mail archive of the barebox mailing list
 help / color / mirror / Atom feed
* [PATCH] usb: ehci: prevent bad PORTSC register access
@ 2015-08-25 12:59 Peter Mamonov
  2015-08-25 15:45 ` Antony Pavlov
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Mamonov @ 2015-08-25 12:59 UTC (permalink / raw)
  To: barebox; +Cc: Peter Mamonov, Kuo-Jung Su

From: Kuo-Jung Su <dantesu@faraday-tech.com>

1. The 'index' of ehci_submit_root() is not always > 0.

   e.g.
   While it gets invoked from usb_get_descriptor(),
   the 'index' is always a '0'. (See ch.9 of USB2.0)

2. The PORTSC register is not always required, and thus it
   should only report a port error when necessary.
   It would cause a port scan failure if the ehci_submit_root()
   always gets terminated by a port error.

Signed-off-by: Kuo-Jung Su <dantesu@faraday-tech.com>
Signed-off-by: Peter Mamonov <pmamonov@gmail.com>
---
 drivers/usb/host/ehci-hcd.c | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
index 58c22db..1146b71 100644
--- a/drivers/usb/host/ehci-hcd.c
+++ b/drivers/usb/host/ehci-hcd.c
@@ -476,13 +476,8 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 	int len, srclen;
 	uint32_t reg;
 	uint32_t *status_reg;
+	int port = le16_to_cpu(req->index);
 
-	if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
-		dev_err(ehci->dev, "The request port(%d) is not configured\n",
-			le16_to_cpu(req->index) - 1);
-		return -1;
-	}
-	status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1];
 	srclen = 0;
 
 	dev_dbg(ehci->dev, "req=%u (%#x), type=%u (%#x), value=%u, index=%u\n",
@@ -493,6 +488,21 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 	typeReq = req->request | (req->requesttype << 8);
 
 	switch (typeReq) {
+	case USB_REQ_GET_STATUS | ((USB_RT_PORT | USB_DIR_IN) << 8):
+	case USB_REQ_SET_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8):
+	case USB_REQ_CLEAR_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8):
+		if (!port || port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
+			printf("The request port(%d) is not configured\n", port - 1);
+			return -1;
+		}
+		status_reg = (uint32_t *)&ehci->hcor->or_portsc[port - 1];
+		break;
+	default:
+		status_reg = NULL;
+		break;
+	}
+
+	switch (typeReq) {
 	case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
 		switch (le16_to_cpu(req->value) >> 8) {
 		case USB_DT_DEVICE:
@@ -571,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 		if (reg & EHCI_PS_OCA)
 			tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT;
 		if (reg & EHCI_PS_PR &&
-		    (ehci->portreset & (1 << le16_to_cpu(req->index)))) {
+		    (ehci->portreset & (1 << port))) {
 			int ret;
 			/* force reset to complete */
 			reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR);
@@ -581,7 +591,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 				tmpbuf[0] |= USB_PORT_STAT_RESET;
 			else
 				dev_err(ehci->dev, "port(%d) reset error\n",
-					le16_to_cpu(req->index) - 1);
+					port - 1);
 		}
 		if (reg & EHCI_PS_PP)
 			tmpbuf[1] |= USB_PORT_STAT_POWER >> 8;
@@ -608,7 +618,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 			tmpbuf[2] |= USB_PORT_STAT_C_ENABLE;
 		if (reg & EHCI_PS_OCC)
 			tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT;
-		if (ehci->portreset & (1 << le16_to_cpu(req->index)))
+		if (ehci->portreset & (1 << port))
 			tmpbuf[2] |= USB_PORT_STAT_C_RESET;
 
 		srcptr = tmpbuf;
@@ -634,7 +644,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 			    EHCI_PS_IS_LOWSPEED(reg)) {
 				/* Low speed device, give up ownership. */
 				dev_dbg(ehci->dev, "port %d low speed --> companion\n",
-				      req->index - 1);
+				      port - 1);
 				reg |= EHCI_PS_PO;
 				ehci_writel(status_reg, reg);
 				break;
@@ -651,7 +661,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 				 */
 				ehci_powerup_fixup(ehci);
 				mdelay(50);
-				ehci->portreset |= 1 << le16_to_cpu(req->index);
+				ehci->portreset |= 1 << port;
 				/* terminate the reset */
 				ehci_writel(status_reg, reg & ~EHCI_PS_PR);
 				/*
@@ -663,10 +673,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 						2 * 1000);
 				if (!ret)
 					ehci->portreset |=
-						1 << le16_to_cpu(req->index);
+						1 << port;
 				else
 					dev_err(ehci->dev, "port(%d) reset error\n",
-						le16_to_cpu(req->index) - 1);
+						port - 1);
 
