From: Kuo-Jung Su Date: Wed, 15 May 2013 07:29:20 +0000 (+0800) Subject: usb: ehci: prevent bad PORTSC register access X-Git-Tag: v2025.01-rc5-pxa1908~16184^2~6 X-Git-Url: http://git.dujemihanovic.xyz/html/static/git-favicon.png?a=commitdiff_plain;h=9c6a9d7c8be40f58cf3faf0a4b8d9d33a21ca4f5;p=u-boot.git usb: ehci: prevent bad PORTSC register access 1. The 'index' of ehci_submit_root() is not always > 0. e.g. While it gets invoked from usb_get_descriptor(), the 'index' is always a '0'. (See ch.9 of USB2.0) 2. The PORTSC register is not always required, and thus it should only report a port error when necessary. It would cause a port scan failure if the ehci_submit_root() always gets terminated by a port error. Signed-off-by: Kuo-Jung Su CC: Marek Vasut --- diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c index 445759b9ac..443cc23134 100644 --- a/drivers/usb/host/ehci-hcd.c +++ b/drivers/usb/host/ehci-hcd.c @@ -616,11 +616,6 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, int port = le16_to_cpu(req->index) & 0xff; struct ehci_ctrl *ctrl = dev->controller; - if (port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { - printf("The request port(%d) is not configured\n", port - 1); - return -1; - } - status_reg = (uint32_t *)&ctrl->hcor->or_portsc[port - 1]; srclen = 0; debug("req=%u (%#x), type=%u (%#x), value=%u, index=%u\n", @@ -630,6 +625,21 @@ ehci_submit_root(struct usb_device *dev, unsigned long pipe, void *buffer, typeReq = req->request | req->requesttype << 8; + switch (typeReq) { + case USB_REQ_GET_STATUS | ((USB_RT_PORT | USB_DIR_IN) << 8): + case USB_REQ_SET_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8): + case USB_REQ_CLEAR_FEATURE | ((USB_DIR_OUT | USB_RT_PORT) << 8): + if (!port || port > CONFIG_SYS_USB_EHCI_MAX_ROOT_PORTS) { + printf("The request port(%d) is not configured\n", port - 1); + return -1; + } + status_reg = (uint32_t *)&ctrl->hcor->or_portsc[port - 1]; + break; + default: + status_reg = NULL; + break; + } + switch (typeReq) { case DeviceRequest | USB_REQ_GET_DESCRIPTOR: switch (le16_to_cpu(req->value) >> 8) {