On 19/09/16(Mon) 14:20, Jonathan Gray wrote:
> On Sat, Sep 17, 2016 at 04:36:12PM +0200, Martin Pieuchot wrote:
> > One of the non-checked values read from an untrusted descriptor is the
> > "maximum packet size" of an endpoint. If a device reports an incorrect
> > value most of our HC drivers won't work and if this value is 0 ehci(4)
> > will crash the kernel.
> >
> > So here's a diff to validate the value read from the device descriptor
> > which ends up being the value of the default endpoint.
> >
> > ok?
>
> This patch made vmware hang when attaching xhci uhubs.
>
> usbd_new_device bus=0xffff8000001e4000 port=0 depth=0 speed=4
> usbd_new_device: adding unit addr=1, rev=300, class=9, subclass=0,
> protocol=1, maxpacket=9, len=18, speed=4
> usb2: root hub problem
>
> usbd_new_device mps 9 mps0 512
>
> It would appear that for superspeed devices maxpacketsize0 is a power
> of 2? ie 2^9 is 512.

You're correct, here's a fix. Index: usb_subr.c =================================================================== RCS file: /cvs/src/sys/dev/usb/usb_subr.c,v retrieving revision 1.129 diff -u -p -r1.129 usb_subr.c --- usb_subr.c 18 Sep 2016 09:51:24 -0000 1.129 +++ usb_subr.c 19 Sep 2016 09:42:58 -0000 @@ -1175,8 +1175,12 @@ usbd_new_device(struct device *parent, s } mps = dd->bMaxPacketSize; - if (speed == USB_SPEED_SUPER && mps == 0xff) - mps = 512; + if (speed == USB_SPEED_SUPER) { + if (mps == 0xff) + mps = 9; + /* xHCI Section 4.8.2.1 */ + mps = (1 << mps); + } if (mps != mps0) { if ((speed == USB_SPEED_LOW) ||
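
Review bot: The shift exponent in `mps = (1 << mps);` is still the raw descriptor byte from `mps = dd->bMaxPacketSize;`, and only 0xff is special-cased before it is used. Any other value a SuperSpeed device reports, up to 0xfe, is shifted as-is, and a shift count at or above the width of int is undefined behaviour in C, so the result that reaches the `mps != mps0` comparison is not something the code can rely on. Since the point of this series is to stop trusting the descriptor, bound the exponent before shifting, for example by treating anything other than 9 (after the 0xff mapping) as an invalid descriptor and failing the attach, rather than depending on the later comparison to catch it. A short comment on why 0xff is mapped to 9 would also help the next reader, since the xHCI reference in the comment sits next to the shift and not next to that special case.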