 			}
 			break;
@@ -698,7 +708,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 			reg |= EHCI_PS_OCC;
 			break;
 		case USB_PORT_FEAT_C_RESET:
-			ehci->portreset &= ~(1 << le16_to_cpu(req->index));
+			ehci->portreset &= ~(1 << port);
 			break;
 		default:
 			dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value));
-- 
2.1.4


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] usb: ehci: prevent bad PORTSC register access
  2015-08-25 12:59 [PATCH] usb: ehci: prevent bad PORTSC register access Peter Mamonov
@ 2015-08-25 15:45 ` Antony Pavlov
  2015-08-26 12:23   ` Sascha Hauer
  0 siblings, 1 reply; 4+ messages in thread
From: Antony Pavlov @ 2015-08-25 15:45 UTC (permalink / raw)
  To: Peter Mamonov; +Cc: barebox, Kuo-Jung Su

On Tue, 25 Aug 2015 15:59:58 +0300
Peter Mamonov <pmamonov@gmail.com> wrote:

> From: Kuo-Jung Su <dantesu@faraday-tech.com>
> 
> 1. The 'index' of ehci_submit_root() is not always > 0.
> 
>    e.g.
>    While it gets invoked from usb_get_descriptor(),
>    the 'index' is always a '0'. (See ch.9 of USB2.0)
> 
> 2. The PORTSC register is not always required, and thus it
>    should only report a port error when necessary.
>    It would cause a port scan failure if the ehci_submit_root()
>    always gets terminated by a port error.
> 
> Signed-off-by: Kuo-Jung Su <dantesu@faraday-tech.com>
> Signed-off-by: Peter Mamonov <pmamonov@gmail.com>
> ---
>  drivers/usb/host/ehci-hcd.c | 38 ++++++++++++++++++++++++--------------
>  1 file changed, 24 insertions(+), 14 deletions(-)
> 
> diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
> index 58c22db..1146b71 100644
> --- a/drivers/usb/host/ehci-hcd.c
> +++ b/drivers/usb/host/ehci-hcd.c
> @@ -476,13 +476,8 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  	int len, srclen;
>  	uint32_t reg;
>  	uint32_t *status_reg;
> +	int port = le16_to_cpu(req->index);
>  
> -	if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
> -		dev_err(ehci->dev, "The request port(%d) is not configured\n",
> -			le16_to_cpu(req->index) - 1);
> -		return -1;
> -	}
> -	status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1];
>  	srclen = 0;
>  
>  	dev_dbg(ehci->dev, "req=%u (%#x), type=%u (%#x), value=%u, index=%u\n",
> @@ -493,6 +488,21 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  	typeReq = req->request | (req->requesttype << 8);
>  
>  	switch (typeReq) {
> +	case USB_REQ_GET_STATUS | ((USB_RT_PORT | USB_DIR_IN) << 8):
> +	case USB_REQ_SET_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8):
> +	case USB_REQ_CLEAR_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8):
> +		if (!port || port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
> +			printf("The request port(%d) is not configured\n", port - 1);
> +			return -1;
> +		}
> +		status_reg = (uint32_t *)&ehci->hcor->or_portsc[port - 1];
> +		break;
> +	default:
> +		status_reg = NULL;
> +		break;
> +	}
> +
> +	switch (typeReq) {
>  	case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
>  		switch (le16_to_cpu(req->value) >> 8) {
>  		case USB_DT_DEVICE:
> @@ -571,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  		if (reg & EHCI_PS_OCA)
>  			tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT;
>  		if (reg & EHCI_PS_PR &&
> -		    (ehci->portreset & (1 << le16_to_cpu(req->index)))) {
> +		    (ehci->portreset & (1 << port))) {
>  			int ret;
>  			/* force reset to complete */
>  			reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR);
> @@ -581,7 +591,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  				tmpbuf[0] |= USB_PORT_STAT_RESET;
>  			else
>  				dev_err(ehci->dev, "port(%d) reset error\n",
> -					le16_to_cpu(req->index) - 1);
> +					port - 1);
>  		}
>  		if (reg & EHCI_PS_PP)
>  			tmpbuf[1] |= USB_PORT_STAT_POWER >> 8;
> @@ -608,7 +618,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  			tmpbuf[2] |= USB_PORT_STAT_C_ENABLE;
>  		if (reg & EHCI_PS_OCC)
>  			tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT;
> -		if (ehci->portreset & (1 << le16_to_cpu(req->index)))
> +		if (ehci->portreset & (1 << port))
>  			tmpbuf[2] |= USB_PORT_STAT_C_RESET;
>  
>  		srcptr = tmpbuf;
> @@ -634,7 +644,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  			    EHCI_PS_IS_LOWSPEED(reg)) {
>  				/* Low speed device, give up ownership. */
>  				dev_dbg(ehci->dev, "port %d low speed --> companion\n",
> -				      req->index - 1);
> +				      port - 1);
>  				reg |= EHCI_PS_PO;
>  				ehci_writel(status_reg, reg);
>  				break;
> @@ -651,7 +661,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  				 */
>  				ehci_powerup_fixup(ehci);
>  				mdelay(50);
> -				ehci->portreset |= 1 << le16_to_cpu(req->index);
> +				ehci->portreset |= 1 << port;
>  				/* terminate the reset */
>  				ehci_writel(status_reg, reg & ~EHCI_PS_PR);
>  				/*
> @@ -663,10 +673,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  						2 * 1000);
>  				if (!ret)
>  					ehci->portreset |=
> -						1 << le16_to_cpu(req->index);
> +						1 << port;
>  				else
>  					dev_err(ehci->dev, "port(%d) reset error\n",
> -						le16_to_cpu(req->index) - 1);
> +						port - 1);
>  
>  			}
>  			break;
> @@ -698,7 +708,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  			reg |= EHCI_PS_OCC;
>  			break;
>  		case USB_PORT_FEAT_C_RESET:
> -			ehci->portreset &= ~(1 << le16_to_cpu(req->index));
> +			ehci->portreset &= ~(1 << port);
>  			break;
>  		default:
>  			dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value));
> -- 
> 2.1.4
> 


