Changeset a6afb4c in mainline

Timestamp:

2018-01-23T14:02:35Z (6 years ago)

Author:

Ondřej Hlavatý <aearsis@…>

Branches:

lfn, master, serial, ticket/834-toolchain-update, topic/msim-upgrade, topic/simplify-dev-export

Children:

4db49344

Parents:

e7e1fd3

git-author:

Ondřej Hlavatý <aearsis@…> (2018-01-23 13:35:50)

git-committer:

Ondřej Hlavatý <aearsis@…> (2018-01-23 14:02:35)

Message:

usbhost: check validity of arguments, cleanup

Location:

uspace/lib

Files:

• drv/include/usbhc_iface.h (modified) (4 diffs)
• usb/include/usb/usb.h (modified) (6 diffs)
• usbhost/include/usb/host/bus.h (modified) (1 diff)
• usbhost/src/bus.c (modified) (13 diffs)
• usbhost/src/ddf_helpers.c (modified) (4 diffs)

uspace/lib/drv/include/usbhc_iface.h

@@ -60 +60 @@
  * Negative values could be used to indicate error.
  */
-typedef int16_t usb_endpoint_t;
+typedef uint16_t usb_endpoint_t;
 
 /** USB address type.
  * Negative values could be used to indicate error.
  */
-typedef int16_t usb_address_t;
+typedef uint16_t usb_address_t;
+
+/**
+ * USB Stream ID type.
+ */
+typedef uint16_t usb_stream_t;
 
 /** USB transfer type. */
@@ -72 +77 @@
         USB_TRANSFER_ISOCHRONOUS = 1,
         USB_TRANSFER_BULK = 2,
-        USB_TRANSFER_INTERRUPT = 3
+        USB_TRANSFER_INTERRUPT = 3,
 } usb_transfer_type_t;
+
+#define USB_TRANSFER_COUNT  (USB_TRANSFER_INTERRUPT + 1)
 
 /** USB data transfer direction. */
@@ -79 +86 @@
         USB_DIRECTION_IN,
         USB_DIRECTION_OUT,
-        USB_DIRECTION_BOTH
+        USB_DIRECTION_BOTH,
 } usb_direction_t;
+
+#define USB_DIRECTION_COUNT  (USB_DIRECTION_BOTH + 1)
 
 /** USB complete address type.
@@ -89 +98 @@
                 usb_address_t address;
                 usb_endpoint_t endpoint;
-                uint32_t stream;
+                usb_stream_t stream;
         } __attribute__((packed));
         uint64_t packed;

uspace/lib/usb/include/usb/usb.h

@@ -63 +63 @@
 }
 
+static inline bool usb_speed_is_valid(const usb_speed_t s)
+{
+        return (s >= USB_SPEED_LOW) && (s < USB_SPEED_MAX);
+}
+
 const char *usb_str_speed(usb_speed_t);
 
@@ -97 +102 @@
 static inline bool usb_address_is_valid(usb_address_t a)
 {
-        return (a >= USB_ADDRESS_DEFAULT) && (a <= USB11_ADDRESS_MAX);
+        return a <= USB11_ADDRESS_MAX;
 }
 
@@ -105 +110 @@
 /** Maximum endpoint number in USB */
 #define USB_ENDPOINT_MAX 16
+
+/** There might be two directions for every endpoint number (except 0) */
+#define USB_ENDPOINT_COUNT (2 * USB_ENDPOINT_MAX)
 
 /** Check USB endpoint for allowed values.
@@ -115 +123 @@
 static inline bool usb_endpoint_is_valid(usb_endpoint_t ep)
 {
-        return (ep >= USB_ENDPOINT_DEFAULT_CONTROL) &&
-            (ep < USB_ENDPOINT_MAX);
+        return ep < USB_ENDPOINT_MAX;
 }
 
-/** Check USB target for allowed values (address and endpoint).
+/**
+ * Check USB target for allowed values (address, endpoint, stream).
  *
  * @param target.
  * @return True, if values are wihtin limits, false otherwise.
  */
-static inline bool usb_target_is_valid(usb_target_t target)
+static inline bool usb_target_is_valid(usb_target_t *target)
 {
-        return usb_address_is_valid(target.address) &&
-            usb_endpoint_is_valid(target.endpoint);
+        return usb_address_is_valid(target->address) &&
+            usb_endpoint_is_valid(target->endpoint);
+
+        // A 16-bit Stream ID is always valid.
 }
 
