On Mon, Sep 19, 2016 at 11:47:40AM +0200, Martin Pieuchot wrote:
> On 19/09/16(Mon) 14:20, Jonathan Gray wrote:
> > On Sat, Sep 17, 2016 at 04:36:12PM +0200, Martin Pieuchot wrote:
> > > One of the non-checked value read from an untrusted descriptor is the
> > > "maximum packet size" of an endpoint. If a device reports an incorrect
> > > value most of our HC drivers wont work and if this value is 0 ehci(4)
> > > will crash the kernel.
> > >
> > > So here's a diff to validate the value read from the device descriptor
> > > which ends up being the value of the default endpoint.
> > >
> > > ok?
> >
> > This patch made vmware hang when attaching xhci uhubs.
> >
> > usbd_new_device bus=0xffff8000001e4000 port=0 depth=0 speed=4
> > usbd_new_device: adding unit addr=1, rev=300, class=9, subclass=0,
> > protocol=1, maxpacket=9, len=18, speed=4
> > usb2: root hub problem
> >
> > usbd_new_device mps 9 mps0 512
> >
> > It would appear that for superspeed devices maxpacketsize0 is a power
> > of 2? ie 2^9 is 512.
>
> You're correct, here's a fix.
Thanks, this patch works with the same setup. ok jsg@
I think the
- (mps != 8 || mps != 16 || mps != 32 || mps != 64)) {
+ (mps != 8 && mps != 16 && mps != 32 && mps != 64))
part of the one I sent sound go in as well?
>
> Index: usb_subr.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/usb/usb_subr.c,v
> retrieving revision 1.129
> diff -u -p -r1.129 usb_subr.c
> --- usb_subr.c 18 Sep 2016 09:51:24 -0000 1.129
> +++ usb_subr.c 19 Sep 2016 09:42:58 -0000
> @@ -1175,8 +1175,12 @@ usbd_new_device(struct device *parent, s
> }
>
> mps = dd->bMaxPacketSize;
> - if (speed == USB_SPEED_SUPER && mps == 0xff)
> - mps = 512;
> + if (speed == USB_SPEED_SUPER) {
> + if (mps == 0xff)
> + mps = 9;
> + /* xHCI Section 4.8.2.1 */
> + mps = (1 << mps);
> + }
>
> if (mps != mps0) {
> if ((speed == USB_SPEED_LOW) ||
>