Actually this patch combines two U-boot patches:

  * usb: ehci: prevent bad PORTSC register access (http://lists.denx.de/pipermail/u-boot/2013-May/154319.html)
  * usb: Add new command to set USB 2.0 port test modes (http://lists.denx.de/pipermail/u-boot/2013-March/148104.html)

-- 
Best regards,
  Antony Pavlov

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] usb: ehci: prevent bad PORTSC register access
  2015-08-25 15:45 ` Antony Pavlov
@ 2015-08-26 12:23   ` Sascha Hauer
  2015-08-26 17:16     ` Antony Pavlov
  0 siblings, 1 reply; 4+ messages in thread
From: Sascha Hauer @ 2015-08-26 12:23 UTC (permalink / raw)
  To: Antony Pavlov; +Cc: barebox, Kuo-Jung Su, Peter Mamonov

On Tue, Aug 25, 2015 at 06:45:21PM +0300, Antony Pavlov wrote:
> On Tue, 25 Aug 2015 15:59:58 +0300
> Peter Mamonov <pmamonov@gmail.com> wrote:
> 
> > From: Kuo-Jung Su <dantesu@faraday-tech.com>
> > 
> > 1. The 'index' of ehci_submit_root() is not always > 0.
> > 
> >    e.g.
> >    While it gets invoked from usb_get_descriptor(),
> >    the 'index' is always a '0'. (See ch.9 of USB2.0)
> > 
> > 2. The PORTSC register is not always required, and thus it
> >    should only report a port error when necessary.
> >    It would cause a port scan failure if the ehci_submit_root()
> >    always gets terminated by a port error.
> > 
> > Signed-off-by: Kuo-Jung Su <dantesu@faraday-tech.com>
> > Signed-off-by: Peter Mamonov <pmamonov@gmail.com>
> > ---
> >  drivers/usb/host/ehci-hcd.c | 38 ++++++++++++++++++++++++--------------
> >  1 file changed, 24 insertions(+), 14 deletions(-)
> > 
> > diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
> > index 58c22db..1146b71 100644
> > --- a/drivers/usb/host/ehci-hcd.c
> > +++ b/drivers/usb/host/ehci-hcd.c
> > @@ -476,13 +476,8 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> >  	int len, srclen;
> >  	uint32_t reg;
> >  	uint32_t *status_reg;
> > +	int port = le16_to_cpu(req->index);
> >  
> > -	if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
> > -		dev_err(ehci->dev, "The request port(%d) is not configured\n",
> > -			le16_to_cpu(req->index) - 1);
> > -		return -1;
> > -	}
> > -	status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1];
> >  	srclen = 0;
> >  
> >  	dev_dbg(ehci->dev, "req=%u (%#x), type=%u (%#x), value=%u, index=%u\n",
> > @@ -493,6 +488,21 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> >  	typeReq = req->request | (req->requesttype << 8);
> >  
> >  	switch (typeReq) {
> > +	case USB_REQ_GET_STATUS | ((USB_RT_PORT | USB_DIR_IN) << 8):
> > +	case USB_REQ_SET_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8):
> > +	case USB_REQ_CLEAR_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8):
> > +		if (!port || port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
> > +			printf("The request port(%d) is not configured\n", port - 1);
> > +			return -1;
> > +		}
> > +		status_reg = (uint32_t *)&ehci->hcor->or_portsc[port - 1];
> > +		break;
> > +	default:
> > +		status_reg = NULL;
> > +		break;
> > +	}
> > +
> > +	switch (typeReq) {
> >  	case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
> >  		switch (le16_to_cpu(req->value) >> 8) {
> >  		case USB_DT_DEVICE:
> > @@ -571,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> >  		if (reg & EHCI_PS_OCA)
> >  			tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT;
> >  		if (reg & EHCI_PS_PR &&
> > -		    (ehci->portreset & (1 << le16_to_cpu(req->index)))) {
> > +		    (ehci->portreset & (1 << port))) {
> >  			int ret;
> >  			/* force reset to complete */
> >  			reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR);
> > @@ -581,7 +591,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> >  				tmpbuf[0] |= USB_PORT_STAT_RESET;
> >  			else
> >  				dev_err(ehci->dev, "port(%d) reset error\n",
> > -					le16_to_cpu(req->index) - 1);
> > +					port - 1);
> >  		}
> >  		if (reg & EHCI_PS_PP)
> >  			tmpbuf[1] |= USB_PORT_STAT_POWER >> 8;
> > @@ -608,7 +618,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> >  			tmpbuf[2] |= USB_PORT_STAT_C_ENABLE;
> >  		if (reg & EHCI_PS_OCC)
> >  			tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT;
> > -		if (ehci->portreset & (1 << le16_to_cpu(req->index)))
> > +		if (ehci->portreset & (1 << port))
> >  			tmpbuf[2] |= USB_PORT_STAT_C_RESET;
> >  
> >  		srcptr = tmpbuf;
> > @@ -634,7 +644,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> >  			    EHCI_PS_IS_LOWSPEED(reg)) {
> >  				/* Low speed device, give up ownership. */
> >  				dev_dbg(ehci->dev, "port %d low speed --> companion\n",
> > -				      req->index - 1);
> > +				      port - 1);
> >  				reg |= EHCI_PS_PO;
> >  				ehci_writel(status_reg, reg);
> >  				break;
> > @@ -651,7 +661,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> >  				 */
> >  				ehci_powerup_fixup(ehci);
> >  				mdelay(50);
> > -				ehci->portreset |= 1 << le16_to_cpu(req->index);
> > +				ehci->portreset |= 1 << port;
> >  				/* terminate the reset */
> >  				ehci_writel(status_reg, reg & ~EHCI_PS_PR);
> >  				/*
> > @@ -663,10 +673,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> >  						2 * 1000);
> >  				if (!ret)
> >  					ehci->portreset |=
> > -						1 << le16_to_cpu(req->index);
> > +						1 << port;
> >  				else
> >  					dev_err(ehci->dev, "port(%d) reset error\n",
> > -						le16_to_cpu(req->index) - 1);
> > +						port - 1);
> >  
> >  			}
> >  			break;
> > @@ -698,7 +708,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> >  			reg |= EHCI_PS_OCC;
> >  			break;
> >  		case USB_PORT_FEAT_C_RESET:
> > -			ehci->portreset &= ~(1 << le16_to_cpu(req->index));
> > +			ehci->portreset &= ~(1 << port);
> >  			break;
> >  		default:
> >  			dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value));
> > -- 
> > 2.1.4
> > 
> 
> 
> Actually this patch combines two U-boot patches:
> 
>   * usb: ehci: prevent bad PORTSC register access (http://lists.denx.de/pipermail/u-boot/2013-May/154319.html)
>   * usb: Add new command to set USB 2.0 port test modes (http://lists.denx.de/pipermail/u-boot/2013-March/148104.html)

