EHCI_PS_PR); > /* > @@ -663,10 +673,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > 2 * 1000); > if (!ret) > ehci->portreset |= > - 1 << le16_to_cpu(req->index); > + 1 << port; > else > dev_err(ehci->dev, "port(%d) reset error\n", > - le16_to_cpu(req->index) - 1); > + port - 1); > > } > break; > @@ -698,7 +708,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > reg |= EHCI_PS_OCC; > break; > case USB_PORT_FEAT_C_RESET: > - ehci->portreset &= ~(1 << le16_to_cpu(req->index)); > + ehci->portreset &= ~(1 << port); > break; > default: > dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value)); > -- > 2.1.4 > Actually this patch combines two U-boot patches: * usb: ehci: prevent bad PORTSC register access (http://lists.denx.de/pipermail/u-boot/2013-May/154319.html) * usb: Add new command to set USB 2.0 port test modes (http://lists.denx.de/pipermail/u-boot/2013-March/148104.html) -- Best regards, Antony Pavlov _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] usb: ehci: prevent bad PORTSC register access 2015-08-25 15:45 ` Antony Pavlov @ 2015-08-26 12:23 ` Sascha Hauer 2015-08-26 17:16 ` Antony Pavlov 0 siblings, 1 reply; 4+ messages in thread From: Sascha Hauer @ 2015-08-26 12:23 UTC (permalink / raw) To: Antony Pavlov; +Cc: barebox, Kuo-Jung Su, Peter Mamonov On Tue, Aug 25, 2015 at 06:45:21PM +0300, Antony Pavlov wrote: > On Tue, 25 Aug 2015 15:59:58 +0300 > Peter Mamonov <pmamonov@gmail.com> wrote: > > > From: Kuo-Jung Su <dantesu@faraday-tech.com> > > > > 1. The 'index' of ehci_submit_root() is not always > 0. > > > > e.g. > > While it gets invoked from usb_get_descriptor(), > > the 'index' is always a '0'. (See ch.9 of USB2.0) > > > > 2. The PORTSC register is not always required, and thus it > > should only report a port error when necessary. > > It would cause a port scan failure if the ehci_submit_root() > > always gets terminated by a port error. > > > > Signed-off-by: Kuo-Jung Su <dantesu@faraday-tech.com> > > Signed-off-by: Peter Mamonov <pmamonov@gmail.com> > > --- > > drivers/usb/host/ehci-hcd.c | 38 ++++++++++++++++++++++++-------------- > > 1 file changed, 24 insertions(+), 14 deletions(-) > > > > diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c > > index 58c22db..1146b71 100644 > > --- a/drivers/usb/host/ehci-hcd.c > > +++ b/drivers/usb/host/ehci-hcd.c > > @@ -476,13 +476,8 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > int len, srclen; > > uint32_t reg; > > uint32_t *status_reg; > > + int port = le16_to_cpu(req->index); > > > > - if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { > > - dev_err(ehci->dev, "The request port(%d) is not configured\n", > > - le16_to_cpu(req->index) - 1); > > - return -1; > > - } > > - status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1]; > > srclen = 0; > > > > dev_dbg(ehci->dev, "req=%u (%#x), type=%u (%#x), value=%u, index=%u\n", > > @@ -493,6 +488,21 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > typeReq = req->request | (req->requesttype << 8); > > > > switch (typeReq) { > > + case USB_REQ_GET_STATUS | ((USB_RT_PORT | USB_DIR_IN) << 8): > > + case USB_REQ_SET_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8): > > + case USB_REQ_CLEAR_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8): > > + if (!port || port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { > > + printf("The request port(%d) is not configured\n", port - 1); > > + return -1; > > + } > > + status_reg = (uint32_t *)&ehci->hcor->or_portsc[port - 1]; > > + break; > > + default: > > + status_reg = NULL; > > + break; > > + } > > + > > + switch (typeReq) { > > case DeviceRequest | USB_REQ_GET_DESCRIPTOR: > > switch (le16_to_cpu(req->value) >> 8) { > > case USB_DT_DEVICE: > > @@ -571,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > if (reg & EHCI_PS_OCA) > > tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT; > > if (reg & EHCI_PS_PR && > > - (ehci->portreset & (1 << le16_to_cpu(req->index)))) { > > + (ehci->portreset & (1 << port))) { > > int ret; > > /* force reset to complete */ > > reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR); > > @@ -581,7 +591,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > tmpbuf[0] |= USB_PORT_STAT_RESET; > > else > > dev_err(ehci->dev, "port(%d) reset error\n", > > - le16_to_cpu(req->index) - 1); > > + port - 1); > > } > > if (reg & EHCI_PS_PP) > > tmpbuf[1] |= USB_PORT_STAT_POWER >> 8; > > @@ -608,7 +618,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > tmpbuf[2] |= USB_PORT_STAT_C_ENABLE; > > if (reg & EHCI_PS_OCC) > > tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT; > > - if (ehci->portreset & (1 << le16_to_cpu(req->index))) > > + if (ehci->portreset & (1 << port)) > > tmpbuf[2] |= USB_PORT_STAT_C_RESET; > > > > srcptr = tmpbuf; > > @@ -634,7 +644,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > EHCI_PS_IS_LOWSPEED(reg)) { > > /* Low speed device, give up ownership. */ > > dev_dbg(ehci->dev, "port %d low speed --> companion\n", > > - req->index - 1); > > + port - 1); > > reg |= EHCI_PS_PO; > > ehci_writel(status_reg, reg); > > break; > > @@ -651,7 +661,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > */ > > ehci_powerup_fixup(ehci); > > mdelay(50); > > - ehci->portreset |= 1 << le16_to_cpu(req->index); > > + ehci->portreset |= 1 << port; > > /* terminate the reset */ > > ehci_writel(status_reg, reg & ~EHCI_PS_PR); > > /* > > @@ -663,10 +673,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > 2 * 1000); > > if (!ret) > > ehci->portreset |= > > - 1 << le16_to_cpu(req->index); > > + 1 << port; > > else > > dev_err(ehci->dev, "port(%d) reset error\n", > > - le16_to_cpu(req->index) - 1); > > + port - 1); > > > > } > > break; > > @@ -698,7 +708,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > reg |= EHCI_PS_OCC; > > break; > > case USB_PORT_FEAT_C_RESET: > > - ehci->portreset &= ~(1 << le16_to_cpu(req->index)); > > + ehci->portreset &= ~(1 << port); > > break; > > default: > > dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value)); > > -- > > 2.1.4 > > > > > Actually this patch combines two U-boot patches: > > * usb: ehci: prevent bad PORTSC register access (http://lists.denx.de/pipermail/u-boot/2013-May/154319.html) > * usb: Add new command to set USB 2.0 port test modes (http://lists.denx.de/pipermail/u-boot/2013-March/148104.html) Not really. This patch contains only the parts of "usb: Add new command to set USB 2.0 port test modes" which are necessary to make this one apply. I splitted this up to two patches while applying with the patch below. Sascha -----------------------------8<----------------------- From 484a1fb56890fee13a73070e0d868a3349a47c19 Mon Sep 17 00:00:00 2001 From: Kuo-Jung Su <dantesu@faraday-tech.com> Date: Tue, 25 Aug 2015 15:59:58 +0300 Subject: [PATCH 2/3] usb: ehci: replace multiple use of le16_to_cpu(req->index) with variable This is part of U-Boot commit: 7d9aa8f usb: Add new command to set USB 2.0 port test modes Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> --- drivers/usb/host/ehci-hcd.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c index 0e7c595..8a6bbc9 100644 --- a/drivers/usb/host/ehci-hcd.c +++ b/drivers/usb/host/ehci-hcd.c @@ -475,10 +475,11 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, int len, srclen; uint32_t reg; uint32_t *status_reg; + int port = le16_to_cpu(req->index); if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { dev_err(ehci->dev, "The request port(%d) is not configured\n", - le16_to_cpu(req->index) - 1); + port - 1); return -1; } status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1]; @@ -570,7 +571,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, if (reg & EHCI_PS_OCA) tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT; if (reg & EHCI_PS_PR && - (ehci->portreset & (1 << le16_to_cpu(req->index)))) { + (ehci->portreset & (1 << port))) { int ret; /* force reset to complete */ reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR); @@ -580,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, tmpbuf[0] |= USB_PORT_STAT_RESET; else dev_err(ehci->dev, "port(%d) reset error\n", - le16_to_cpu(req->index) - 1); + port - 1); } if (reg & EHCI_PS_PP) tmpbuf[1] |= USB_PORT_STAT_POWER >> 8; @@ -607,7 +608,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, tmpbuf[2] |= USB_PORT_STAT_C_ENABLE; if (reg & EHCI_PS_OCC) tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT; - if (ehci->portreset & (1 << le16_to_cpu(req->index))) + if (ehci->portreset & (1 << port)) tmpbuf[2] |= USB_PORT_STAT_C_RESET; srcptr = tmpbuf; @@ -633,7 +634,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, EHCI_PS_IS_LOWSPEED(reg)) { /* Low speed device, give up ownership. */ dev_dbg(ehci->dev, "port %d low speed --> companion\n", - req->index - 1); + port - 1); reg |= EHCI_PS_PO; ehci_writel(status_reg, reg); break; @@ -650,7 +651,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, */ ehci_powerup_fixup(ehci); mdelay(50); - ehci->portreset |= 1 << le16_to_cpu(req->index); + ehci->portreset |= 1 << port; /* terminate the reset */ ehci_writel(status_reg, reg & ~EHCI_PS_PR); /* @@ -662,10 +663,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, 2 * 1000); if (!ret) ehci->portreset |= - 1 << le16_to_cpu(req->index); + 1 << port; else dev_err(ehci->dev, "port(%d) reset error\n", - le16_to_cpu(req->index) - 1); + port - 1); } break; @@ -697,7 +698,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, reg |= EHCI_PS_OCC; break; case USB_PORT_FEAT_C_RESET: - ehci->portreset &= ~(1 << le16_to_cpu(req->index)); + ehci->portreset &= ~(1 << port); break; default: dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value)); -- 2.5.0 -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] usb: ehci: prevent bad PORTSC register access 2015-08-26 12:23 ` Sascha Hauer @ 2015-08-26 17:16 ` Antony Pavlov 0 siblings, 0 replies; 4+ messages in thread From: Antony Pavlov @ 2015-08-26 17:16 UTC (permalink / raw) To: Sascha Hauer; +Cc: barebox, Kuo-Jung Su, Peter Mamonov On Wed, 26 Aug 2015 14:23:13 +0200 Sascha Hauer <s.hauer@pengutronix.de> wrote: > On Tue, Aug 25, 2015 at 06:45:21PM +0300, Antony Pavlov wrote: > > On Tue, 25 Aug 2015 15:59:58 +0300 > > Peter Mamonov <pmamonov@gmail.com> wrote: > > > > > From: Kuo-Jung Su <dantesu@faraday-tech.com> > > > > > > 1. The 'index' of ehci_submit_root() is not always > 0. > > > > > > e.g. > > > While it gets invoked from usb_get_descriptor(), > > > the 'index' is always a '0'. (See ch.9 of USB2.0) > > > > > > 2. The PORTSC register is not always required, and thus it > > > should only report a port error when necessary. > > > It would cause a port scan failure if the ehci_submit_root() > > > always gets terminated by a port error. > > > > > > Signed-off-by: Kuo-Jung Su <dantesu@faraday-tech.com> > > > Signed-off-by: Peter Mamonov <pmamonov@gmail.com> > > > --- > > > drivers/usb/host/ehci-hcd.c | 38 ++++++++++++++++++++++++-------------- > > > 1 file changed, 24 insertions(+), 14 deletions(-) > > > > > > diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c > > > index 58c22db..1146b71 100644 > > > --- a/drivers/usb/host/ehci-hcd.c > > > +++ b/drivers/usb/host/ehci-hcd.c > > > @@ -476,13 +476,8 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > > int len, srclen; > > > uint32_t reg; > > > uint32_t *status_reg; > > > + int port = le16_to_cpu(req->index); > > > > > > - if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { > > > - dev_err(ehci->dev, "The request port(%d) is not configured\n", > > > - le16_to_cpu(req->index) - 1); > > > - return -1; > > > - } > > > - status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1]; > > > srclen = 0; > > > > > > dev_dbg(ehci->dev, "req=%u (%#x), type=%u (%#x), value=%u, index=%u\n", > > > @@ -493,6 +488,21 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > > typeReq = req->request | (req->requesttype << 8); > > > > > > switch (typeReq) { > > > + case USB_REQ_GET_STATUS | ((USB_RT_PORT | USB_DIR_IN) << 8): > > > + case USB_REQ_SET_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8): > > > + case USB_REQ_CLEAR_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8): > > > + if (!port || port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { > > > + printf("The request port(%d) is not configured\n", port - 1); > > > + return -1; > > > + } > > > + status_reg = (uint32_t *)&ehci->hcor->or_portsc[port - 1]; > > > + break; > > > + default: > > > + status_reg = NULL; > > > + break; > > > + } > > > + > > > + switch (typeReq) { > > > case DeviceRequest | USB_REQ_GET_DESCRIPTOR: > > > switch (le16_to_cpu(req->value) >> 8) { > > > case USB_DT_DEVICE: > > > @@ -571,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > > if (reg & EHCI_PS_OCA) > > > tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT; > > > if (reg & EHCI_PS_PR && > > > - (ehci->portreset & (1 << le16_to_cpu(req->index)))) { > > > + (ehci->portreset & (1 << port))) { > > > int ret; > > > /* force reset to complete */ > > > reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR); > > > @@ -581,7 +591,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > > tmpbuf[0] |= USB_PORT_STAT_RESET; > > > else > > > dev_err(ehci->dev, "port(%d) reset error\n", > > > - le16_to_cpu(req->index) - 1); > > > + port - 1); > > > } > > > if (reg & EHCI_PS_PP) > > > tmpbuf[1] |= USB_PORT_STAT_POWER >> 8; > > > @@ -608,7 +618,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > > tmpbuf[2] |= USB_PORT_STAT_C_ENABLE; > > > if (reg & EHCI_PS_OCC) > > > tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT; > > > - if (ehci->portreset & (1 << le16_to_cpu(req->index))) > > > + if (ehci->portreset & (1 << port)) > > > tmpbuf[2] |= USB_PORT_STAT_C_RESET; > > > > > > srcptr = tmpbuf; > > > @@ -634,7 +644,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > > EHCI_PS_IS_LOWSPEED(reg)) { > > > /* Low speed device, give up ownership. */ > > > dev_dbg(ehci->dev, "port %d low speed --> companion\n", > > > - req->index - 1); > > > + port - 1); > > > reg |= EHCI_PS_PO; > > > ehci_writel(status_reg, reg); > > > break; > > > @@ -651,7 +661,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > > */ > > > ehci_powerup_fixup(ehci); > > > mdelay(50); > > > - ehci->portreset |= 1 << le16_to_cpu(req->index); > > > + ehci->portreset |= 1 << port; > > > /* terminate the reset */ > > > ehci_writel(status_reg, reg & ~EHCI_PS_PR); > > > /* > > > @@ -663,10 +673,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > > 2 * 1000); > > > if (!ret) > > > ehci->portreset |= > > > - 1 << le16_to_cpu(req->index); > > > + 1 << port; > > > else > > > dev_err(ehci->dev, "port(%d) reset error\n", > > > - le16_to_cpu(req->index) - 1); > > > + port - 1); > > > > > > } > > > break; > > > @@ -698,7 +708,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > > > reg |= EHCI_PS_OCC; > > > break; > > > case USB_PORT_FEAT_C_RESET: > > > - ehci->portreset &= ~(1 << le16_to_cpu(req->index)); > > > + ehci->portreset &= ~(1 << port); > > > break; > > > default: > > > dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value)); > > > -- > > > 2.1.4 > > > > > > > > > Actually this patch combines two U-boot patches: > > > > * usb: ehci: prevent bad PORTSC register access (http://lists.denx.de/pipermail/u-boot/2013-May/154319.html) > > * usb: Add new command to set USB 2.0 port test modes (http://lists.denx.de/pipermail/u-boot/2013-March/148104.html) > > Not really. This patch contains only the parts of "usb: Add new command > to set USB 2.0 port test modes" which are necessary to make this one > apply. I splitted this up to two patches while applying with the patch > below. > > Sascha > > -----------------------------8<----------------------- > > From 