usb: usb_ep_get() fixes

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAABAgAGBQJcbTZcAAoJEEy22O7T6HE4VzIP/A0YgJA9qsRWiNeTjbXZz5Hm U7x3W9l+B8QZrzT1Ib9wXDKcMn7dolT9JIWZSOQHX6LJIaMUvLyM3eFye7sC3k4A 9TKeBDH7il+2YlhjGjQQodq/qNhK1krEKdit6Ttr/IAPLDXMsPOWMqlrlicH2sny EZvRiCiKNreR/Sn0BDpsnasVoNL9NvKbURTNG+EmZJWprYAE+IPKfL+Vcy5MvNKe rVPk8LvuzEBupcfbyZQBcCNi9rQGJUFEYSDt4bbUI/EZYGKeLIMHCuTiWj+T34wN FHZSKpOd8+uYuHLTQjRHdH/jjoRMXHAMIhE2JxbDYVKxDa9nhKlUtbw45z4S9Obl gdtDqum3WdP2OnnKGkl0gU2JDGPzavYWyn+ii3UUsFfXKhJnnlUNKxdn2KWu0jjf Z2mr76Hf7IsB9VBzhjrnLmINtuLoc51kIBFSJF9anU2bisfhRKe151hwaHnTtJH7 HaJWKhbrckny4Q9FyAeL3c/gthzJIOTPbMCghTJHbt2X7vO5XxDTTU61rnh47eSS wMtm8/7iJHol86mJJ/CgcuMHSe/PDHF3HeeF0thdYKZ8Sq9VyO/cRxqD6o8OuqqH pEI52C2PKiDUMxj2Q4CSZM8p0mt5zMLGGrej1fa1rDBm4As05f7LJNZ2ez2P+w7G AIBEfKcWtoIWB01x3Uqp =fahv -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/kraxel/tags/usb-20190220-pull-request' into staging usb: usb_ep_get() fixes # gpg: Signature made Wed 20 Feb 2019 11:13:32 GMT # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/usb-20190220-pull-request: usb: remove unnecessary NULL device check from usb_ep_get() usb: add device checks before redirector calls to usb_ep_get() usb: check device is not NULL before calling usb_ep_get() uhci: check device is not NULL before calling usb_ep_get() ohci: check device is not NULL before calling usb_ep_get() ehci: check device is not NULL before calling usb_ep_get() xhci: check device is not NULL before calling usb_ep_get() xhci: add asserts to help with static code analysis usb: rearrange usb_ep_get() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-02-21 09:41:11 +00:00 · 2019-02-21 09:41:11 +00:00 · 039e406603
parent 2e68b86206 7011baece2
commit 039e406603
7 changed files with 30 additions and 16 deletions
--- a/hw/usb/core.c
+++ b/hw/usb/core.c
@ -717,15 +717,13 @@ struct USBEndpoint *usb_ep_get(USBDevice *dev, int pid, int ep)
 {
    struct USBEndpoint *eps;

-    if (dev == NULL) {
-        return NULL;
-    }
-    eps = (pid == USB_TOKEN_IN) ? dev->ep_in : dev->ep_out;
+    assert(dev != NULL);
    if (ep == 0) {
        return &dev->ep_ctl;
    }
    assert(pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT);
    assert(ep > 0 && ep <= USB_MAX_ENDPOINTS);
+    eps = (pid == USB_TOKEN_IN) ? dev->ep_in : dev->ep_out;
    return eps + ep - 1;
 }

--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@ -1439,9 +1439,12 @@ static int ehci_process_itd(EHCIState *ehci,
                qemu_sglist_add(&ehci->isgl, ptr1 + off, len);
            }

-            pid = dir ? USB_TOKEN_IN : USB_TOKEN_OUT;
-
            dev = ehci_find_device(ehci, devaddr);
+            if (dev == NULL) {
+                ehci_trace_guest_bug(ehci, "no device found");
+                return -1;
+            }
+            pid = dir ? USB_TOKEN_IN : USB_TOKEN_OUT;
            ep = usb_ep_get(dev, pid, endp);
            if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
                usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
--- a/hw/usb/hcd-musb.c
+++ b/hw/usb/hcd-musb.c
@ -628,11 +628,11 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,

