On 19/09/16(Mon) 14:20, Jonathan Gray wrote:
> On Sat, Sep 17, 2016 at 04:36:12PM +0200, Martin Pieuchot wrote:
> > One of the non-checked value read from an untrusted descriptor is the
> > "maximum packet size" of an endpoint.  If a device reports an incorrect
> > value most of our HC drivers wont work and if this value is 0 ehci(4)
> > will crash the kernel.
> > 
> > So here's a diff to validate the value read from the device descriptor
> > which ends up being the value of the default endpoint.
> > 
> > ok?
> 
> This patch made vmware hang when attaching xhci uhubs.
> 
> usbd_new_device bus=0xffff8000001e4000 port=0 depth=0 speed=4
> usbd_new_device: adding unit addr=1, rev=300, class=9, subclass=0, 
> protocol=1, maxpacket=9, len=18, speed=4
> usb2: root hub problem
> 
> usbd_new_device mps 9 mps0 512
> 
> It would appear that for superspeed devices maxpacketsize0 is a power
> of 2?  ie 2^9 is 512.

You're correct, here's a fix.

Index: usb_subr.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/usb_subr.c,v
retrieving revision 1.129
diff -u -p -r1.129 usb_subr.c
--- usb_subr.c  18 Sep 2016 09:51:24 -0000      1.129
+++ usb_subr.c  19 Sep 2016 09:42:58 -0000
@@ -1175,8 +1175,12 @@ usbd_new_device(struct device *parent, s
        }
 
        mps = dd->bMaxPacketSize;
-       if (speed == USB_SPEED_SUPER && mps == 0xff)
-               mps = 512;
+       if (speed == USB_SPEED_SUPER) {
+               if (mps == 0xff)
+                       mps = 9;
+               /* xHCI Section 4.8.2.1 */
+               mps = (1 << mps);
+       }
 
        if (mps != mps0) {
                if ((speed == USB_SPEED_LOW) ||

Reply via email to