484a1fb56890fee13a73070e0d868a3349a47c19 Mon Sep 17 00:00:00 2001 > From: Kuo-Jung Su <dantesu@faraday-tech.com> Author: Julius Werner <jwerner@chromium.org> > Date: Tue, 25 Aug 2015 15:59:58 +0300 > Subject: [PATCH 2/3] usb: ehci: replace multiple use of > le16_to_cpu(req->index) with variable > > This is part of U-Boot commit: > > 7d9aa8f usb: Add new command to set USB 2.0 port test modes > > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> > --- > drivers/usb/host/ehci-hcd.c | 19 ++++++++++--------- > 1 file changed, 10 insertions(+), 9 deletions(-) > > diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c > index 0e7c595..8a6bbc9 100644 > --- a/drivers/usb/host/ehci-hcd.c > +++ b/drivers/usb/host/ehci-hcd.c > @@ -475,10 +475,11 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > int len, srclen; > uint32_t reg; > uint32_t *status_reg; > + int port = le16_to_cpu(req->index); > > if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { > dev_err(ehci->dev, "The request port(%d) is not configured\n", > - le16_to_cpu(req->index) - 1); > + port - 1); > return -1; > } > status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1]; > @@ -570,7 +571,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > if (reg & EHCI_PS_OCA) > tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT; > if (reg & EHCI_PS_PR && > - (ehci->portreset & (1 << le16_to_cpu(req->index)))) { > + (ehci->portreset & (1 << port))) { > int ret; > /* force reset to complete */ > reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR); > @@ -580,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > tmpbuf[0] |= USB_PORT_STAT_RESET; > else > dev_err(ehci->dev, "port(%d) reset error\n", > - le16_to_cpu(req->index) - 1); > + port - 1); > } > if (reg & EHCI_PS_PP) > tmpbuf[1] |= USB_PORT_STAT_POWER >> 8; > @@ -607,7 +608,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > tmpbuf[2] |= USB_PORT_STAT_C_ENABLE; > if (reg & EHCI_PS_OCC) > tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT; > - if (ehci->portreset & (1 << le16_to_cpu(req->index))) > + if (ehci->portreset & (1 << port)) > tmpbuf[2] |= USB_PORT_STAT_C_RESET; > > srcptr = tmpbuf; > @@ -633,7 +634,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > EHCI_PS_IS_LOWSPEED(reg)) { > /* Low speed device, give up ownership. */ > dev_dbg(ehci->dev, "port %d low speed --> companion\n", > - req->index - 1); > + port - 1); > reg |= EHCI_PS_PO; > ehci_writel(status_reg, reg); > break; > @@ -650,7 +651,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > */ > ehci_powerup_fixup(ehci); > mdelay(50); > - ehci->portreset |= 1 << le16_to_cpu(req->index); > + ehci->portreset |= 1 << port; > /* terminate the reset */ > ehci_writel(status_reg, reg & ~EHCI_PS_PR); > /* > @@ -662,10 +663,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > 2 * 1000); > if (!ret) > ehci->portreset |= > - 1 << le16_to_cpu(req->index); > + 1 << port; > else > dev_err(ehci->dev, "port(%d) reset error\n", > - le16_to_cpu(req->index) - 1); > + port - 1); > > } > break; > @@ -697,7 +698,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, > reg |= EHCI_PS_OCC; > break; > case USB_PORT_FEAT_C_RESET: > - ehci->portreset &= ~(1 << le16_to_cpu(req->index)); > + ehci->portreset &= ~(1 << port); > break; > default: > dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value)); > -- > 2.5.0 > > -- > Pengutronix e.K. | | > Industrial Linux Solutions | http://www.pengutronix.de/ | > Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | -- -- Best regards, Antony Pavlov _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-08-26 17:08 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-08-25 12:59 [PATCH] usb: ehci: prevent bad PORTSC register access Peter Mamonov 2015-08-25 15:45 ` Antony Pavlov 2015-08-26 12:23 ` Sascha Hauer 2015-08-26 17:16 ` Antony Pavlov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox