diff mbox

[v2,2/5] usb: Increase amount of maximum slot IDs and add a sanity check

Message ID 1470129584-27225-3-git-send-email-thuth@redhat.com
State Superseded
Headers show

Commit Message

Thomas Huth Aug. 2, 2016, 9:19 a.m. UTC
SLOF should be able to support more than just four devices on
the four root hub ports. So we've got to increase the amount of
possible slot IDs. Since QEMU supports up to 44 devices (four
devices at the root ports + 5 tiers of hubs with 8 ports each),
this seems to be a good new value instead. And to make sure that
we do not accidentially get a buffer overflow when accessing the
xhcd->xdevs[slot_id] array, this patch also add a sanity check at
the beginning of the xhci_alloc_dev() function here.

Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 lib/libusb/usb-xhci.c | 6 ++++++
 lib/libusb/usb-xhci.h | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

Comments

Nikunj A Dadhania Aug. 2, 2016, 9:50 a.m. UTC | #1
Thomas Huth <thuth@redhat.com> writes:

> SLOF should be able to support more than just four devices on
> the four root hub ports. So we've got to increase the amount of
> possible slot IDs. Since QEMU supports up to 44 devices (four
> devices at the root ports + 5 tiers of hubs with 8 ports each),
> this seems to be a good new value instead. And to make sure that
> we do not accidentially get a buffer overflow when accessing the
> xhcd->xdevs[slot_id] array, this patch also add a sanity check at
> the beginning of the xhci_alloc_dev() function here.
>
> Signed-off-by: Thomas Huth <thuth@redhat.com>

Reviewed-by: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>

With one change below, i missed during my first review.

> ---
>  lib/libusb/usb-xhci.c | 6 ++++++
>  lib/libusb/usb-xhci.h | 2 +-
>  2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/lib/libusb/usb-xhci.c b/lib/libusb/usb-xhci.c
> index b59fd40..eda5929 100644
> --- a/lib/libusb/usb-xhci.c
> +++ b/lib/libusb/usb-xhci.c
> @@ -539,6 +539,12 @@ static bool xhci_alloc_dev(struct xhci_hcd *xhcd, uint32_t slot_id, uint32_t por
>  	uint16_t max_packet;
>  	uint32_t newport;
>
> +	if (slot_id > XHCI_CONFIG_MAX_SLOT) {
> +		dprintf("USB3 slot ID %d is too high (max is %d)\n", slot_id,

This should be printf.

> +			XHCI_CONFIG_MAX_SLOT);
> +		return false;
> +	}
> +
>  	ctx_size = CTX_SIZE(xhcd->hcc_csz_64);
>  	xdev = &xhcd->xdevs[slot_id];
>  	xdev->slot_id = slot_id;
> diff --git a/lib/libusb/usb-xhci.h b/lib/libusb/usb-xhci.h
> index b02fcbf..793f18c 100644
> --- a/lib/libusb/usb-xhci.h
> +++ b/lib/libusb/usb-xhci.h
> @@ -126,7 +126,7 @@ struct xhci_op_regs {
>  #define XHCI_DCBAAP_MAX_SIZE      2048
>
>  	uint32_t config;         /* Configure */
> -#define XHCI_CONFIG_MAX_SLOT      4
> +#define XHCI_CONFIG_MAX_SLOT      44
>
>  	uint8_t reserved2[964]; /* 3C - 3FF */
>  	/* USB Port register set */
> -- 
> 1.8.3.1
diff mbox

Patch

diff --git a/lib/libusb/usb-xhci.c b/lib/libusb/usb-xhci.c
index b59fd40..eda5929 100644
--- a/lib/libusb/usb-xhci.c
+++ b/lib/libusb/usb-xhci.c
@@ -539,6 +539,12 @@  static bool xhci_alloc_dev(struct xhci_hcd *xhcd, uint32_t slot_id, uint32_t por
 	uint16_t max_packet;
 	uint32_t newport;
 
+	if (slot_id > XHCI_CONFIG_MAX_SLOT) {
+		dprintf("USB3 slot ID %d is too high (max is %d)\n", slot_id,
+			XHCI_CONFIG_MAX_SLOT);
+		return false;
+	}
+
 	ctx_size = CTX_SIZE(xhcd->hcc_csz_64);
 	xdev = &xhcd->xdevs[slot_id];
 	xdev->slot_id = slot_id;
diff --git a/lib/libusb/usb-xhci.h b/lib/libusb/usb-xhci.h
index b02fcbf..793f18c 100644
--- a/lib/libusb/usb-xhci.h
+++ b/lib/libusb/usb-xhci.h
@@ -126,7 +126,7 @@  struct xhci_op_regs {
 #define XHCI_DCBAAP_MAX_SIZE      2048
 
 	uint32_t config;         /* Configure */
-#define XHCI_CONFIG_MAX_SLOT      4
+#define XHCI_CONFIG_MAX_SLOT      44
 
 	uint8_t reserved2[964]; /* 3C - 3FF */
 	/* USB Port register set */