@@ -136 +146 @@
  * @return Whether @p a and @p b points to the same pipe on the same device.
  */
-static inline int usb_target_same(usb_target_t a, usb_target_t b)
+static inline bool usb_target_same(usb_target_t a, usb_target_t b)
 {
         return (a.address == b.address)
@@ -142 +152 @@
 }
 
-/** General handle type.
- * Used by various USB functions as opaque handle.
- */
-typedef sysarg_t usb_handle_t;
+static inline bool usb_transfer_type_is_valid(usb_transfer_type_t type)
+{
+        return (type >= 0) && (type < USB_TRANSFER_COUNT);
+}
+
+static inline bool usb_direction_is_valid(usb_direction_t dir)
+{
+        return (dir >= 0) && (dir < USB_DIRECTION_COUNT);
+}
 
 /** USB packet identifier. */

uspace/lib/usbhost/include/usb/host/bus.h

@@ -84 +84 @@
         usb_speed_t speed;
         usb_address_t address;
-        endpoint_t *endpoints [2 * USB_ENDPOINT_MAX];
+        endpoint_t *endpoints [USB_ENDPOINT_COUNT];
 
         /* Managing bus */

uspace/lib/usbhost/src/bus.c

@@ -42 +42 @@
 #include <errno.h>
 #include <mem.h>
+#include <macros.h>
 #include <stdio.h>
 #include <str_error.h>
@@ -345 +346 @@
  * For different arguments, the result is stable but not defined.
  */
-static int bus_endpoint_index(usb_endpoint_t ep, usb_direction_t dir)
+static size_t bus_endpoint_index(usb_endpoint_t ep, usb_direction_t dir)
 {
         return 2 * ep + (dir == USB_DIRECTION_OUT);
@@ -384 +385 @@
         endpoint_add_ref(ep);
 
+        const size_t idx = bus_endpoint_index(ep->endpoint, ep->direction);
+        if (idx >= ARRAY_SIZE(device->endpoints)) {
+                usb_log_warning("Invalid endpoint description (ep no %u out of "
+                    "bounds)", ep->endpoint);
+                goto drop;
+        }
+
         if (ep->max_transfer_size == 0) {
                 usb_log_warning("Invalid endpoint description (mps %zu, "
                         "%u packets)", ep->max_packet_size, ep->packets_per_uframe);
-                /* Bus reference */
-                endpoint_del_ref(ep);
-                return EINVAL;
+                goto drop;
         }
 
@@ -397 +403 @@
             usb_str_direction(ep->direction),
             ep->max_transfer_size);
-
-        const int idx = bus_endpoint_index(ep->endpoint, ep->direction);
 
         fibril_mutex_lock(&device->guard);
@@ -423 +427 @@
 
         return EOK;
+drop:
+        /* Bus reference */
+        endpoint_del_ref(ep);
+        return EINVAL;
 }
 
@@ -428 +436 @@
  * Search for an endpoint. Returns a reference.
  */
-endpoint_t *bus_find_endpoint(device_t *device, usb_endpoint_t endpoint, usb_direction_t dir)
+endpoint_t *bus_find_endpoint(device_t *device, usb_endpoint_t endpoint,
+    usb_direction_t dir)
 {
         assert(device);
 
-        const int idx = bus_endpoint_index(endpoint, dir);
-        const int ctrl_idx = bus_endpoint_index(endpoint, USB_DIRECTION_BOTH);
+        const size_t idx = bus_endpoint_index(endpoint, dir);
+        const size_t ctrl_idx = bus_endpoint_index(endpoint, USB_DIRECTION_BOTH);
+
+        endpoint_t *ep = NULL;
 
         fibril_mutex_lock(&device->guard);
-        endpoint_t *ep = device->endpoints[idx];
+        if (idx < ARRAY_SIZE(device->endpoints))
+                ep = device->endpoints[idx];
         /*
          * If the endpoint was not found, it's still possible it is a control
          * endpoint having direction BOTH.
          */
-        if (!ep) {
+        if (!ep && ctrl_idx < ARRAY_SIZE(device->endpoints)) {
                 ep = device->endpoints[ctrl_idx];
                 if (ep && ep->transfer_type != USB_TRANSFER_CONTROL)
@@ -478 +490 @@
             ep->max_transfer_size);
 
-        const int idx = bus_endpoint_index(ep->endpoint, ep->direction);
+        const size_t idx = bus_endpoint_index(ep->endpoint, ep->direction);
+
+        if (idx >= ARRAY_SIZE(device->endpoints))
+                return EINVAL;
 
         fibril_mutex_lock(&device->guard);
@@ -495 +510 @@
 
 /**
- * Reserve the default address on the bus. Also, report the speed of the device
- * that is listening on the default address.
- *
- * The speed is then used for devices enumerated while the address is reserved.
+ * Reserve the default address on the bus for the specified device (hub).
  */
 int bus_reserve_default_address(bus_t *bus, device_t *dev)
@@ -564 +576 @@
         assert(ep->device == device);
 
-        const int err = endpoint_send_batch(ep, target, direction, data, size, setup_data,
-            on_complete, arg, name);
+        /*
+         * This method is already callable from HC only, so we can force these
+         * conditions harder.
+         * Invalid values from devices shall be caught on DDF interface already.
+         */
+        assert(usb_target_is_valid(&target));
+        assert(usb_direction_is_valid(direction));
+        assert(direction != USB_DIRECTION_BOTH);
+        assert(size == 0 || data != NULL);
+        assert(arg == NULL || on_complete != NULL);
+        assert(name);
+
+        const int err = endpoint_send_batch(ep, target, direction,
+            data, size, setup_data, on_complete, arg, name);
 
         /* Temporary reference */
@@ -573 +597 @@
 }
 
+/**
+ * A structure to pass data from the completion callback to the caller.
+ */
 typedef struct {
         fibril_mutex_t done_mtx;
         fibril_condvar_t done_cv;
-        unsigned done;
+        bool done;
 
         size_t transferred_size;
@@ -592 +619 @@
         d->error = error;
         fibril_mutex_lock(&d->done_mtx);
-        d->done = 1;
+        d->done = true;
         fibril_condvar_broadcast(&d->done_cv);
         fibril_mutex_unlock(&d->done_mtx);
@@ -599 +626 @@
 
 /**
- * Issue a transfer on the bus, wait for result.
+ * Issue a transfer on the bus, wait for the result.
  *
  * @param device Device for which to send the batch
@@ -613 +640 @@
     const char *name)
 {
-        sync_data_t sd = { .done = 0 };
+        sync_data_t sd = { .done = false };
         fibril_mutex_initialize(&sd.done_mtx);
         fibril_condvar_initialize(&sd.done_cv);
 
         const int ret = bus_device_send_batch(device, target, direction,
-            data, size, setup_data,
-            sync_transfer_complete, &sd, name);
+            data, size, setup_data, sync_transfer_complete, &sd, name);
         if (ret != EOK)
                 return ret;
 
+        /*
+         * Note: There are requests that are completed synchronously. It is not
+         *       therefore possible to just lock the mutex before and wait.
+         */
         fibril_mutex_lock(&sd.done_mtx);
-        while (!sd.done) {
+        while (!sd.done)
                 fibril_condvar_wait(&sd.done_cv, &sd.done_mtx);
-        }
         fibril_mutex_unlock(&sd.done_mtx);
 

uspace/lib/usbhost/src/ddf_helpers.c

@@ -154 +154 @@
         int err;
 
+        if (!usb_speed_is_valid(speed))
+                return EINVAL;
+
         usb_log_debug("Hub %d reported a new %s speed device on port: %u",
             hub->address, usb_str_speed(speed), port);
@@ -212 +215 @@
 
         if (!victim) {
-                usb_log_warning("Hub '%s' tried to remove non-existant"
+                usb_log_warning("Hub '%s' tried to remove non-existent"
                     " device.", ddf_fun_get_name(fun));
                 return ENOENT;
@@ -271 +274 @@
         target.address = dev->address;
 
+        if (!usb_target_is_valid(&target))
+                return EINVAL;
+
+        if (size > 0 && data == NULL)
+                return EBADMEM;
+
+        if (!callback && arg)
+                return EBADMEM;
+
         return bus_device_send_batch(dev, target, USB_DIRECTION_IN,
             data, size, setup_data,
@@ -295 +307 @@
 
         target.address = dev->address;
+
+        if (!usb_target_is_valid(&target))
+                return EINVAL;
+
+        if (size > 0 && data == NULL)
+                return EBADMEM;
+
+        if (!callback && arg)
+                return EBADMEM;
 
         return bus_device_send_batch(dev, target, USB_DIRECTION_OUT,