Commit Graph

10 Commits

Author SHA1 Message Date
Zhou Qingyang 37307f7020 usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
and there is a dereference of it in cdnsp_endpoint_init(), which could
lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().

Fix this bug by adding a check of pep->ring.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 3d82904559 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Cc: stable <stable@vger.kernel.org>
Acked-by: Pawel Laszczak <pawell@cadence.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130172700.206650-1-zhou1615@umn.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-03 13:57:45 +01:00
Chunfeng Yun e9ab75f26e usb: cdnsp: fix the wrong mult value for HS isoc or intr
usb_endpoint_maxp() only returns the bit[10:0] of wMaxPacketSize
of endpoint descriptor, not include bit[12:11] anymore, so use
usb_endpoint_maxp_mult() instead.

Fixes: 3d82904559 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Cc: stable@vger.kernel.org
Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Link: https://lore.kernel.org/r/1628836253-7432-4-git-send-email-chunfeng.yun@mediatek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-08-13 13:05:50 +02:00
Pawel Laszczak 4ae08bc23e usb: cdnsp: Useless condition has been removed
This code generates a Smatch warning:

drivers/usb/cdns3/cdnsp-mem.c:1085 cdnsp_mem_cleanup()
warn: variable dereferenced before check 'pdev->dcbaa' (see line 1067)

The unchecked dereference happens inside the function when we call:

cdnsp_free_priv_device(pdev);

But fortunately, the "pdev->dcbaa" pointer can never be NULL so it
does not lead to a runtime issue. We can just remove the NULL check
which silences the warning and makes the code consistent.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Link: https://lore.kernel.org/r/20210505055854.40240-1-pawell@gli-login.cadence.com
Signed-off-by: Peter Chen <peter.chen@kernel.org>
2021-05-11 14:12:54 +08:00
Colin Ian King 9ecc3eb03c
usb: cdnsp: remove redundant initialization of variable ret
The variable ret is being initialized with a value that is
never read and it is being updated later with a new value.  The
initialization is redundant and can be removed.

Addresses-Coverity: ("Unused value")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Peter Chen <peter.chen@kernel.org>
2021-04-12 20:19:22 +08:00
Wang Qing 8079ebf5ff
usb: cdns3: delete repeated clear operations
dma_alloc_coherent already zeroes out memory, so memset is not needed.

Signed-off-by: Wang Qing <wangqing@vivo.com>
Reviewed-by: Pawel Laszczak <pawell@cadence.com>
Acked-by: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Peter Chen <peter.chen@kernel.org>
2021-04-12 20:19:22 +08:00
Pawel Laszczak 16e3610154
usb: cdnsp: Fixes for sparse warnings
Patch fixes all sparse warnings in cdsnp driver.

It fixes the following warnings:
cdnsp-ring.c:1441: warning: incorrect type in assignment
cdnsp-ring.c:1444: warning: restricted __le32 degrades to integer
cdnsp-ring.c:2200: warning: dubious: x | !y
cdnsp-gadget.c:501: warning: incorrect type in assignment
cdnsp-gadget.c:504: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:507: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:508: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:509: warning: invalid assignment: |=
cdnsp-gadget.c:510: warning: cast from restricted __le32
cdnsp-gadget.c:558: warning: incorrect type in assignment
cdnsp-gadget.c:561: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:570: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:1571: warning: incorrect type in argument 1
cdnsp-gadget.c:1602: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:1760: warning: incorrect type in assignment
cdnsp-gadget.c:1762: warning: incorrect type in assignment
cdnsp-gadget.c:1763: warning: incorrect type in assignment
cdnsp-gadget.c:1764: warning: incorrect type in assignment
cdnsp-gadget.c:1765: warning: incorrect type in assignment
cdnsp-gadget.c:1766: warning: incorrect type in assignment
cdnsp-gadget.c:1767: warning: incorrect type in assignment
cdnsp-gadget.c:458: warning: cast truncates bits from constant value
                    (ffffffff07ffffff becomes 7ffffff)
cdnsp-gadget.c:666: warning: cast truncates bits from constant value
                    (ffffffff07ffffff becomes 7ffffff)
cdnsp-mem.c:762: warning: incorrect type in assignment
cdnsp-mem.c:763: warning: incorrect type in assignment
cdnsp-mem.c:928: warning: cast from restricted __le16
cdnsp-mem.c:1187: warning: incorrect type in assignment
cdnsp-mem.c:1191: warning: incorrect type in assignment
cdnsp-ep0.c:142: warning: incorrect type in assignment
cdnsp-ep0.c:144: warning: restricted __le32 degrades to integer
cdnsp-ep0.c:147: warning: restricted __le32 degrades to integer
cdnsp-ep0.c:148: warning: restricted __le32 degrades to integer
cdnsp-ep0.c:179: warning: incorrect type in argument 1
cdnsp-ep0.c:311: warning: incorrect type in argument 1
cdnsp-ep0.c:469: warning: incorrect type in assignment
cdnsp-trace.h:611:1: warning: cast from restricted __le32

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
2020-12-29 12:36:13 +08:00
Pawel Laszczak e2d60f8c47
usb: cdnsp: fix error handling in cdnsp_mem_init()
This function uses "One Function Cleans up Everything" style and that's
basically impossible to do correctly. It's cleaner to write it with
"clean up the most recent allocation".

Patch fixes two isues:
1. If pdev->dcbaa = dma_alloc_coherent() fails then that leads to a NULL
   dereference inside the cdnsp_free_priv_device() function.
2. if cdnsp_alloc_priv_device() fails that leads to a double free because
   we free pdev->out_ctx.bytes in several places.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
2020-12-29 12:36:13 +08:00
Pawel Laszczak dc68ba6c72
usb: cdnsp: Removes some not useful function arguments
This patch removes 'flags' argument from some functions and use
indirect the correct GFP_XXX flag to fix the following warning:

'The patch d40a169aab24: "usb: cdnsp: cdns3 Add main part of Cadence
USBSSP DRD Driver" from Dec 7, 2020, leads to the following static
checker warning:

	drivers/usb/cdns3/cdnsp-mem.c:1229 cdnsp_mem_init()
	warn: use 'flags' here instead of GFP_XXX?

drivers/usb/cdns3/cdnsp-mem.c
  1206  int cdnsp_mem_init(struct cdnsp_device *pdev, gfp_t flags);'
                                                      ^^^^^^^^^^^
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
2020-12-29 12:36:13 +08:00
Pawel Laszczak 118b2a3237
usb: cdnsp: Add tracepoints for CDNSP driver
Patch adds the series of tracepoints that can be used for
debugging issues detected in driver.

Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
2020-12-29 12:36:13 +08:00
Pawel Laszczak 3d82904559
usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver
This patch introduces the main part of Cadence USBSSP DRD driver
to Linux kernel.
To reduce the patch size a little bit, the header file gadget.h was
intentionally added as separate patch.

The Cadence USBSSP DRD Controller is a highly configurable IP Core which
can be instantiated as Dual-Role Device (DRD), Peripheral Only and
Host Only (XHCI)configurations.

The current driver has been validated with FPGA platform. We have
support for PCIe bus, which is used on FPGA prototyping.

The host side of USBSS DRD controller is compliant with XHCI.
The architecture for device side is almost the same as for host side,
and most of the XHCI specification can be used to understand how
this controller operates.

Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
2020-12-29 12:36:13 +08:00