[U-Boot,1/1] usb: musb-new: sunxi: Fix null pointer access

Message ID 20181205124945.22813-1-stefan@olimex.com
State New
Delegated to: Marek Vasut

Commit Message

Stefan Mavrodiev Dec. 5, 2018, 12:49 p.m.
When the device is in peripheral mode there is no
struct usb_bus_priv allocated pointer, as the uclass driver
("usb_dev_generic") doesn't call per_device_auto_alloc_size.

This results in writing to the internal SDRAM at
	priv->desc_before_addr = true;

Signed-off-by: Stefan Mavrodiev <stefan@olimex.com>
---
 drivers/usb/musb-new/sunxi.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Marek Vasut Dec. 5, 2018, 12:57 p.m. | #1
On 12/05/2018 01:49 PM, Stefan Mavrodiev wrote:
> When the device is in peripheral mode

Can you have two devices, one in peripheral mode and one in host mode,
on the same system ?

> there is no
> struct usb_bus_priv allocated pointer, as the uclass driver
> ("usb_dev_generic") doesn't call per_device_auto_alloc_size.
> 
> This results in writing to the internal SDRAM at
> 	priv->desc_before_addr = true;
> 
> Signed-off-by: Stefan Mavrodiev <stefan@olimex.com>
> ---
>  drivers/usb/musb-new/sunxi.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/usb/musb-new/sunxi.c b/drivers/usb/musb-new/sunxi.c
> index 6cf9826cda..f3deb9bc66 100644
> --- a/drivers/usb/musb-new/sunxi.c
> +++ b/drivers/usb/musb-new/sunxi.c
> @@ -435,11 +435,14 @@ static int musb_usb_probe(struct udevice *dev)
>  {
>  	struct sunxi_glue *glue = dev_get_priv(dev);
>  	struct musb_host_data *host = &glue->mdata;
> -	struct usb_bus_priv *priv = dev_get_uclass_priv(dev);
>  	struct musb_hdrc_platform_data pdata;
>  	void *base = dev_read_addr_ptr(dev);
>  	int ret;
>  
> +#ifdef CONFIG_USB_MUSB_HOST
> +	struct usb_bus_priv *priv = dev_get_uclass_priv(dev);
> +#endif
> +
>  	if (!base)
>  		return -EINVAL;
>  
> @@ -459,7 +462,6 @@ static int musb_usb_probe(struct udevice *dev)
>  		return ret;
>  	}
>  
> -	priv->desc_before_addr = true;

See my question at the beginning, and if that can be the case, the fix
is to check if priv is not null here, eg.
if (priv)
 priv->...

Still, why is the priv data not allocated for device ?

>  	memset(&pdata, 0, sizeof(pdata));
>  	pdata.power = 250;
> @@ -467,6 +469,8 @@ static int musb_usb_probe(struct udevice *dev)
>  	pdata.config = glue->cfg->config;
>  
>  #ifdef CONFIG_USB_MUSB_HOST
> +	priv->desc_before_addr = true;
> +
>  	pdata.mode = MUSB_HOST;
>  	host->host = musb_init_controller(&pdata, &glue->dev, base);
>  	if (!host->host)
>
Stefan Mavrodiev Dec. 5, 2018, 1:06 p.m. | #2
On 12/5/18 2:57 PM, Marek Vasut wrote:
> On 12/05/2018 01:49 PM, Stefan Mavrodiev wrote:
>> When the device is in peripheral mode
> Can you have two devices, one in peripheral mode and one in host mode,
> on the same system ?

Not 100% sure, but I'm thinking there is only one OTG port for
all sunxi boards. The operation is decided in the Kconfig.

>
>> there is no
>> struct usb_bus_priv allocated pointer, as the uclass driver
>> ("usb_dev_generic") doesn't call per_device_auto_alloc_size.
>>
>> This results in writing to the internal SDRAM at
>> 	priv->desc_before_addr = true;
>>
>> Signed-off-by: Stefan Mavrodiev <stefan@olimex.com>
>> ---
>>   drivers/usb/musb-new/sunxi.c | 8 ++++++--
>>   1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/usb/musb-new/sunxi.c b/drivers/usb/musb-new/sunxi.c
>> index 6cf9826cda..f3deb9bc66 100644
>> --- a/drivers/usb/musb-new/sunxi.c
>> +++ b/drivers/usb/musb-new/sunxi.c
>> @@ -435,11 +435,14 @@ static int musb_usb_probe(struct udevice *dev)
>>   {
>>   	struct sunxi_glue *glue = dev_get_priv(dev);
>>   	struct musb_host_data *host = &glue->mdata;
>> -	struct usb_bus_priv *priv = dev_get_uclass_priv(dev);
>>   	struct musb_hdrc_platform_data pdata;
>>   	void *base = dev_read_addr_ptr(dev);
>>   	int ret;
>>   
>> +#ifdef CONFIG_USB_MUSB_HOST
>> +	struct usb_bus_priv *priv = dev_get_uclass_priv(dev);
>> +#endif
>> +
>>   	if (!base)
>>   		return -EINVAL;
>>   
>> @@ -459,7 +462,6 @@ static int musb_usb_probe(struct udevice *dev)
>>   		return ret;
>>   	}
>>   
>> -	priv->desc_before_addr = true;
> See my question at the beginning, and if that can be the case, the fix
> is to check if priv is not null here, eg.
> if (priv)
>   priv->...
>
> Still, why is the priv data not allocated for device ?

Depending on configuration, the device is registered either as
UCLASS_USB_DEV_GENERIC or UCLASS_USB. There is no

    .per_device_auto_alloc_size = sizeof(struct usb_bus_priv),

for the second. (As seen in drivers/usb/host/usb-uclass.c)

>
>>   	memset(&pdata, 0, sizeof(pdata));
>>   	pdata.power = 250;
>> @@ -467,6 +469,8 @@ static int musb_usb_probe(struct udevice *dev)
>>   	pdata.config = glue->cfg->config;
>>   
>>   #ifdef CONFIG_USB_MUSB_HOST
>> +	priv->desc_before_addr = true;
>> +
>>   	pdata.mode = MUSB_HOST;
>>   	host->host = musb_init_controller(&pdata, &glue->dev, base);
>>   	if (!host->host)
>>
>
Maxime Ripard Dec. 5, 2018, 1:11 p.m. | #3
On Wed, Dec 05, 2018 at 01:57:14PM +0100, Marek Vasut wrote:
> On 12/05/2018 01:49 PM, Stefan Mavrodiev wrote:
> > When the device is in peripheral mode
> 
> Can you have two devices, one in peripheral mode and one in host mode,
> on the same system ?

No, or at least, on all of the SoCs that Allwinner ever produced,
there's only a single musb controller.

Maxime
Marek Vasut Dec. 5, 2018, 1:16 p.m. | #4
On 12/05/2018 02:06 PM, Stefan Mavrodiev wrote:
> 
> On 12/5/18 2:57 PM, Marek Vasut wrote:
>> On 12/05/2018 01:49 PM, Stefan Mavrodiev wrote:
>>> When the device is in peripheral mode
>> Can you have two devices, one in peripheral mode and one in host mode,
>> on the same system ?
> 
> Not 100% sure, but I'm thinking there is only one OTG port for
> all sunxi boards. The operation is decided in the Kconfig.

I'm rather sure I saw sunxi boards with more than one USB port.

>>> there is no
>>> struct usb_bus_priv allocated pointer, as the uclass driver
>>> ("usb_dev_generic") doesn't call per_device_auto_alloc_size.
>>>
>>> This results in writing to the internal SDRAM at
>>>     priv->desc_before_addr = true;
>>>
>>> Signed-off-by: Stefan Mavrodiev <stefan@olimex.com>
>>> ---
>>>   drivers/usb/musb-new/sunxi.c | 8 ++++++--
>>>   1 file changed, 6 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/usb/musb-new/sunxi.c b/drivers/usb/musb-new/sunxi.c
>>> index 6cf9826cda..f3deb9bc66 100644
>>> --- a/drivers/usb/musb-new/sunxi.c
>>> +++ b/drivers/usb/musb-new/sunxi.c
>>> @@ -435,11 +435,14 @@ static int musb_usb_probe(struct udevice *dev)
>>>   {
>>>       struct sunxi_glue *glue = dev_get_priv(dev);
>>>       struct musb_host_data *host = &glue->mdata;
>>> -    struct usb_bus_priv *priv = dev_get_uclass_priv(dev);
>>>       struct musb_hdrc_platform_data pdata;
>>>       void *base = dev_read_addr_ptr(dev);
>>>       int ret;
>>>   +#ifdef CONFIG_USB_MUSB_HOST
>>> +    struct usb_bus_priv *priv = dev_get_uclass_priv(dev);
>>> +#endif
>>> +
>>>       if (!base)
>>>           return -EINVAL;
>>>   @@ -459,7 +462,6 @@ static int musb_usb_probe(struct udevice *dev)
>>>           return ret;
>>>       }
>>>   -    priv->desc_before_addr = true;
>> See my question at the beginning, and if that can be the case, the fix
>> is to check if priv is not null here, eg.
>> if (priv)
>>   priv->...
>>
>> Still, why is the priv data not allocated for device ?
> 
> Depending on configuration, the device is registered either as
> UCLASS_USB_DEV_GENERIC or UCLASS_USB. There is no
> 
>    .per_device_auto_alloc_size = sizeof(struct usb_bus_priv),
> 
> for the second. (As seen in drivers/usb/host/usb-uclass.c)

I see the code is rather horrible. I'd expect all that configuration to
come from DT otg-mode property instead of being hard-wired into the
code. Sigh.

Jagan, A-B? I'd like to pick this.

>>
>>>       memset(&pdata, 0, sizeof(pdata));
>>>       pdata.power = 250;
>>> @@ -467,6 +469,8 @@ static int musb_usb_probe(struct udevice *dev)
>>>       pdata.config = glue->cfg->config;
>>>     #ifdef CONFIG_USB_MUSB_HOST
>>> +    priv->desc_before_addr = true;
>>> +
>>>       pdata.mode = MUSB_HOST;
>>>       host->host = musb_init_controller(&pdata, &glue->dev, base);
>>>       if (!host->host)
>>>
>>

Patch

diff --git a/drivers/usb/musb-new/sunxi.c b/drivers/usb/musb-new/sunxi.c
index 6cf9826cda..f3deb9bc66 100644
--- a/drivers/usb/musb-new/sunxi.c
+++ b/drivers/usb/musb-new/sunxi.c
@@ -435,11 +435,14 @@  static int musb_usb_probe(struct udevice *dev)
 {
 	struct sunxi_glue *glue = dev_get_priv(dev);
 	struct musb_host_data *host = &glue->mdata;
-	struct usb_bus_priv *priv = dev_get_uclass_priv(dev);
 	struct musb_hdrc_platform_data pdata;
 	void *base = dev_read_addr_ptr(dev);
 	int ret;
 
+#ifdef CONFIG_USB_MUSB_HOST
+	struct usb_bus_priv *priv = dev_get_uclass_priv(dev);
+#endif
+
 	if (!base)
 		return -EINVAL;
 
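Review bot: the `priv` declaration added under `#ifdef CONFIG_USB_MUSB_HOST` after `int ret;` creates a second, conditionally compiled declaration block whose only user is the host branch further down in this function. Declaring `priv` inside that existing `#ifdef CONFIG_USB_MUSB_HOST` section, or keeping the original unconditional declaration and guarding only the use, would avoid the extra preprocessor block. A one-line comment stating that the uclass private data is only allocated in host mode would also record why the declaration is conditional.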
@@ -459,7 +462,6 @@  static int musb_usb_probe(struct udevice *dev)
 		return ret;
 	}
 
-	priv->desc_before_addr = true;
 
 	memset(&pdata, 0, sizeof(pdata));
 	pdata.power = 250;
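Review bot: removing `priv->desc_before_addr = true;` here leaves the blank context line above it and the blank context line below it adjacent, so the result has two consecutive empty lines before `memset(&pdata, 0, sizeof(pdata));`. One of the two blank lines should be dropped in the same hunk.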
@@ -467,6 +469,8 @@  static int musb_usb_probe(struct udevice *dev)
 	pdata.config = glue->cfg->config;
 
 #ifdef CONFIG_USB_MUSB_HOST
+	priv->desc_before_addr = true;
+
 	pdata.mode = MUSB_HOST;
 	host->host = musb_init_controller(&pdata, &glue->dev, base);
 	if (!host->host)
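Review bot: `priv->desc_before_addr = true;` is still an unchecked dereference of the value returned by `dev_get_uclass_priv(dev)`; the protection is compile-time only, so it holds only as long as every CONFIG_USB_MUSB_HOST build registers the device under a uclass that allocates `struct usb_bus_priv`. A runtime check before the store, for example `if (!priv) return -EINVAL;` or the `if (priv)` form suggested in the review thread, would keep a later mismatch between Kconfig and uclass registration from turning back into a write through a null pointer.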