    /* A wild guess on the FADDR semantics... */
    dev = usb_find_device(&s->port, ep->faddr[idx]);
-    uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
-    id = pid;
-    if (uep) {
-        id |= (dev->addr << 16) | (uep->nr << 8);
+    if (dev == NULL) {
+        return;
    }
+    uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
+    id = pid | (dev->addr << 16) | (uep->nr << 8);
    usb_packet_setup(&ep->packey[dir].p, pid, uep, 0, id, false, true);
    usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
    ep->packey[dir].ep = ep;
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@ -848,6 +848,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
        bool int_req = relative_frame_number == frame_count &&
                       OHCI_BM(iso_td.flags, TD_DI) == 0;
        dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
+        if (dev == NULL) {
+            trace_usb_ohci_td_dev_error();
+            return 1;
+        }
        ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
        usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, false, int_req);
        usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
@ -1071,6 +1075,10 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
            return 1;
        }
        dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
+        if (dev == NULL) {
+            trace_usb_ohci_td_dev_error();
+            return 1;
+        }
        ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
        usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, !flag_r,
                         OHCI_BM(td.flags, TD_DI) == 0);
--- a/hw/usb/hcd-uhci.c
+++ b/hw/usb/hcd-uhci.c
@ -858,13 +858,15 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,

    /* Allocate new packet */
    if (q == NULL) {
-        USBDevice *dev = uhci_find_device(s, (td->token >> 8) & 0x7f);
-        USBEndpoint *ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf);
+        USBDevice *dev;
+        USBEndpoint *ep;

-        if (ep == NULL) {
+        dev = uhci_find_device(s, (td->token >> 8) & 0x7f);
+        if (dev == NULL) {
            return uhci_handle_td_error(s, td, td_addr, USB_RET_NODEV,
                                        int_mask);
        }
+        ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf);
        q = uhci_queue_new(s, qh_addr, td, ep);
    }
    async = uhci_async_alloc(q, td_addr);
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@ -2607,6 +2607,7 @@ static void xhci_port_update(XHCIPort *port, int is_detach)
 {
    uint32_t pls = PLS_RX_DETECT;

+    assert(port);
    port->portsc = PORTSC_PP;
    if (!is_detach && xhci_port_have_device(port)) {
        port->portsc |= PORTSC_CCS;
@ -3215,6 +3216,7 @@ static void xhci_wakeup(USBPort *usbport)
    XHCIState *xhci = usbport->opaque;
    XHCIPort *port = xhci_lookup_port(xhci, usbport);

+    assert(port);
    if (get_field(port->portsc, PORTSC_PLS) != PLS_U3) {
        return;
    }
@ -3274,10 +3276,10 @@ static USBEndpoint *xhci_epid_to_usbep(XHCIEPContext *epctx)
        return NULL;
    }
    uport = epctx->xhci->slots[epctx->slotid - 1].uport;
-    token = (epctx->epid & 1) ? USB_TOKEN_IN : USB_TOKEN_OUT;
-    if (!uport) {
+    if (!uport || !uport->dev) {
        return NULL;
    }
+    token = (epctx->epid & 1) ? USB_TOKEN_IN : USB_TOKEN_OUT;
    return usb_ep_get(uport->dev, token, epctx->epid >> 1);
 }

--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@ -1728,6 +1728,7 @@ static void usbredir_ep_info(void *priv,
    USBRedirDevice *dev = priv;
    int i;

+    assert(dev != NULL);
    for (i = 0; i < MAX_ENDPOINTS; i++) {
        dev->endpoint[i].type = ep_info->type[i];
        dev->endpoint[i].interval = ep_info->interval[i];
@ -2125,7 +2126,7 @@ static int usbredir_post_load(void *priv, int version_id)
 {
    USBRedirDevice *dev = priv;

-    if (dev->parser == NULL) {
+    if (dev == NULL || dev->parser == NULL) {
        return 0;
    }