Not really. This patch contains only the parts of "usb: Add new command
to set USB 2.0 port test modes" which are necessary to make this one
apply. I splitted this up to two patches while applying with the patch
below.

Sascha

-----------------------------8<-----------------------

From 484a1fb56890fee13a73070e0d868a3349a47c19 Mon Sep 17 00:00:00 2001
From: Kuo-Jung Su <dantesu@faraday-tech.com>
Date: Tue, 25 Aug 2015 15:59:58 +0300
Subject: [PATCH 2/3] usb: ehci: replace multiple use of
 le16_to_cpu(req->index) with variable

This is part of U-Boot commit:

7d9aa8f usb: Add new command to set USB 2.0 port test modes

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 drivers/usb/host/ehci-hcd.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
index 0e7c595..8a6bbc9 100644
--- a/drivers/usb/host/ehci-hcd.c
+++ b/drivers/usb/host/ehci-hcd.c
@@ -475,10 +475,11 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 	int len, srclen;
 	uint32_t reg;
 	uint32_t *status_reg;
+	int port = le16_to_cpu(req->index);
 
 	if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
 		dev_err(ehci->dev, "The request port(%d) is not configured\n",
-			le16_to_cpu(req->index) - 1);
+				port - 1);
 		return -1;
 	}
 	status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1];
@@ -570,7 +571,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 		if (reg & EHCI_PS_OCA)
 			tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT;
 		if (reg & EHCI_PS_PR &&
-		    (ehci->portreset & (1 << le16_to_cpu(req->index)))) {
+		    (ehci->portreset & (1 << port))) {
 			int ret;
 			/* force reset to complete */
 			reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR);
@@ -580,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 				tmpbuf[0] |= USB_PORT_STAT_RESET;
 			else
 				dev_err(ehci->dev, "port(%d) reset error\n",
-					le16_to_cpu(req->index) - 1);
+					port - 1);
 		}
 		if (reg & EHCI_PS_PP)
 			tmpbuf[1] |= USB_PORT_STAT_POWER >> 8;
@@ -607,7 +608,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 			tmpbuf[2] |= USB_PORT_STAT_C_ENABLE;
 		if (reg & EHCI_PS_OCC)
 			tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT;
-		if (ehci->portreset & (1 << le16_to_cpu(req->index)))
+		if (ehci->portreset & (1 << port))
 			tmpbuf[2] |= USB_PORT_STAT_C_RESET;
 
 		srcptr = tmpbuf;
@@ -633,7 +634,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 			    EHCI_PS_IS_LOWSPEED(reg)) {
 				/* Low speed device, give up ownership. */
 				dev_dbg(ehci->dev, "port %d low speed --> companion\n",
-				      req->index - 1);
+				      port - 1);
 				reg |= EHCI_PS_PO;
 				ehci_writel(status_reg, reg);
 				break;
@@ -650,7 +651,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 				 */
 				ehci_powerup_fixup(ehci);
 				mdelay(50);
-				ehci->portreset |= 1 << le16_to_cpu(req->index);
+				ehci->portreset |= 1 << port;
 				/* terminate the reset */
 				ehci_writel(status_reg, reg & ~EHCI_PS_PR);
 				/*
@@ -662,10 +663,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 						2 * 1000);
 				if (!ret)
 					ehci->portreset |=
-						1 << le16_to_cpu(req->index);
+						1 << port;
 				else
 					dev_err(ehci->dev, "port(%d) reset error\n",
-						le16_to_cpu(req->index) - 1);
+						port - 1);
 
 			}
 			break;
@@ -697,7 +698,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
 			reg |= EHCI_PS_OCC;
 			break;
 		case USB_PORT_FEAT_C_RESET:
-			ehci->portreset &= ~(1 << le16_to_cpu(req->index));
+			ehci->portreset &= ~(1 << port);
 			break;
 		default:
 			dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value));
-- 
2.5.0

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] usb: ehci: prevent bad PORTSC register access
  2015-08-26 12:23   ` Sascha Hauer
@ 2015-08-26 17:16     ` Antony Pavlov
  0 siblings, 0 replies; 4+ messages in thread
From: Antony Pavlov @ 2015-08-26 17:16 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: barebox, Kuo-Jung Su, Peter Mamonov

On Wed, 26 Aug 2015 14:23:13 +0200
Sascha Hauer <s.hauer@pengutronix.de> wrote:

> On Tue, Aug 25, 2015 at 06:45:21PM +0300, Antony Pavlov wrote:
> > On Tue, 25 Aug 2015 15:59:58 +0300
> > Peter Mamonov <pmamonov@gmail.com> wrote:
> > 
> > > From: Kuo-Jung Su <dantesu@faraday-tech.com>
> > > 
> > > 1. The 'index' of ehci_submit_root() is not always > 0.
> > > 
> > >    e.g.
> > >    While it gets invoked from usb_get_descriptor(),
> > >    the 'index' is always a '0'. (See ch.9 of USB2.0)
> > > 
> > > 2. The PORTSC register is not always required, and thus it
> > >    should only report a port error when necessary.
> > >    It would cause a port scan failure if the ehci_submit_root()
> > >    always gets terminated by a port error.
> > > 
> > > Signed-off-by: Kuo-Jung Su <dantesu@faraday-tech.com>
> > > Signed-off-by: Peter Mamonov <pmamonov@gmail.com>
> > > ---
> > >  drivers/usb/host/ehci-hcd.c | 38 ++++++++++++++++++++++++--------------
> > >  1 file changed, 24 insertions(+), 14 deletions(-)
> > > 
> > > diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
> > > index 58c22db..1146b71 100644
> > > --- a/drivers/usb/host/ehci-hcd.c
> > > +++ b/drivers/usb/host/ehci-hcd.c
> > > @@ -476,13 +476,8 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> > >  	int len, srclen;
> > >  	uint32_t reg;
> > >  	uint32_t *status_reg;
> > > +	int port = le16_to_cpu(req->index);
> > >  
> > > -	if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
> > > -		dev_err(ehci->dev, "The request port(%d) is not configured\n",
> > > -			le16_to_cpu(req->index) - 1);
> > > -		return -1;
> > > -	}
> > > -	status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1];
> > >  	srclen = 0;
> > >  
> > >  	dev_dbg(ehci->dev, "req=%u (%#x), type=%u (%#x), value=%u, index=%u\n",
> > > @@ -493,6 +488,21 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> > >  	typeReq = req->request | (req->requesttype << 8);
> > >  
> > >  	switch (typeReq) {
> > > +	case USB_REQ_GET_STATUS | ((USB_RT_PORT | USB_DIR_IN) << 8):
> > > +	case USB_REQ_SET_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8):
> > > +	case USB_REQ_CLEAR_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8):
> > > +		if (!port || port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
> > > +			printf("The request port(%d) is not configured\n", port - 1);
> > > +			return -1;
> > > +		}
> > > +		status_reg = (uint32_t *)&ehci->hcor->or_portsc[port - 1];
> > > +		break;
> > > +	default:
> > > +		status_reg = NULL;
> > > +		break;
> > > +	}
> > > +
> > > +	switch (typeReq) {
> > >  	case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
> > >  		switch (le16_to_cpu(req->value) >> 8) {
> > >  		case USB_DT_DEVICE:
