In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
and there is a dereference of it in cdnsp_endpoint_init(), which could
lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().
Fix this bug by adding a check of pep->ring.
This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.
Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.
Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
and our static analyzer no longer warns about this code.
Fixes: 3d82904559 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Cc: stable <stable@vger.kernel.org>
Acked-by: Pawel Laszczak <pawell@cadence.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130172700.206650-1-zhou1615@umn.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb_endpoint_maxp() only returns the bit[10:0] of wMaxPacketSize
of endpoint descriptor, not include bit[12:11] anymore, so use
usb_endpoint_maxp_mult() instead.
Fixes: 3d82904559 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Cc: stable@vger.kernel.org
Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Link: https://lore.kernel.org/r/1628836253-7432-4-git-send-email-chunfeng.yun@mediatek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This code generates a Smatch warning:
drivers/usb/cdns3/cdnsp-mem.c:1085 cdnsp_mem_cleanup()
warn: variable dereferenced before check 'pdev->dcbaa' (see line 1067)
The unchecked dereference happens inside the function when we call:
cdnsp_free_priv_device(pdev);
But fortunately, the "pdev->dcbaa" pointer can never be NULL so it
does not lead to a runtime issue. We can just remove the NULL check
which silences the warning and makes the code consistent.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Link: https://lore.kernel.org/r/20210505055854.40240-1-pawell@gli-login.cadence.com
Signed-off-by: Peter Chen <peter.chen@kernel.org>
The variable ret is being initialized with a value that is
never read and it is being updated later with a new value. The
initialization is redundant and can be removed.
Addresses-Coverity: ("Unused value")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Peter Chen <peter.chen@kernel.org>
dma_alloc_coherent already zeroes out memory, so memset is not needed.
Signed-off-by: Wang Qing <wangqing@vivo.com>
Reviewed-by: Pawel Laszczak <pawell@cadence.com>
Acked-by: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Peter Chen <peter.chen@kernel.org>
Patch fixes all sparse warnings in cdsnp driver.
It fixes the following warnings:
cdnsp-ring.c:1441: warning: incorrect type in assignment
cdnsp-ring.c:1444: warning: restricted __le32 degrades to integer
cdnsp-ring.c:2200: warning: dubious: x | !y
cdnsp-gadget.c:501: warning: incorrect type in assignment
cdnsp-gadget.c:504: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:507: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:508: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:509: warning: invalid assignment: |=
cdnsp-gadget.c:510: warning: cast from restricted __le32
cdnsp-gadget.c:558: warning: incorrect type in assignment
cdnsp-gadget.c:561: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:570: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:1571: warning: incorrect type in argument 1
cdnsp-gadget.c:1602: warning: restricted __le32 degrades to integer
cdnsp-gadget.c:1760: warning: incorrect type in assignment
cdnsp-gadget.c:1762: warning: incorrect type in assignment
cdnsp-gadget.c:1763: warning: incorrect type in assignment
cdnsp-gadget.c:1764: warning: incorrect type in assignment
cdnsp-gadget.c:1765: warning: incorrect type in assignment
cdnsp-gadget.c:1766: warning: incorrect type in assignment
cdnsp-gadget.c:1767: warning: incorrect type in assignment
cdnsp-gadget.c:458: warning: cast truncates bits from constant value
(ffffffff07ffffff becomes 7ffffff)
cdnsp-gadget.c:666: warning: cast truncates bits from constant value
(ffffffff07ffffff becomes 7ffffff)
cdnsp-mem.c:762: warning: incorrect type in assignment
cdnsp-mem.c:763: warning: incorrect type in assignment
cdnsp-mem.c:928: warning: cast from restricted __le16
cdnsp-mem.c:1187: warning: incorrect type in assignment
cdnsp-mem.c:1191: warning: incorrect type in assignment
cdnsp-ep0.c:142: warning: incorrect type in assignment
cdnsp-ep0.c:144: warning: restricted __le32 degrades to integer
cdnsp-ep0.c:147: warning: restricted __le32 degrades to integer
cdnsp-ep0.c:148: warning: restricted __le32 degrades to integer
cdnsp-ep0.c:179: warning: incorrect type in argument 1
cdnsp-ep0.c:311: warning: incorrect type in argument 1
cdnsp-ep0.c:469: warning: incorrect type in assignment
cdnsp-trace.h:611:1: warning: cast from restricted __le32
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
This function uses "One Function Cleans up Everything" style and that's
basically impossible to do correctly. It's cleaner to write it with
"clean up the most recent allocation".
Patch fixes two isues:
1. If pdev->dcbaa = dma_alloc_coherent() fails then that leads to a NULL
dereference inside the cdnsp_free_priv_device() function.
2. if cdnsp_alloc_priv_device() fails that leads to a double free because
we free pdev->out_ctx.bytes in several places.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
This patch removes 'flags' argument from some functions and use
indirect the correct GFP_XXX flag to fix the following warning:
'The patch d40a169aab24: "usb: cdnsp: cdns3 Add main part of Cadence
USBSSP DRD Driver" from Dec 7, 2020, leads to the following static
checker warning:
drivers/usb/cdns3/cdnsp-mem.c:1229 cdnsp_mem_init()
warn: use 'flags' here instead of GFP_XXX?
drivers/usb/cdns3/cdnsp-mem.c
1206 int cdnsp_mem_init(struct cdnsp_device *pdev, gfp_t flags);'
^^^^^^^^^^^
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Patch adds the series of tracepoints that can be used for
debugging issues detected in driver.
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
This patch introduces the main part of Cadence USBSSP DRD driver
to Linux kernel.
To reduce the patch size a little bit, the header file gadget.h was
intentionally added as separate patch.
The Cadence USBSSP DRD Controller is a highly configurable IP Core which
can be instantiated as Dual-Role Device (DRD), Peripheral Only and
Host Only (XHCI)configurations.
The current driver has been validated with FPGA platform. We have
support for PCIe bus, which is used on FPGA prototyping.
The host side of USBSS DRD controller is compliant with XHCI.
The architecture for device side is almost the same as for host side,
and most of the XHCI specification can be used to understand how
this controller operates.
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
