Message ID | 1470129584-27225-3-git-send-email-thuth@redhat.com |
---|---|
State | Superseded |
Headers | show |
Thomas Huth <thuth@redhat.com> writes: > SLOF should be able to support more than just four devices on > the four root hub ports. So we've got to increase the amount of > possible slot IDs. Since QEMU supports up to 44 devices (four > devices at the root ports + 5 tiers of hubs with 8 ports each), > this seems to be a good new value instead. And to make sure that > we do not accidentially get a buffer overflow when accessing the > xhcd->xdevs[slot_id] array, this patch also add a sanity check at > the beginning of the xhci_alloc_dev() function here. > > Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com> With one change below, i missed during my first review. > --- > lib/libusb/usb-xhci.c | 6 ++++++ > lib/libusb/usb-xhci.h | 2 +- > 2 files changed, 7 insertions(+), 1 deletion(-) > > diff --git a/lib/libusb/usb-xhci.c b/lib/libusb/usb-xhci.c > index b59fd40..eda5929 100644 > --- a/lib/libusb/usb-xhci.c > +++ b/lib/libusb/usb-xhci.c > @@ -539,6 +539,12 @@ static bool xhci_alloc_dev(struct xhci_hcd *xhcd, uint32_t slot_id, uint32_t por > uint16_t max_packet; > uint32_t newport; > > + if (slot_id > XHCI_CONFIG_MAX_SLOT) { > + dprintf("USB3 slot ID %d is too high (max is %d)\n", slot_id, This should be printf. > + XHCI_CONFIG_MAX_SLOT); > + return false; > + } > + > ctx_size = CTX_SIZE(xhcd->hcc_csz_64); > xdev = &xhcd->xdevs[slot_id]; > xdev->slot_id = slot_id; > diff --git a/lib/libusb/usb-xhci.h b/lib/libusb/usb-xhci.h > index b02fcbf..793f18c 100644 > --- a/lib/libusb/usb-xhci.h > +++ b/lib/libusb/usb-xhci.h > @@ -126,7 +126,7 @@ struct xhci_op_regs { > #define XHCI_DCBAAP_MAX_SIZE 2048 > > uint32_t config; /* Configure */ > -#define XHCI_CONFIG_MAX_SLOT 4 > +#define XHCI_CONFIG_MAX_SLOT 44 > > uint8_t reserved2[964]; /* 3C - 3FF */ > /* USB Port register set */ > -- > 1.8.3.1
diff --git a/lib/libusb/usb-xhci.c b/lib/libusb/usb-xhci.c index b59fd40..eda5929 100644 --- a/lib/libusb/usb-xhci.c +++ b/lib/libusb/usb-xhci.c @@ -539,6 +539,12 @@ static bool xhci_alloc_dev(struct xhci_hcd *xhcd, uint32_t slot_id, uint32_t por uint16_t max_packet; uint32_t newport; + if (slot_id > XHCI_CONFIG_MAX_SLOT) { + dprintf("USB3 slot ID %d is too high (max is %d)\n", slot_id, + XHCI_CONFIG_MAX_SLOT); + return false; + } + ctx_size = CTX_SIZE(xhcd->hcc_csz_64); xdev = &xhcd->xdevs[slot_id]; xdev->slot_id = slot_id; diff --git a/lib/libusb/usb-xhci.h b/lib/libusb/usb-xhci.h index b02fcbf..793f18c 100644 --- a/lib/libusb/usb-xhci.h +++ b/lib/libusb/usb-xhci.h @@ -126,7 +126,7 @@ struct xhci_op_regs { #define XHCI_DCBAAP_MAX_SIZE 2048 uint32_t config; /* Configure */ -#define XHCI_CONFIG_MAX_SLOT 4 +#define XHCI_CONFIG_MAX_SLOT 44 uint8_t reserved2[964]; /* 3C - 3FF */ /* USB Port register set */
SLOF should be able to support more than just four devices on the four root hub ports. So we've got to increase the amount of possible slot IDs. Since QEMU supports up to 44 devices (four devices at the root ports + 5 tiers of hubs with 8 ports each), this seems to be a good new value instead. And to make sure that we do not accidentially get a buffer overflow when accessing the xhcd->xdevs[slot_id] array, this patch also add a sanity check at the beginning of the xhci_alloc_dev() function here. Signed-off-by: Thomas Huth <thuth@redhat.com> --- lib/libusb/usb-xhci.c | 6 ++++++ lib/libusb/usb-xhci.h | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-)