> > > @@ -571,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> > >  		if (reg & EHCI_PS_OCA)
> > >  			tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT;
> > >  		if (reg & EHCI_PS_PR &&
> > > -		    (ehci->portreset & (1 << le16_to_cpu(req->index)))) {
> > > +		    (ehci->portreset & (1 << port))) {
> > >  			int ret;
> > >  			/* force reset to complete */
> > >  			reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR);
> > > @@ -581,7 +591,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> > >  				tmpbuf[0] |= USB_PORT_STAT_RESET;
> > >  			else
> > >  				dev_err(ehci->dev, "port(%d) reset error\n",
> > > -					le16_to_cpu(req->index) - 1);
> > > +					port - 1);
> > >  		}
> > >  		if (reg & EHCI_PS_PP)
> > >  			tmpbuf[1] |= USB_PORT_STAT_POWER >> 8;
> > > @@ -608,7 +618,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> > >  			tmpbuf[2] |= USB_PORT_STAT_C_ENABLE;
> > >  		if (reg & EHCI_PS_OCC)
> > >  			tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT;
> > > -		if (ehci->portreset & (1 << le16_to_cpu(req->index)))
> > > +		if (ehci->portreset & (1 << port))
> > >  			tmpbuf[2] |= USB_PORT_STAT_C_RESET;
> > >  
> > >  		srcptr = tmpbuf;
> > > @@ -634,7 +644,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> > >  			    EHCI_PS_IS_LOWSPEED(reg)) {
> > >  				/* Low speed device, give up ownership. */
> > >  				dev_dbg(ehci->dev, "port %d low speed --> companion\n",
> > > -				      req->index - 1);
> > > +				      port - 1);
> > >  				reg |= EHCI_PS_PO;
> > >  				ehci_writel(status_reg, reg);
> > >  				break;
> > > @@ -651,7 +661,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> > >  				 */
> > >  				ehci_powerup_fixup(ehci);
> > >  				mdelay(50);
> > > -				ehci->portreset |= 1 << le16_to_cpu(req->index);
> > > +				ehci->portreset |= 1 << port;
> > >  				/* terminate the reset */
> > >  				ehci_writel(status_reg, reg & ~EHCI_PS_PR);
> > >  				/*
> > > @@ -663,10 +673,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> > >  						2 * 1000);
> > >  				if (!ret)
> > >  					ehci->portreset |=
> > > -						1 << le16_to_cpu(req->index);
> > > +						1 << port;
> > >  				else
> > >  					dev_err(ehci->dev, "port(%d) reset error\n",
> > > -						le16_to_cpu(req->index) - 1);
> > > +						port - 1);
> > >  
> > >  			}
> > >  			break;
> > > @@ -698,7 +708,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
> > >  			reg |= EHCI_PS_OCC;
> > >  			break;
> > >  		case USB_PORT_FEAT_C_RESET:
> > > -			ehci->portreset &= ~(1 << le16_to_cpu(req->index));
> > > +			ehci->portreset &= ~(1 << port);
> > >  			break;
> > >  		default:
> > >  			dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value));
> > > -- 
> > > 2.1.4
> > > 
> > 
> > 
> > Actually this patch combines two U-boot patches:
> > 
> >   * usb: ehci: prevent bad PORTSC register access (http://lists.denx.de/pipermail/u-boot/2013-May/154319.html)
> >   * usb: Add new command to set USB 2.0 port test modes (http://lists.denx.de/pipermail/u-boot/2013-March/148104.html)
> 
> Not really. This patch contains only the parts of "usb: Add new command
> to set USB 2.0 port test modes" which are necessary to make this one
> apply. I splitted this up to two patches while applying with the patch
> below.
> 
> Sascha
> 
> -----------------------------8<-----------------------
> 
> From 484a1fb56890fee13a73070e0d868a3349a47c19 Mon Sep 17 00:00:00 2001
> From: Kuo-Jung Su <dantesu@faraday-tech.com>


