linux-stable.git/drivers/usb/isp1760, branch linux-5.15.y Linux kernel stable tree usb: isp1760: Fix out-of-bounds array access 2022-06-09T08:22:27+00:00 Linus Walleij linus.walleij@linaro.org 2022-05-16T09:14:24+00:00 bf2558bbdce3ab1d6bcba09f354914e4515d0a2b commit 26ae2c942b5702f2e43d36b2a4389cfb7d616b6a upstream. Running the driver through kasan gives an interesting splat: BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c Read of size 20 at addr f1db2e64 by task swapper/0/1 (...) isp1760_register from isp1760_plat_probe+0x1d8/0x220 (...) This happens because the loop reading the regmap fields for the different ISP1760 variants look like this: for (i = 0; i < HC_FIELD_MAX; i++) { ... } Meaning it expects the arrays to be at least HC_FIELD_MAX - 1 long. However the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[], isp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are dynamically sized during compilation. Fix this by putting an empty assignment to the [HC_FIELD_MAX] and [DC_FIELD_MAX] array member at the end of each array. This will make the array one member longer than it needs to be, but avoids the risk of overwriting whatever is inside [HC_FIELD_MAX - 1] and is simple and intuitive to read. Also add comments explaining what is going on. Fixes: 1da9e1c06873 ("usb: isp1760: move to regmap for register access") Cc: stable@vger.kernel.org Cc: Rui Miguel Silva <rui.silva@linaro.org> Cc: Dietmar Eggemann <dietmar.eggemann@arm.com> Reviewed-by: Rui Miguel Silva <rui.silva@linaro.org> Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Link: https://lore.kernel.org/r/20220516091424.391209-1-linus.walleij@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 26ae2c942b5702f2e43d36b2a4389cfb7d616b6a upstream.

Running the driver through kasan gives an interesting splat:

  BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c
  Read of size 20 at addr f1db2e64 by task swapper/0/1
  (...)
  isp1760_register from isp1760_plat_probe+0x1d8/0x220
  (...)

This happens because the loop reading the regmap fields for the
different ISP1760 variants look like this:

  for (i = 0; i < HC_FIELD_MAX; i++) { ... }

Meaning it expects the arrays to be at least HC_FIELD_MAX - 1 long.

However the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[],
isp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are
dynamically sized during compilation.

Fix this by putting an empty assignment to the [HC_FIELD_MAX]
and [DC_FIELD_MAX] array member at the end of each array.
This will make the array one member longer than it needs to be,
but avoids the risk of overwriting whatever is inside
[HC_FIELD_MAX - 1] and is simple and intuitive to read. Also
add comments explaining what is going on.

Fixes: 1da9e1c06873 ("usb: isp1760: move to regmap for register access")
Cc: stable@vger.kernel.org
Cc: Rui Miguel Silva <rui.silva@linaro.org>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Reviewed-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20220516091424.391209-1-linus.walleij@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: isp1760: otg control register access 2021-08-27T14:11:39+00:00 Rui Miguel Silva rui.silva@linaro.org 2021-08-27T13:11:54+00:00 9c1587d99f9305aa4f10b47fcf1981012aa5381f The set/clear of the otg control values is done writing to two different 16bit registers, however we setup the regmap width for isp1760/61 to 32bit value bits. So, just access the clear register address (0x376)as the high part of the otg control register set (0x374), and write the values in one go to make sure they get clear/set. Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com> Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com> Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Link: https://lore.kernel.org/r/20210827131154.4151862-6-rui.silva@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The set/clear of the otg control values is done writing to
two different 16bit registers, however we setup the regmap
width for isp1760/61 to 32bit value bits.

So, just access the clear register address (0x376)as the high
part of the otg control register set (0x374), and write the
values in one go to make sure they get clear/set.

Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Link: https://lore.kernel.org/r/20210827131154.4151862-6-rui.silva@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: isp1760: use the right irq status bit 2021-08-27T14:11:39+00:00 Rui Miguel Silva rui.silva@linaro.org 2021-08-27T13:11:53+00:00 955d0fb590f18ec5c3a4085c7d0e39b6abde0dd6 Instead of using the fields enum values to check interrupts trigged, use the correct bit values. Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com> Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com> Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Link: https://lore.kernel.org/r/20210827131154.4151862-5-rui.silva@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Instead of using the fields enum values to check interrupts
trigged, use the correct bit values.

Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Link: https://lore.kernel.org/r/20210827131154.4151862-5-rui.silva@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: isp1760: write to status and address register 2021-08-27T14:11:39+00:00 Rui Miguel Silva rui.silva@linaro.org 2021-08-27T13:11:52+00:00 36815a4a0763bb405ebd776c45553005c1ef7a15 We were already writing directly the port status register to trigger changes in isp1763. The same is needed in other IP from the family, including also to setup the read address before reading from device. Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com> Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com> Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Link: https://lore.kernel.org/r/20210827131154.4151862-4-rui.silva@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We were already writing directly the port status register to
trigger changes in isp1763. The same is needed in other IP
from the family, including also to setup the read address
before reading from device.

Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Link: https://lore.kernel.org/r/20210827131154.4151862-4-rui.silva@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: isp1760: fix qtd fill length 2021-08-27T14:11:38+00:00 Rui Miguel Silva rui.silva@linaro.org 2021-08-27T13:11:51+00:00 cbfa3effdf5c2d411c9ce9820f3d33d77bc4697d When trying to send bulks bigger than the biggest block size we need to split them over several qtd. Fix this limiting the maximum qtd size to largest block size. Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com> Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com> Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Link: https://lore.kernel.org/r/20210827131154.4151862-3-rui.silva@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
When trying to send bulks bigger than the biggest block size
we need to split them over several qtd. Fix this limiting the
maximum qtd size to largest block size.

Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Link: https://lore.kernel.org/r/20210827131154.4151862-3-rui.silva@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: isp1760: fix memory pool initialization 2021-08-27T14:11:38+00:00 Rui Miguel Silva rui.silva@linaro.org 2021-08-27T13:11:50+00:00 f757f9291f920e1da4c6cfd4064c6bf59639983e The loops to setup the memory pool were skipping some blocks, that was not visible on the ISP1763 because it has fewer blocks than the ISP1761. But won testing on that IP from the family that would be an issue. Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com> Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com> Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Link: https://lore.kernel.org/r/20210827131154.4151862-2-rui.silva@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The loops to setup the memory pool were skipping some
blocks, that was not visible on the ISP1763 because it has
fewer blocks than the ISP1761. But won testing on that IP
from the family that would be an issue.

Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Link: https://lore.kernel.org/r/20210827131154.4151862-2-rui.silva@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: isp1760: clean never read udc_enabled warning 2021-08-26T11:30:39+00:00 Rui Miguel Silva rui.silva@linaro.org 2021-08-19T18:09:29+00:00 de940244e8987a76d73fb2b0057ecd494cbfeefd When CONFIG_USB_ISP1761_UDC is not enabled the udc_enabled variable is never used since it is short circuited before in the logic operations. This would trigger the following warning by clang analyzer: drivers/usb/isp1760/isp1760-core.c:490:2: warning: Value stored to 'udc_enabled' is never read [clang-analyzer-deadcode.DeadStores] udc_enabled = ((devflags & ISP1760_FLAG_ISP1763) || ^ drivers/usb/isp1760/isp1760-core.c:490:2: note: Value stored to 'udc_enabled' is never read Just swap the other of the operands in the logic operations. Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Link: https://lore.kernel.org/r/20210819180929.1327349-6-rui.silva@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
When CONFIG_USB_ISP1761_UDC is not enabled the udc_enabled variable is
never used since it is short circuited before in the logic operations.

This would trigger the following warning by clang analyzer:

drivers/usb/isp1760/isp1760-core.c:490:2: warning: Value stored to 'udc_enabled' is never read [clang-analyzer-deadcode.DeadStores]
        udc_enabled = ((devflags & ISP1760_FLAG_ISP1763) ||
        ^
drivers/usb/isp1760/isp1760-core.c:490:2: note: Value stored to 'udc_enabled' is never read

Just swap the other of the operands in the logic operations.

Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Link: https://lore.kernel.org/r/20210819180929.1327349-6-rui.silva@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: isp1760: do not shift in uninitialized slot 2021-08-26T11:30:39+00:00 Rui Miguel Silva rui.silva@linaro.org 2021-08-19T18:09:28+00:00 7d1d3882fd9da1ee42fe3ad3a5ffd41fb8204380 Even though it is not expected, and would trigger a WARN_ON, killing a transfer in a uninitialized slot this sequence is warned by clang analyzer, twice: drivers/usb/isp1760/isp1760-hcd.c:1976:18: warning: The result of the left shift is undefined because the right operand is negative [clang-analyzer-core.UndefinedBinaryOperatorResult] skip_map |= (1 << qh->slot); drivers/usb/isp1760/isp1760-hcd.c:1983:18: warning: The result of the left shift is undefined because the right operand is negative [clang-analyzer-core.UndefinedBinaryOperatorResult] skip_map |= (1 << qh->slot); Only set skip map if slot is active. Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Link: https://lore.kernel.org/r/20210819180929.1327349-5-rui.silva@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Even though it is not expected, and would trigger a WARN_ON, killing a
transfer in a uninitialized slot this sequence is warned by clang
analyzer, twice:

drivers/usb/isp1760/isp1760-hcd.c:1976:18: warning: The result of the left shift is undefined because the right operand is negative [clang-analyzer-core.UndefinedBinaryOperatorResult]
                skip_map |= (1 << qh->slot);
drivers/usb/isp1760/isp1760-hcd.c:1983:18: warning: The result of the left shift is undefined because the right operand is negative [clang-analyzer-core.UndefinedBinaryOperatorResult]
                skip_map |= (1 << qh->slot);

Only set skip map if slot is active.

Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Link: https://lore.kernel.org/r/20210819180929.1327349-5-rui.silva@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: isp1760: do not reset retval 2021-08-26T11:30:39+00:00 Rui Miguel Silva rui.silva@linaro.org 2021-08-19T18:09:27+00:00 5e4cd1b6556302fe6a457e525c256cbef3563543 We do not really need to reset retval before get used bellow. This will avoid the clang-analyzer warning: drivers/usb/isp1760/isp1760-hcd.c:1919:2: warning: Value stored to 'retval' is never read [clang-analyzer-deadcode.DeadStores] retval = 0; Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Link: https://lore.kernel.org/r/20210819180929.1327349-4-rui.silva@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We do not really need to reset retval before get used bellow.
This will avoid the clang-analyzer warning:

drivers/usb/isp1760/isp1760-hcd.c:1919:2: warning: Value stored to 'retval' is never read [clang-analyzer-deadcode.DeadStores]
        retval = 0;

Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Link: https://lore.kernel.org/r/20210819180929.1327349-4-rui.silva@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: isp1760: check maxpacketsize before using it 2021-08-26T11:30:39+00:00 Rui Miguel Silva rui.silva@linaro.org 2021-08-19T18:09:26+00:00 8e58b7710d6634ed46ae26fedb8459f84f08fd51 When checking if we need one more packet on a bulk pipe we may, even though not probable at all, get there with a zero maxpacketsize. In that case for sure no packet, no even a one more, will be allocated. This will clean the clang-analyzer warning: drivers/usb/isp1760/isp1760-hcd.c:1856:38: warning: Division by zero [clang-analyzer-core.DivideZero] && !(urb->transfer_buffer_length % Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Link: https://lore.kernel.org/r/20210819180929.1327349-3-rui.silva@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
When checking if we need one more packet on a bulk pipe we may, even
though not probable at all, get there with a zero maxpacketsize.
In that case for sure no packet, no even a one more, will be
allocated.

This will clean the clang-analyzer warning:
drivers/usb/isp1760/isp1760-hcd.c:1856:38: warning: Division by zero [clang-analyzer-core.DivideZero]
                                && !(urb->transfer_buffer_length %

Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Link: https://lore.kernel.org/r/20210819180929.1327349-3-rui.silva@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>