Author: Julius Werner <jwerner@chromium.org>



> Date: Tue, 25 Aug 2015 15:59:58 +0300
> Subject: [PATCH 2/3] usb: ehci: replace multiple use of
>  le16_to_cpu(req->index) with variable
> 
> This is part of U-Boot commit:
> 
> 7d9aa8f usb: Add new command to set USB 2.0 port test modes
> 
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
>  drivers/usb/host/ehci-hcd.c | 19 ++++++++++---------
>  1 file changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
> index 0e7c595..8a6bbc9 100644
> --- a/drivers/usb/host/ehci-hcd.c
> +++ b/drivers/usb/host/ehci-hcd.c
> @@ -475,10 +475,11 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  	int len, srclen;
>  	uint32_t reg;
>  	uint32_t *status_reg;
> +	int port = le16_to_cpu(req->index);
>  
>  	if (le16_to_cpu(req->index) >= CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) {
>  		dev_err(ehci->dev, "The request port(%d) is not configured\n",
> -			le16_to_cpu(req->index) - 1);
> +				port - 1);
>  		return -1;
>  	}
>  	status_reg = (uint32_t *)&ehci->hcor->or_portsc[le16_to_cpu(req->index) - 1];
> @@ -570,7 +571,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  		if (reg & EHCI_PS_OCA)
>  			tmpbuf[0] |= USB_PORT_STAT_OVERCURRENT;
>  		if (reg & EHCI_PS_PR &&
> -		    (ehci->portreset & (1 << le16_to_cpu(req->index)))) {
> +		    (ehci->portreset & (1 << port))) {
>  			int ret;
>  			/* force reset to complete */
>  			reg = reg & ~(EHCI_PS_PR | EHCI_PS_CLEAR);
> @@ -580,7 +581,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  				tmpbuf[0] |= USB_PORT_STAT_RESET;
>  			else
>  				dev_err(ehci->dev, "port(%d) reset error\n",
> -					le16_to_cpu(req->index) - 1);
> +					port - 1);
>  		}
>  		if (reg & EHCI_PS_PP)
>  			tmpbuf[1] |= USB_PORT_STAT_POWER >> 8;
> @@ -607,7 +608,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  			tmpbuf[2] |= USB_PORT_STAT_C_ENABLE;
>  		if (reg & EHCI_PS_OCC)
>  			tmpbuf[2] |= USB_PORT_STAT_C_OVERCURRENT;
> -		if (ehci->portreset & (1 << le16_to_cpu(req->index)))
> +		if (ehci->portreset & (1 << port))
>  			tmpbuf[2] |= USB_PORT_STAT_C_RESET;
>  
>  		srcptr = tmpbuf;
> @@ -633,7 +634,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  			    EHCI_PS_IS_LOWSPEED(reg)) {
>  				/* Low speed device, give up ownership. */
>  				dev_dbg(ehci->dev, "port %d low speed --> companion\n",
> -				      req->index - 1);
> +				      port - 1);
>  				reg |= EHCI_PS_PO;
>  				ehci_writel(status_reg, reg);
>  				break;
> @@ -650,7 +651,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  				 */
>  				ehci_powerup_fixup(ehci);
>  				mdelay(50);
> -				ehci->portreset |= 1 << le16_to_cpu(req->index);
> +				ehci->portreset |= 1 << port;
>  				/* terminate the reset */
>  				ehci_writel(status_reg, reg & ~EHCI_PS_PR);
>  				/*
> @@ -662,10 +663,10 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  						2 * 1000);
>  				if (!ret)
>  					ehci->portreset |=
> -						1 << le16_to_cpu(req->index);
> +						1 << port;
>  				else
>  					dev_err(ehci->dev, "port(%d) reset error\n",
> -						le16_to_cpu(req->index) - 1);
> +						port - 1);
>  
>  			}
>  			break;
> @@ -697,7 +698,7 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer,
>  			reg |= EHCI_PS_OCC;
>  			break;
>  		case USB_PORT_FEAT_C_RESET:
> -			ehci->portreset &= ~(1 << le16_to_cpu(req->index));
> +			ehci->portreset &= ~(1 << port);
>  			break;
>  		default:
>  			dev_dbg(ehci->dev, "unknown feature %x\n", le16_to_cpu(req->value));
> -- 
> 2.5.0
> 
> -- 
> Pengutronix e.K.                           |                             |
> Industrial Linux Solutions                 | http://www.pengutronix.de/  |
> Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


-- 
-- 
Best regards,
  Antony Pavlov

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2015-08-26 17:08 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-08-25 12:59 [PATCH] usb: ehci: prevent bad PORTSC register access Peter Mamonov
2015-08-25 15:45 ` Antony Pavlov
2015-08-26 12:23   ` Sascha Hauer
2015-08-26 17:16     ` Antony Pavlov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox