Bug Summary

File: dev/usb/usb_subr.c
Warning: line 975, column 30
Array access (via field 'subdevs') results in a null pointer dereference

Annotated Source Code


clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name usb_subr.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -ffreestanding -mcmodel=kernel -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -target-feature -sse2 -target-feature -sse -target-feature -3dnow -target-feature -mmx -target-feature +save-args -disable-red-zone -no-implicit-float -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -nostdsysteminc -nobuiltininc -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/sys -I /usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -I /usr/src/sys/arch -I /usr/src/sys/dev/pci/drm/include -I /usr/src/sys/dev/pci/drm/include/uapi -I /usr/src/sys/dev/pci/drm/amd/include/asic_reg -I /usr/src/sys/dev/pci/drm/amd/include -I /usr/src/sys/dev/pci/drm/amd/amdgpu -I /usr/src/sys/dev/pci/drm/amd/display -I /usr/src/sys/dev/pci/drm/amd/display/include -I /usr/src/sys/dev/pci/drm/amd/display/dc -I /usr/src/sys/dev/pci/drm/amd/display/amdgpu_dm -I /usr/src/sys/dev/pci/drm/amd/pm/inc -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu11 -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu12 -I 
/usr/src/sys/dev/pci/drm/amd/pm/powerplay -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/hwmgr -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/smumgr -I /usr/src/sys/dev/pci/drm/amd/display/dc/inc -I /usr/src/sys/dev/pci/drm/amd/display/dc/inc/hw -I /usr/src/sys/dev/pci/drm/amd/display/dc/clk_mgr -I /usr/src/sys/dev/pci/drm/amd/display/modules/inc -I /usr/src/sys/dev/pci/drm/amd/display/modules/hdcp -I /usr/src/sys/dev/pci/drm/amd/display/dmub/inc -I /usr/src/sys/dev/pci/drm/i915 -D DDB -D DIAGNOSTIC -D KTRACE -D ACCOUNTING -D KMEMSTATS -D PTRACE -D POOL_DEBUG -D CRYPTO -D SYSVMSG -D SYSVSEM -D SYSVSHM -D UVM_SWAP_ENCRYPT -D FFS -D FFS2 -D FFS_SOFTUPDATES -D UFS_DIRHASH -D QUOTA -D EXT2FS -D MFS -D NFSCLIENT -D NFSSERVER -D CD9660 -D UDF -D MSDOSFS -D FIFO -D FUSE -D SOCKET_SPLICE -D TCP_ECN -D TCP_SIGNATURE -D INET6 -D IPSEC -D PPP_BSDCOMP -D PPP_DEFLATE -D PIPEX -D MROUTING -D MPLS -D BOOT_CONFIG -D USER_PCICONF -D APERTURE -D MTRR -D NTFS -D HIBERNATE -D PCIVERBOSE -D USBVERBOSE -D WSDISPLAY_COMPAT_USL -D WSDISPLAY_COMPAT_RAWKBD -D WSDISPLAY_DEFAULTSCREENS=6 -D X86EMU -D ONEWIREVERBOSE -D MULTIPROCESSOR -D MAXUSERS=80 -D _KERNEL -D CONFIG_DRM_AMD_DC_DCN3_0 -O2 -Wno-pointer-sign -Wno-address-of-packed-member -Wno-constant-conversion -Wno-unused-but-set-variable -Wno-gnu-folding-constant -fdebug-compilation-dir=/usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -o /usr/obj/sys/arch/amd64/compile/GENERIC.MP/scan-build/2022-01-12-131800-47421-1 -x c /usr/src/sys/dev/usb/usb_subr.c
1/* $OpenBSD: usb_subr.c,v 1.157 2022/01/09 05:43:02 jsg Exp $ */
2/* $NetBSD: usb_subr.c,v 1.103 2003/01/10 11:19:13 augustss Exp $ */
3/* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */
4
5/*
6 * Copyright (c) 1998 The NetBSD Foundation, Inc.
7 * All rights reserved.
8 *
9 * This code is derived from software contributed to The NetBSD Foundation
10 * by Lennart Augustsson (lennart@augustsson.net) at
11 * Carlstedt Research & Technology.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
23 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
24 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
25 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
26 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
27 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
28 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
29 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
30 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
33 */
34
35#include <sys/param.h>
36#include <sys/systm.h>
37#include <sys/kernel.h>
38#include <sys/malloc.h>
39#include <sys/device.h>
40#include <sys/selinfo.h>
41#include <sys/rwlock.h>
42
43#include <machine/bus.h>
44
45#include <dev/usb/usb.h>
46
47#include <dev/usb/usbdi.h>
48#include <dev/usb/usbdi_util.h>
49#include <dev/usb/usbdivar.h>
50#include <dev/usb/usbdevs.h>
51#include <dev/usb/usb_quirks.h>
52
53#ifdef USB_DEBUG
54#define DPRINTF(x) do { if (usbdebug) printf x; } while (0)
55#define DPRINTFN(n,x) do { if (usbdebug>(n)) printf x; } while (0)
56extern int usbdebug;
57#else
58#define DPRINTF(x)
59#define DPRINTFN(n,x)
60#endif
61
62usbd_status usbd_set_config(struct usbd_device *, int);
63void usbd_devinfo(struct usbd_device *, int, char *, size_t);
64char *usbd_get_string(struct usbd_device *, int, char *, size_t);
65int usbd_getnewaddr(struct usbd_bus *);
66int usbd_print(void *, const char *);
67void usbd_free_iface_data(struct usbd_device *, int);
68int usbd_cache_devinfo(struct usbd_device *);
69usbd_status usbd_probe_and_attach(struct device *,
70 struct usbd_device *, int, int);
71
72int usbd_printBCD(char *cp, size_t len, int bcd);
73void usb_free_device(struct usbd_device *);
74int usbd_parse_idesc(struct usbd_device *, struct usbd_interface *);
75
76#ifdef USBVERBOSE1
77#include <dev/usb/usbdevs_data.h>
78#endif /* USBVERBOSE */
79
/*
 * Printable names for usbd_status codes.  usbd_errstr() indexes this table
 * directly with the status value, so the entry order has to match the
 * numeric order of the codes.
 * NOTE(review): "XXX" is presumably the slot for the enum's end marker --
 * confirm against the usbd_status definition, which is not part of this file.
 */
80const char * const usbd_error_strs[] = {
81 "NORMAL_COMPLETION",
82 "IN_PROGRESS",
83 "PENDING_REQUESTS",
84 "NOT_STARTED",
85 "INVAL",
86 "NOMEM",
87 "CANCELLED",
88 "BAD_ADDRESS",
89 "IN_USE",
90 "NO_ADDR",
91 "SET_ADDR_FAILED",
92 "NO_POWER",
93 "TOO_DEEP",
94 "IOERROR",
95 "NOT_CONFIGURED",
96 "TIMEOUT",
97 "SHORT_XFER",
98 "STALLED",
99 "INTERRUPTED",
100 "XXX",
101};
102
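/*
 * Translate a usbd_status code into a printable string.
 *
 * Codes below USBD_ERROR_MAX are looked up in usbd_error_strs[].  Any other
 * value is formatted as a decimal number into a static buffer, so that
 * result is overwritten by the next out-of-range call and must not be kept
 * across calls.
 */
const char *
usbd_errstr(usbd_status err)
{
	/*
	 * Room for any 32-bit int printed with "%d" (sign, ten digits, NUL).
	 * The previous five-byte buffer silently truncated values above 9999.
	 */
	static char buffer[sizeof("-2147483648")];

	/*
	 * Compare as unsigned so that a negative code can never be used as a
	 * table index, whatever underlying type the compiler picks for the
	 * usbd_status enum.
	 */
	if ((unsigned int)err < (unsigned int)USBD_ERROR_MAX)
		return (usbd_error_strs[err]);

	snprintf(buffer, sizeof(buffer), "%d", err);
	return (buffer);
}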
115
/*
 * Read string descriptor `sindex` for language `langid` into *sdesc.
 *
 * The device is queried twice: first for two bytes (bLength and
 * bDescriptorType), then for the bLength bytes it announced.  Both requests
 * pass USBD_SHORT_XFER_OK and USBD_DEFAULT_TIMEOUT (0x04 and 5000 in the
 * analysed build).
 *
 * On success *sizep receives the byte count actually delivered by the
 * second transfer.  That count may differ from sdesc->bLength (only a debug
 * message records the mismatch), so callers should bound their parsing by
 * *sizep rather than by the length field the device supplied.
 *
 * Returns USBD_NORMAL_COMPLETION, USBD_SHORT_XFER when the first transfer
 * yields fewer than two bytes, or the error from usbd_do_request_flags().
 */
usbd_status
usbd_get_string_desc(struct usbd_device *dev, int sindex, int langid,
    usb_string_descriptor_t *sdesc, int *sizep)
{
	usb_device_request_t req;
	usbd_status status;
	int got;

	req.bmRequestType = UT_READ_DEVICE;
	req.bRequest = UR_GET_DESCRIPTOR;
	USETW2(req.wValue, UDESC_STRING, sindex);
	USETW(req.wIndex, langid);

	/* Pass 1: size and descriptor type only. */
	USETW(req.wLength, 2);
	status = usbd_do_request_flags(dev, &req, sdesc, USBD_SHORT_XFER_OK,
	    &got, USBD_DEFAULT_TIMEOUT);
	if (status != 0)
		return (status);
	if (got < 2)
		return (USBD_SHORT_XFER);

	/* Pass 2: the whole string, using the length the device reported. */
	USETW(req.wLength, sdesc->bLength);
	status = usbd_do_request_flags(dev, &req, sdesc, USBD_SHORT_XFER_OK,
	    &got, USBD_DEFAULT_TIMEOUT);
	if (status != 0)
		return (status);

	if (got != sdesc->bLength) {
		DPRINTFN(-1, ("%s: expected %d, got %d\n", __func__,
		    sdesc->bLength, got));
	}

	*sizep = got;
	return (USBD_NORMAL_COMPLETION);
}
151
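/*
 * Fetch string descriptor `si` from the device and store it in `buf` as a
 * NUL-terminated byte string of at most buflen bytes (terminator included).
 *
 * Each 16-bit unit whose high byte is zero is copied as one byte.  A unit
 * whose low byte is zero is copied from its high byte when the device has
 * the UQ_SWAP_UNICODE quirk.  Everything else becomes '?'.
 *
 * Returns buf on success, or NULL when si is 0, when the device has the
 * UQ_NO_STRINGS quirk, or when the descriptor request fails.  The string
 * comes from the attached device and must be treated as untrusted input.
 *
 * Fix over the analysed revision: the copy loop used to stop at
 * `i < buflen`, so a string of buflen or more characters filled the whole
 * buffer and the terminator was then written one byte past its end.  The
 * loop now always leaves room for the NUL.  Callers that pass
 * USB_MAX_STRING_LEN see no change in output.
 */
char *
usbd_get_string(struct usbd_device *dev, int si, char *buf, size_t buflen)
{
	int swap = dev->quirks->uq_flags & UQ_SWAP_UNICODE;
	usb_string_descriptor_t us;
	/* Number of 16-bit units that us.bString can hold. */
	const int maxchars = (int)(sizeof(us.bString) / sizeof(us.bString[0]));
	char *s;
	int i, n;
	u_int16_t c;
	usbd_status err;
	int size;

	/* analyzer path 45-46: assumes si != 0, so this branch is not taken */
	if (si == 0)
		return (NULL);
	/*
	 * analyzer path 47-49: assumes UQ_NO_STRINGS is set and returns here,
	 * "without writing to 'dev->subdevs'".
	 */
	if (dev->quirks->uq_flags & UQ_NO_STRINGS)
		return (NULL);
	if (dev->langid == USBD_NOLANG) {
		/* Set up default language */
		err = usbd_get_string_desc(dev, USB_LANGUAGE_TABLE, 0, &us,
		    &size);
		if (err || size < 4)
			dev->langid = 0; /* Well, just pick English then */
		else {
			/* Pick the first language as the default. */
			dev->langid = UGETW(us.bString[0]);
		}
	}
	err = usbd_get_string_desc(dev, si, dev->langid, &us, &size);
	if (err)
		return (NULL);
	s = buf;
	/* size counts bytes including the two-byte descriptor header. */
	n = size / 2 - 1;
	/*
	 * Defensive clamp: never index past us.bString even if the transfer
	 * layer were to report more bytes than the descriptor can hold.
	 */
	if (n > maxchars)
		n = maxchars;
	for (i = 0; i < n && (size_t)i + 1 < buflen; i++) {
		c = UGETW(us.bString[i]);
		/* Convert from Unicode, handle buggy strings. */
		if ((c & 0xff00) == 0)
			*s++ = c;
		else if ((c & 0x00ff) == 0 && swap)
			*s++ = c >> 8;
		else
			*s++ = '?';
	}
	if (buflen > 0)
		*s++ = 0;
	return (buf);
}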
197
/*
 * Strip leading and trailing ' ' characters from the string at p, in place.
 * Interior spaces are kept.  A NULL pointer is accepted and ignored.
 */
static void
usbd_trim_spaces(char *p)
{
	char *src, *dst, *last;

	if (p == NULL)
		return;

	/* Skip leading spaces. */
	for (src = p; *src == ' '; src++)
		continue;

	/* Copy down, remembering the position just after the last non-space. */
	last = dst = p;
	for (;;) {
		char ch = *src++;

		*dst = ch;
		if (ch == '\0')
			break;
		dst++;
		if (ch != ' ')
			last = dst;
	}

	/* Cut off whatever trailing spaces were copied. */
	*last = '\0';
}
213
/*
 * Allocate dev->serial, dev->vendor and dev->product (USB_MAX_STRING_LEN
 * bytes each, M_NOWAIT) and fill them from the string descriptors named by
 * iSerialNumber, iManufacturer and iProduct in the device descriptor.
 *
 * Returns 0 on success or ENOMEM when one of the allocations fails.
 * A missing serial string frees the buffer and leaves dev->serial NULL.
 * A missing vendor or product string is replaced by a usb_known_vendors /
 * usb_known_products entry when USBVERBOSE is defined and an entry matches,
 * and otherwise by a "vendor 0x%04x" / "product 0x%04x" placeholder.
 *
 * NOTE(review): on an ENOMEM return the buffers allocated earlier in this
 * call stay attached to dev; presumably the caller releases them -- confirm.
 * The strings come from the attached device and are untrusted.
 *
 * The unnumbered lines inside the body are the static analyzer's path notes
 * (steps 36-54 of the reported path), kept as the report printed them.
 */
214int
215usbd_cache_devinfo(struct usbd_device *dev)
216{
217 usb_device_descriptor_t *udd = &dev->ddesc;
218
219 dev->serial = malloc(USB_MAX_STRING_LEN127, M_USB101, M_NOWAIT0x0002);
220 if (dev->serial == NULL((void *)0))
36
Assuming field 'serial' is not equal to NULL
37
Taking false branch
221 return (ENOMEM12);
222
223 if (usbd_get_string(dev, udd->iSerialNumber, dev->serial, USB_MAX_STRING_LEN127) != NULL((void *)0)) {
38
Taking false branch
224 usbd_trim_spaces(dev->serial);
225 } else {
/* No serial string: release the buffer so dev->serial reads as "absent". */
226 free(dev->serial, M_USB101, USB_MAX_STRING_LEN127);
227 dev->serial = NULL((void *)0);
228 }
229
230 dev->vendor = malloc(USB_MAX_STRING_LEN127, M_USB101, M_NOWAIT0x0002);
231 if (dev->vendor == NULL((void *)0))
39
Assuming field 'vendor' is not equal to NULL
40
Taking false branch
232 return (ENOMEM12);
233
234 if (usbd_get_string(dev, udd->iManufacturer, dev->vendor, USB_MAX_STRING_LEN127) != NULL((void *)0)) {
41
Taking true branch
235 usbd_trim_spaces(dev->vendor);
236 } else {
237#ifdef USBVERBOSE1
238 const struct usb_known_vendor *ukv;
239
240 for (ukv = usb_known_vendors; ukv->vendorname != NULL((void *)0); ukv++) {
241 if (ukv->vendor == UGETW(udd->idVendor)(*(u_int16_t *)(udd->idVendor))) {
242 strlcpy(dev->vendor, ukv->vendorname,
243 USB_MAX_STRING_LEN127);
244 break;
245 }
246 }
/*
 * With USBVERBOSE the `if` below guards the snprintf() that follows the
 * #endif; without USBVERBOSE that snprintf() runs unconditionally.
 */
247 if (ukv->vendorname == NULL((void *)0))
248#endif
249 snprintf(dev->vendor, USB_MAX_STRING_LEN127, "vendor 0x%04x",
250 UGETW(udd->idVendor)(*(u_int16_t *)(udd->idVendor)));
251 }
252
253 dev->product = malloc(USB_MAX_STRING_LEN127, M_USB101, M_NOWAIT0x0002);
254 if (dev->product == NULL((void *)0))
42
Assuming field 'product' is not equal to NULL
43
Taking false branch
255 return (ENOMEM12);
256
257 if (usbd_get_string(dev, udd->iProduct, dev->product, USB_MAX_STRING_LEN127) != NULL((void *)0)) {
44
Calling 'usbd_get_string'
50
Returning from 'usbd_get_string'
51
Taking false branch
258 usbd_trim_spaces(dev->product);
259 } else {
260#ifdef USBVERBOSE1
261 const struct usb_known_product *ukp;
262
263 for (ukp = usb_known_products; ukp->productname != NULL((void *)0); ukp++) {
52
Assuming field 'productname' is equal to NULL
53
Loop condition is false. Execution continues on line 271
264 if (ukp->vendor == UGETW(udd->idVendor)(*(u_int16_t *)(udd->idVendor)) &&
265 (ukp->product == UGETW(udd->idProduct)(*(u_int16_t *)(udd->idProduct)))) {
266 strlcpy(dev->product, ukp->productname,
267 USB_MAX_STRING_LEN127);
268 break;
269 }
270 }
/* Same construction as for the vendor: the `if` guards the snprintf() after #endif. */
271 if (ukp->productname
53.1
Field 'productname' is equal to NULL
== NULL((void *)0))
54
Taking true branch
272#endif
273 snprintf(dev->product, USB_MAX_STRING_LEN127, "product 0x%04x",
274 UGETW(udd->idProduct)(*(u_int16_t *)(udd->idProduct)));
275 }
276
277 return (0);
278}
279
/*
 * Format a BCD-coded version number as "<high byte in hex>.<low byte as
 * two hex digits>" into cp, writing at most len bytes including the NUL.
 *
 * Returns the number of characters stored, not counting the terminator:
 * 0 when len is 0 or snprintf() reports -1, len - 1 when the text was
 * truncated, and the full length otherwise.
 */
int
usbd_printBCD(char *cp, size_t len, int bcd)
{
	int major = bcd >> 8;
	int minor = bcd & 0xff;
	int written;

	written = snprintf(cp, len, "%x.%02x", major, minor);
	if (len == 0 || written == -1)
		return (0);

	/* snprintf() reports the untruncated length; clamp to what fits. */
	if (written >= len)
		return len - 1;
	return (written);
}
292
/*
 * Build a one-line description of the device in base[0..len):
 *   "<vendor> <product>"[, class C/S] rev <bcdUSB>/<bcdDevice> addr N
 * The class part is included only when showclass is non-zero.
 *
 * Every piece is appended with snprintf() bounded by the space left before
 * base + len, so a long vendor or product string truncates the output
 * instead of overrunning the buffer.
 * NOTE(review): the strlen() after the first snprintf() relies on len > 0;
 * confirm that no caller passes an empty buffer.
 */
void
usbd_devinfo(struct usbd_device *dev, int showclass, char *base, size_t len)
{
	usb_device_descriptor_t *udd = &dev->ddesc;
	char *const limit = base + len;
	char *cp = base;
	int bcdDevice, bcdUSB;

	/* Vendor and product strings, in double quotes. */
	snprintf(cp, len, "\"%s %s\"", dev->vendor, dev->product);
	cp += strlen(cp);

	if (showclass) {
		snprintf(cp, limit - cp, ", class %d/%d",
		    udd->bDeviceClass, udd->bDeviceSubClass);
		cp += strlen(cp);
	}

	bcdUSB = UGETW(udd->bcdUSB);
	bcdDevice = UGETW(udd->bcdDevice);

	/* " rev <usb>/<device>" */
	snprintf(cp, limit - cp, " rev ");
	cp += strlen(cp);
	usbd_printBCD(cp, limit - cp, bcdUSB);
	cp += strlen(cp);
	snprintf(cp, limit - cp, "/");
	cp += strlen(cp);
	usbd_printBCD(cp, limit - cp, bcdDevice);
	cp += strlen(cp);

	snprintf(cp, limit - cp, " addr %d", dev->address);
}
319
/*
 * Delay for a certain number of ms.
 *
 * When the bus is in polling mode or the global `cold` is set, delay() is
 * called with (ms + 1) * 1000.  Otherwise tsleep_nsec() is called on a
 * private wait channel with the interval converted by MSEC_TO_NSEC().
 */
void
usb_delay_ms(struct usbd_bus *bus, u_int ms)
{
	static int usb_delay_wchan;

	if (!bus->use_polling && !cold) {
		tsleep_nsec(&usb_delay_wchan, PRIBIO, "usbdly",
		    MSEC_TO_NSEC(ms));
		return;
	}

	delay((ms + 1) * 1000);
}
332
/*
 * Delay given a device handle.
 * Returns immediately, without waiting, when usbd_is_dying() reports that
 * the device is going away.
 */
void
usbd_delay_ms(struct usbd_device *dev, u_int ms)
{
	if (!usbd_is_dying(dev))
		usb_delay_ms(dev->bus, ms);
}
342
/*
 * Set the UHF_PORT_DISOWN_TO_1_1 feature on `port` and poll the port status
 * until the reset-change bit appears.
 *
 * The status is polled up to ten times, USB_PORT_RESET_DELAY (50 in the
 * analysed build) apart.  Returns the error from setting the feature or
 * from reading the status, USBD_NORMAL_COMPLETION when the device is no
 * longer connected, and USBD_TIMEOUT when all ten polls pass without the
 * UPS_C_PORT_RESET bit being set.
 */
usbd_status
usbd_port_disown_to_1_1(struct usbd_device *dev, int port)
{
	usb_port_status_t ps;
	usbd_status err;
	int tries;

	err = usbd_set_port_feature(dev, port, UHF_PORT_DISOWN_TO_1_1);
	DPRINTF(("%s: port %d disown request done, error=%s\n", __func__,
	    port, usbd_errstr(err)));
	if (err)
		return (err);

	for (tries = 10;;) {
		/* Wait for device to recover from reset. */
		usbd_delay_ms(dev, USB_PORT_RESET_DELAY);
		err = usbd_get_port_status(dev, port, &ps);
		if (err) {
			DPRINTF(("%s: get status failed %d\n", __func__, err));
			return (err);
		}
		/* If the device disappeared, just give up. */
		if (!(UGETW(ps.wPortStatus) & UPS_CURRENT_CONNECT_STATUS))
			return (USBD_NORMAL_COMPLETION);
		/* Reset change seen: done, and the counter stays untouched. */
		if ((UGETW(ps.wPortChange) & UPS_C_PORT_RESET) != 0)
			break;
		if (--tries <= 0)
			break;
	}
	if (tries == 0)
		return (USBD_TIMEOUT);

	return (err);
}
373
/*
 * Reset `port` on hub `dev` and wait for the reset to complete.
 *
 * The port status is polled up to ten times, USB_PORT_RESET_DELAY apart.
 * The reset-change feature is cleared even when the polls run out.
 *
 * Returns 0 on success or when the device disappeared during the reset,
 * EIO when a port request fails, and ETIMEDOUT when the reset-change bit
 * never showed up.
 */
int
usbd_reset_port(struct usbd_device *dev, int port)
{
	usb_port_status_t ps;
	int tries;

	if (usbd_set_port_feature(dev, port, UHF_PORT_RESET))
		return (EIO);
	DPRINTF(("%s: port %d reset done\n", __func__, port));

	for (tries = 10;;) {
		/* Wait for device to recover from reset. */
		usbd_delay_ms(dev, USB_PORT_RESET_DELAY);
		if (usbd_get_port_status(dev, port, &ps)) {
			DPRINTF(("%s: get status failed\n", __func__));
			return (EIO);
		}
		/* If the device disappeared, just give up. */
		if (!(UGETW(ps.wPortStatus) & UPS_CURRENT_CONNECT_STATUS))
			return (0);
		/* Reset change seen: leave the loop with the counter intact. */
		if ((UGETW(ps.wPortChange) & UPS_C_PORT_RESET) != 0)
			break;
		if (--tries <= 0)
			break;
	}

	/* Clear port reset even if a timeout occurred. */
	if (usbd_clear_port_feature(dev, port, UHF_C_PORT_RESET)) {
		DPRINTF(("%s: clear port feature failed\n", __func__));
		return (EIO);
	}

	if (tries == 0)
		return (ETIMEDOUT);

	/* Wait for the device to recover from reset. */
	usbd_delay_ms(dev, USB_PORT_RESET_RECOVERY);
	return (0);
}
409
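/*
 * Walk the configuration descriptor `cd` and return the interface
 * descriptor for interface index `ifaceno`, alternate-setting index
 * `altno`, or NULL when there is none.
 *
 * Both indices count descriptors in order of appearance: the interface
 * index advances whenever bInterfaceNumber differs from the previous
 * interface descriptor, and the alternate index counts repeats of the same
 * bInterfaceNumber.  The walk is bounded by cd->wTotalLength.
 *
 * The descriptor bytes come from the attached device, so every length is
 * checked before the fields behind it are read.  Two checks are new
 * compared with the analysed revision:
 *  - at least two bytes (bLength, bDescriptorType) must remain before a
 *    header is read;
 *  - an interface descriptor shorter than the fixed structure ends the
 *    search, because bInterfaceNumber here and the fields callers read from
 *    the returned pointer would otherwise lie outside the descriptor.
 * NOTE(review): this assumes the caller allocated at least wTotalLength
 * bytes for cd -- confirm at the point where the descriptor is fetched.
 */
usb_interface_descriptor_t *
usbd_find_idesc(usb_config_descriptor_t *cd, int ifaceno, int altno)
{
	char *p = (char *)cd;
	char *end = p + UGETW(cd->wTotalLength);
	usb_interface_descriptor_t *d;
	int curidx, lastidx, curaidx = 0;

	for (curidx = lastidx = -1; p < end; ) {
		/* The two-byte descriptor header must fit before end. */
		if (end - p < 2)
			break;
		d = (usb_interface_descriptor_t *)p;
		DPRINTFN(4,("usbd_find_idesc: ifaceno=%d(%d) altno=%d(%d) "
			    "len=%d type=%d\n",
			    ifaceno, curidx, altno, curaidx,
			    d->bLength, d->bDescriptorType));
		if (d->bLength == 0) /* bad descriptor */
			break;
		p += d->bLength;
		if (p <= end && d->bDescriptorType == UDESC_INTERFACE) {
			/* Truncated interface descriptor: stop parsing. */
			if (d->bLength < sizeof(*d))
				break;
			if (d->bInterfaceNumber != lastidx) {
				lastidx = d->bInterfaceNumber;
				curidx++;
				curaidx = 0;
			} else
				curaidx++;
			if (ifaceno == curidx && altno == curaidx)
				return (d);
		}
	}
	return (NULL);
}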
440
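/*
 * Return the endpoint descriptor with index `endptidx` that belongs to
 * interface index `ifaceno`, alternate setting `altno`, inside the
 * configuration descriptor `cd`, or NULL when it cannot be found.
 *
 * The search starts right after the interface descriptor located by
 * usbd_find_idesc() and stops at the next interface descriptor, at a
 * zero-length descriptor, or at cd->wTotalLength.
 *
 * The descriptor bytes come from the attached device.  Two checks are new
 * compared with the analysed revision: the two-byte header must fit before
 * the end of the buffer, and an endpoint descriptor shorter than the fixed
 * structure ends the search instead of being counted or returned.
 */
usb_endpoint_descriptor_t *
usbd_find_edesc(usb_config_descriptor_t *cd, int ifaceno, int altno,
    int endptidx)
{
	char *p = (char *)cd;
	char *end = p + UGETW(cd->wTotalLength);
	usb_interface_descriptor_t *d;
	usb_endpoint_descriptor_t *e;
	int curidx;

	d = usbd_find_idesc(cd, ifaceno, altno);
	if (d == NULL)
		return (NULL);
	if (endptidx >= d->bNumEndpoints) /* quick exit */
		return (NULL);

	curidx = -1;
	for (p = (char *)d + d->bLength; p < end; ) {
		/* bLength and bDescriptorType must both lie before end. */
		if (end - p < 2)
			break;
		e = (usb_endpoint_descriptor_t *)p;
		if (e->bLength == 0) /* bad descriptor */
			break;
		p += e->bLength;
		/* Reaching the next interface means the endpoint is absent. */
		if (p <= end && e->bDescriptorType == UDESC_INTERFACE)
			return (NULL);
		if (p <= end && e->bDescriptorType == UDESC_ENDPOINT) {
			/* Truncated endpoint descriptor: stop parsing. */
			if (e->bLength < sizeof(*e))
				break;
			curidx++;
			if (curidx == endptidx)
				return (e);
		}
	}
	return (NULL);
}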
473
/*
 * Initialise dev->ifaces[ifaceno] for alternate setting `altno`: look up
 * the interface descriptor, reset the interface bookkeeping, allocate a
 * zeroed endpoint array and let usbd_parse_idesc() fill it in.
 *
 * Returns USBD_NORMAL_COMPLETION, USBD_INVAL when the descriptor is missing
 * or its endpoints do not parse, or USBD_NOMEM when the endpoint array
 * cannot be allocated.  On USBD_INVAL after parsing, the endpoint array is
 * freed and the pointer cleared.
 * NOTE(review): ifaceno is used as an index into dev->ifaces without a
 * range check here; presumably callers stay below bNumInterfaces -- confirm.
 */
usbd_status
usbd_fill_iface_data(struct usbd_device *dev, int ifaceno, int altno)
{
	struct usbd_interface *iface_slot = &dev->ifaces[ifaceno];
	usb_interface_descriptor_t *idesc;
	int count;

	DPRINTFN(4,("%s: ifaceno=%d altno=%d\n", __func__, ifaceno, altno));

	idesc = usbd_find_idesc(dev->cdesc, ifaceno, altno);
	if (idesc == NULL)
		return (USBD_INVAL);

	/* The endpoint count is taken from the device-supplied descriptor. */
	count = idesc->bNumEndpoints;
	DPRINTFN(4,("%s: found idesc nendpt=%d\n", __func__, count));

	iface_slot->device = dev;
	iface_slot->idesc = idesc;
	iface_slot->index = ifaceno;
	iface_slot->altindex = altno;
	iface_slot->nendpt = count;
	iface_slot->priv = NULL;
	LIST_INIT(&iface_slot->pipes);
	iface_slot->endpoints = NULL;

	if (count != 0) {
		iface_slot->endpoints = mallocarray(count,
		    sizeof(*iface_slot->endpoints), M_USB, M_NOWAIT | M_ZERO);
		if (iface_slot->endpoints == NULL)
			return (USBD_NOMEM);
	}

	if (usbd_parse_idesc(dev, iface_slot) == 0)
		return (USBD_NORMAL_COMPLETION);

	/* Parsing failed: drop the endpoint array again. */
	free(iface_slot->endpoints, M_USB,
	    count * sizeof(*iface_slot->endpoints));
	iface_slot->endpoints = NULL;
	return (USBD_INVAL);
}
514
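/*
 * Fill ifc->endpoints[] with pointers to the endpoint descriptors that
 * follow ifc->idesc inside dev->cdesc.
 *
 * For each of the bNumEndpoints expected endpoints the descriptor list is
 * scanned forward to the next endpoint descriptor.  Returns 0 on success
 * and -1 when a zero-length descriptor, the next interface descriptor or
 * the end of the configuration descriptor is reached first.
 *
 * On high-speed devices the wMaxPacketSize of control and bulk endpoints is
 * overwritten in place when it differs from the fixed value
 * (USB_2_MAX_CTRL_PACKET / USB_2_MAX_BULK_PACKET, 64 and 512 in the
 * analysed build).
 *
 * The descriptor bytes come from the attached device.  Two checks are new
 * compared with the analysed revision:
 *  - the two-byte header must fit before `end` before it is read;
 *  - an endpoint descriptor shorter than the fixed structure is rejected,
 *    because the bmAttributes read and the wMaxPacketSize fix-up below
 *    would otherwise touch bytes that are not part of the descriptor.
 */
int
usbd_parse_idesc(struct usbd_device *dev, struct usbd_interface *ifc)
{
#define ed ((usb_endpoint_descriptor_t *)p)
	char *p, *end;
	int i;

	p = (char *)ifc->idesc + ifc->idesc->bLength;
	end = (char *)dev->cdesc + UGETW(dev->cdesc->wTotalLength);

	for (i = 0; i < ifc->idesc->bNumEndpoints; i++) {
		for (; p < end; p += ed->bLength) {
			/* bLength and bDescriptorType must lie before end. */
			if (end - p < 2)
				return (-1);

			if (ed->bLength <= end - p && ed->bLength != 0 &&
			    ed->bDescriptorType == UDESC_ENDPOINT)
				break;

			if (ed->bLength == 0 ||
			    ed->bDescriptorType == UDESC_INTERFACE)
				return (-1);
		}

		if (p >= end)
			return (-1);

		/* Truncated endpoint descriptor: do not read or patch it. */
		if (ed->bLength < sizeof(usb_endpoint_descriptor_t))
			return (-1);

		if (dev->speed == USB_SPEED_HIGH) {
			unsigned int mps;

			/* Control and bulk endpoints have max packet limits. */
			switch (UE_GET_XFERTYPE(ed->bmAttributes)) {
			case UE_CONTROL:
				mps = USB_2_MAX_CTRL_PACKET;
				goto check;
			case UE_BULK:
				mps = USB_2_MAX_BULK_PACKET;
			check:
				if (UGETW(ed->wMaxPacketSize) != mps) {
					USETW(ed->wMaxPacketSize, mps);
					DPRINTF(("%s: bad max packet size\n",
					    __func__));
				}
				break;
			default:
				break;
			}
		}

		ifc->endpoints[i].edesc = ed;
		ifc->endpoints[i].refcnt = 0;
		ifc->endpoints[i].savedtoggle = 0;
		p += ed->bLength;
	}

	return (0);
#undef ed
}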
570
/*
 * Release the endpoint array of dev->ifaces[ifcno] and clear the pointer so
 * that a repeated call frees nothing.  The size handed to free() is
 * recomputed from the interface's stored endpoint count.
 */
void
usbd_free_iface_data(struct usbd_device *dev, int ifcno)
{
	struct usbd_interface *iface_slot = &dev->ifaces[ifcno];
	size_t nbytes = iface_slot->nendpt * sizeof(*iface_slot->endpoints);

	free(iface_slot->endpoints, M_USB, nbytes);
	iface_slot->endpoints = NULL;
}
579
/*
 * Send a SET_CONFIGURATION request (UR_SET_CONFIG, 0x09 in the analysed
 * build) that selects configuration value `conf`.  The request carries no
 * data stage.  Returns the status of usbd_do_request().
 */
usbd_status
usbd_set_config(struct usbd_device *dev, int conf)
{
	usb_device_request_t req;
	usbd_status status;

	req.bmRequestType = UT_WRITE_DEVICE;
	req.bRequest = UR_SET_CONFIG;
	USETW(req.wValue, conf);
	USETW(req.wIndex, 0);
	USETW(req.wLength, 0);

	status = usbd_do_request(dev, &req, NULL);
	return (status);
}
592
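/*
 * Select the configuration whose bConfigurationValue equals `no`.
 *
 * The short configuration descriptor of every index is read until one
 * matches, and that index is handed to usbd_set_config_index().  `msg` is
 * passed through unchanged.
 *
 * Returns the result of usbd_set_config_index(), the error from
 * usbd_get_desc(), or USBD_INVAL when no configuration matches or when a
 * descriptor has the wrong type.
 *
 * Fix over the analysed revision: a descriptor that was read successfully
 * but did not carry the UDESC_CONFIG type was reported with `return (err)`
 * while err was zero, so the caller saw success although nothing had been
 * configured.  It is now reported as USBD_INVAL, the value
 * usbd_set_config_index() uses for the same condition.
 */
usbd_status
usbd_set_config_no(struct usbd_device *dev, int no, int msg)
{
	int index;
	usb_config_descriptor_t cd;
	usbd_status err;

	DPRINTFN(5,("%s: %d\n", __func__, no));
	/* Figure out what config index to use. */
	for (index = 0; index < dev->ddesc.bNumConfigurations; index++) {
		err = usbd_get_desc(dev, UDESC_CONFIG, index,
		    USB_CONFIG_DESCRIPTOR_SIZE, &cd);
		if (err)
			return (err);
		/* Device answered with something that is not a config. */
		if (cd.bDescriptorType != UDESC_CONFIG)
			return (USBD_INVAL);
		if (cd.bConfigurationValue == no)
			return (usbd_set_config_index(dev, index, msg));
	}
	return (USBD_INVAL);
}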
612
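/*
 * Make configuration index `index` the active configuration of `dev`.
 *
 * Any previous configuration is torn down first.  With USB_UNCONFIG_INDEX
 * the device is only unconfigured.  Otherwise the short descriptor is read
 * to learn wTotalLength, the full descriptor is fetched (up to three
 * attempts, 200 ms apart), the power budget is checked against
 * dev->powersrc, the configuration is set on the device and dev->ifaces is
 * allocated and filled.  `msg` enables the console message printed when the
 * power budget is exceeded.
 *
 * Returns USBD_NORMAL_COMPLETION or a usbd_status error.  On the `bad`
 * path the freshly fetched descriptor is freed.  When
 * usbd_fill_iface_data() fails, the descriptor and interface array stay
 * attached to dev and are released by the next call.
 *
 * The descriptor content comes from the attached device.  Two checks are
 * new compared with the analysed revision:
 *  - wTotalLength from the short descriptor must cover at least the fixed
 *    configuration header, because the header fields are read from the
 *    allocation sized by it;
 *  - wTotalLength in the full descriptor must equal the length that was
 *    allocated, because usbd_find_idesc(), usbd_find_edesc(),
 *    usbd_parse_idesc() and the free() at the top of this function all
 *    re-read the length from the stored descriptor.
 * NOTE(review): usbd_get_desc() is not part of this file; if it already
 * enforces the same invariants these checks are redundant but harmless.
 *
 * Comments starting with "analyzer" keep the steps (63-88) that the static
 * analyzer's reported path takes through this function.
 */
usbd_status
usbd_set_config_index(struct usbd_device *dev, int index, int msg)
{
	usb_status_t ds;
	usb_config_descriptor_t cd, *cdp;
	usbd_status err;
	int i, ifcidx, nifc, cdplen, selfpowered, power;

	DPRINTFN(5,("%s: dev=%p index=%d\n", __func__, dev, index));

	/* XXX check that all interfaces are idle */
	/* analyzer 63-64: assumes config == USB_UNCONFIG_NO; branch not taken */
	if (dev->config != USB_UNCONFIG_NO) {
		DPRINTF(("%s: free old config\n", __func__));
		/* Free all configuration data structures. */
		nifc = dev->cdesc->bNumInterfaces;
		for (ifcidx = 0; ifcidx < nifc; ifcidx++)
			usbd_free_iface_data(dev, ifcidx);
		free(dev->ifaces, M_USB, nifc * sizeof(*dev->ifaces));
		free(dev->cdesc, M_USB, UGETW(dev->cdesc->wTotalLength));
		dev->ifaces = NULL;
		dev->cdesc = NULL;
		dev->config = USB_UNCONFIG_NO;
	}

	/* analyzer 65: branch not taken */
	if (index == USB_UNCONFIG_INDEX) {
		/* We are unconfiguring the device, so leave unallocated. */
		DPRINTF(("%s: set config 0\n", __func__));
		err = usbd_set_config(dev, USB_UNCONFIG_NO);
		if (err)
			DPRINTF(("%s: setting config=0 failed, error=%s\n",
			    __func__, usbd_errstr(err)));
		return (err);
	}

	/* Get the short descriptor. */
	err = usbd_get_desc(dev, UDESC_CONFIG, index,
	    USB_CONFIG_DESCRIPTOR_SIZE, &cd);
	/* analyzer 66-67: assumes err == 0 */
	if (err)
		return (err);
	/* analyzer 68-69: assumes bDescriptorType == UDESC_CONFIG */
	if (cd.bDescriptorType != UDESC_CONFIG)
		return (USBD_INVAL);
	cdplen = UGETW(cd.wTotalLength);
	/* The allocation below must hold at least the fixed header. */
	if (cdplen < USB_CONFIG_DESCRIPTOR_SIZE)
		return (USBD_INVAL);
	cdp = malloc(cdplen, M_USB, M_NOWAIT);
	/* analyzer 70-71: assumes cdp != NULL */
	if (cdp == NULL)
		return (USBD_NOMEM);
	/* Get the full descriptor. */
	/* analyzer 72-75: first attempt succeeds, loop left via break */
	for (i = 0; i < 3; i++) {
		err = usbd_get_desc(dev, UDESC_CONFIG, index, cdplen, cdp);
		if (!err)
			break;
		usbd_delay_ms(dev, 200);
	}
	/* analyzer 75.1-76: err is 0; branch not taken */
	if (err)
		goto bad;

	/* analyzer 77-78: assumes bDescriptorType == UDESC_CONFIG */
	if (cdp->bDescriptorType != UDESC_CONFIG) {
		DPRINTFN(-1,("%s: bad desc %d\n", __func__,
		    cdp->bDescriptorType));
		err = USBD_INVAL;
		goto bad;
	}

	/*
	 * The stored descriptor is parsed and later freed using its own
	 * wTotalLength, so it has to agree with the size allocated above.
	 */
	if (UGETW(cdp->wTotalLength) != cdplen) {
		err = USBD_INVAL;
		goto bad;
	}

	/* Figure out if the device is self or bus powered. */
	selfpowered = 0;
	/* analyzer 79: assumes the condition is false */
	if (!(dev->quirks->uq_flags & UQ_BUS_POWERED) &&
	    (cdp->bmAttributes & UC_SELF_POWERED)) {
		/* May be self powered. */
		if (cdp->bmAttributes & UC_BUS_POWERED) {
			/* Must ask device. */
			if (dev->quirks->uq_flags & UQ_POWER_CLAIM) {
				/*
				 * Hub claims to be self powered, but isn't.
				 * It seems that the power status can be
				 * determined by the hub characteristics.
				 */
				usb_hub_descriptor_t hd;
				usb_device_request_t req;
				req.bmRequestType = UT_READ_CLASS_DEVICE;
				req.bRequest = UR_GET_DESCRIPTOR;
				USETW(req.wValue, 0);
				USETW(req.wIndex, 0);
				USETW(req.wLength, USB_HUB_DESCRIPTOR_SIZE);
				err = usbd_do_request(dev, &req, &hd);
				if (!err &&
				    (UGETW(hd.wHubCharacteristics) &
				     UHD_PWR_INDIVIDUAL))
					selfpowered = 1;
				DPRINTF(("%s: charac=0x%04x, error=%s\n",
				    __func__, UGETW(hd.wHubCharacteristics),
				    usbd_errstr(err)));
			} else {
				err = usbd_get_device_status(dev, &ds);
				if (!err &&
				    (UGETW(ds.wStatus) & UDS_SELF_POWERED))
					selfpowered = 1;
				DPRINTF(("%s: status=0x%04x, error=%s\n",
				    __func__, UGETW(ds.wStatus),
				    usbd_errstr(err)));
			}
		} else
			selfpowered = 1;
	}
	DPRINTF(("%s: (addr %d) cno=%d attr=0x%02x, selfpowered=%d, power=%d\n",
	    __func__, dev->address, cdp->bConfigurationValue, cdp->bmAttributes,
	    selfpowered, cdp->bMaxPower * 2));

	/* Check if we have enough power. */
#ifdef USB_DEBUG
	if (dev->powersrc == NULL) {
		DPRINTF(("%s: No power source?\n", __func__));
		err = USBD_IOERROR;
		goto bad;
	}
#endif
	/* bMaxPower is doubled to obtain the mA figure printed below. */
	power = cdp->bMaxPower * 2;
	/* analyzer 80-81: assumes power <= dev->powersrc->power */
	if (power > dev->powersrc->power) {
		DPRINTF(("power exceeded %d %d\n", power,dev->powersrc->power));
		/* XXX print nicer message. */
		if (msg)
			printf("%s: device addr %d (config %d) exceeds power "
			    "budget, %d mA > %d mA\n",
			    dev->bus->bdev.dv_xname, dev->address,
			    cdp->bConfigurationValue,
			    power, dev->powersrc->power);
		err = USBD_NO_POWER;
		goto bad;
	}
	dev->power = power;
	dev->self_powered = selfpowered;

	/* Set the actual configuration value. */
	DPRINTF(("%s: set config %d\n", __func__, cdp->bConfigurationValue));
	err = usbd_set_config(dev, cdp->bConfigurationValue);
	/* analyzer 82-83: assumes err == 0 */
	if (err) {
		DPRINTF(("%s: setting config=%d failed, error=%s\n", __func__,
		    cdp->bConfigurationValue, usbd_errstr(err)));
		goto bad;
	}

	/* Allocate and fill interface data. */
	nifc = cdp->bNumInterfaces;
	dev->ifaces = mallocarray(nifc, sizeof(*dev->ifaces), M_USB,
	    M_NOWAIT | M_ZERO);
	/* analyzer 84-85: assumes dev->ifaces != NULL */
	if (dev->ifaces == NULL) {
		err = USBD_NOMEM;
		goto bad;
	}
	DPRINTFN(5,("%s: dev=%p cdesc=%p\n", __func__, dev, cdp));
	dev->cdesc = cdp;
	dev->config = cdp->bConfigurationValue;
	/*
	 * analyzer 86-87: assumes ifcidx >= nifc on entry, i.e. the
	 * configuration reports no interfaces and the loop body never runs.
	 */
	for (ifcidx = 0; ifcidx < nifc; ifcidx++) {
		err = usbd_fill_iface_data(dev, ifcidx, 0);
		if (err)
			return (err);
	}

	/* analyzer 88: returns zero, which participates in a later condition */
	return (USBD_NORMAL_COMPLETION);

 bad:
	free(cdp, M_USB, cdplen);
	return (err);
}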
775
776/* XXX add function for alternate settings */
777
/*
 * Allocate a zeroed pipe of dev->bus->pipe_size bytes, bind it to `dev`,
 * `iface` and endpoint `ep` with polling interval `ival`, and let the bus
 * driver's open_pipe() method initialise it.
 *
 * Returns USBD_NORMAL_COMPLETION with the new pipe stored in *pipe,
 * USBD_NOMEM when the allocation fails, or the error from open_pipe(), in
 * which case the pipe is freed and *pipe is left untouched.
 *
 * The unnumbered lines inside the body are the static analyzer's path notes
 * (steps 9-13 of the reported path), kept as the report printed them.
 */
778usbd_status
779usbd_setup_pipe(struct usbd_device *dev, struct usbd_interface *iface,
780 struct usbd_endpoint *ep, int ival, struct usbd_pipe **pipe)
781{
782 struct usbd_pipe *p;
783 usbd_status err;
784
785 DPRINTF(("%s: dev=%p iface=%p ep=%p pipe=%p\n", __func__,
786 dev, iface, ep, pipe));
787 p = malloc(dev->bus->pipe_size, M_USB101, M_NOWAIT0x0002|M_ZERO0x0008);
788 if (p == NULL((void *)0))
9
Assuming 'p' is not equal to NULL
10
Taking false branch
789 return (USBD_NOMEM);
790 p->pipe_size = dev->bus->pipe_size;
791 p->device = dev;
792 p->iface = iface;
793 p->endpoint = ep;
/*
 * NOTE(review): the reference taken here is not dropped on the open_pipe()
 * failure path below, so a failed open appears to leave ep->refcnt one too
 * high -- confirm against the code that closes pipes.
 */
794 ep->refcnt++;
795 p->interval = ival;
796 SIMPLEQ_INIT(&p->queue)do { (&p->queue)->sqh_first = ((void *)0); (&p->
queue)->sqh_last = &(&p->queue)->sqh_first; }
while (0)
;
11
Loop condition is false. Exiting loop
797 err = dev->bus->methods->open_pipe(p);
798 if (err) {
12
Assuming 'err' is 0
13
Taking false branch
799 DPRINTF(("%s: endpoint=0x%x failed, error=%s\n", __func__,
800 ep->edesc->bEndpointAddress, usbd_errstr(err)));
801 free(p, M_USB101, dev->bus->pipe_size);
802 return (err);
803 }
804 *pipe = p;
805 return (USBD_NORMAL_COMPLETION);
806}
807
/*
 * Send a SET_ADDRESS request (UR_SET_ADDRESS, 0x05 in the analysed build)
 * that assigns bus address `addr` to the device.
 *
 * Returns 1 when the request fails.  On success the function waits
 * USB_SET_ADDRESS_SETTLE (10 in the analysed build) so the device can
 * switch to the new address, then returns 0.
 */
int
usbd_set_address(struct usbd_device *dev, int addr)
{
	usb_device_request_t req;
	usbd_status status;

	req.bmRequestType = UT_WRITE_DEVICE;
	req.bRequest = UR_SET_ADDRESS;
	USETW(req.wValue, addr);
	USETW(req.wIndex, 0);
	USETW(req.wLength, 0);

	status = usbd_do_request(dev, &req, NULL);
	if (status != 0)
		return (1);

	/* Allow device time to set new address */
	usbd_delay_ms(dev, USB_SET_ADDRESS_SETTLE);

	return (0);
}
826
/*
 * Return the lowest unused device address on `bus`, searching
 * 1 .. USB_MAX_DEVICES - 1 (USB_MAX_DEVICES is 128 in the analysed build),
 * or -1 when every slot in bus->devices[] is taken.  Slot 0 is never
 * handed out.
 */
int
usbd_getnewaddr(struct usbd_bus *bus)
{
	int candidate = 1;

	while (candidate < USB_MAX_DEVICES) {
		if (bus->devices[candidate] == NULL)
			return (candidate);
		candidate++;
	}
	return (-1);
}
837
/*
 * Find and attach drivers for `dev', in three stages: device-specific
 * drivers, then per-interface drivers for each configuration, then the
 * generic driver.  The usbpalock write lock is held for the whole call.
 *
 * Attached children are recorded in dev->subdevs[] (NULL-terminated),
 * with dev->ndevs counting them and dev->nsubdev holding the allocated
 * element count.
 *
 * Returns USBD_NOMEM on allocation failure, the usbd_set_config_index()
 * error if selecting a configuration fails, and USBD_NORMAL_COMPLETION
 * otherwise -- including when no driver attached at all.
 *
 * The "analyzer [N]" comments below are the path events of the clang
 * static analyzer report for line 975 of usb_subr.c ("Array access (via
 * field 'subdevs') results in a null pointer dereference").  The path
 * enters this function at event 57, in usbd_new_device().
 *
 * NOTE(review): the reported path assumes dev->ndevs <= 0 at event 97
 * and dev->ndevs != 0 at event 103.  The only writes to ndevs in this
 * function are the increments that follow a store into subdevs[], so the
 * path is reachable only if ndevs is negative on entry or if ndevs and
 * subdevs are already out of step when the function is called.  Neither
 * the type of ndevs nor every caller is visible here -- confirm the
 * "ndevs > 0 implies subdevs != NULL" invariant before dismissing the
 * report.
 */
usbd_status
usbd_probe_and_attach(struct device *parent, struct usbd_device *dev, int port,
    int addr)
{
	struct usb_attach_arg uaa;
	usb_device_descriptor_t *dd = &dev->ddesc;
	int i, confi, nifaces;
	usbd_status err;
	struct device *dv;
	struct usbd_interface **ifaces;
	extern struct rwlock usbpalock;

	rw_enter_write(&usbpalock);

	uaa.device = dev;
	uaa.iface = NULL;
	uaa.ifaces = NULL;
	uaa.nifaces = 0;
	uaa.usegeneric = 0;
	uaa.port = port;
	uaa.configno = UHUB_UNK_CONFIGURATION;
	uaa.ifaceno = UHUB_UNK_INTERFACE;
	uaa.vendor = UGETW(dd->idVendor);
	uaa.product = UGETW(dd->idProduct);
	uaa.release = UGETW(dd->bcdDevice);

	/* First try with device specific drivers. */
	DPRINTF(("usbd_probe_and_attach trying device specific drivers\n"));
	dv = config_found(parent, &uaa, usbd_print);
	/* analyzer [58-59]: assuming 'dv' is null; taking false branch */
	if (dv) {
		/*
		 * Two slots: the driver plus the NULL terminator.
		 * NOTE(review): the stores below index with dev->ndevs
		 * without checking it is 0, and any previous dev->subdevs
		 * is overwritten -- presumably this only runs on a device
		 * with no children yet; confirm.
		 */
		dev->subdevs = mallocarray(2, sizeof dv, M_USB, M_NOWAIT);
		if (dev->subdevs == NULL) {
			err = USBD_NOMEM;
			goto fail;
		}
		dev->nsubdev = 2;
		dev->subdevs[dev->ndevs++] = dv;
		dev->subdevs[dev->ndevs] = 0;
		err = USBD_NORMAL_COMPLETION;
		/* "fail" is the common exit label, used for success too. */
		goto fail;
	}

	DPRINTF(("%s: no device specific driver found\n", __func__));

	DPRINTF(("%s: looping over %d configurations\n", __func__,
		 dd->bNumConfigurations));
	/* Next try with interface drivers. */
	/*
	 * analyzer [60-61]: assuming 'confi' is < field 'bNumConfigurations';
	 *     loop condition is true, entering loop body
	 * analyzer [100-101]: assuming 'confi' is >= field
	 *     'bNumConfigurations'; loop condition is false, execution
	 *     continues on line 953
	 */
	for (confi = 0; confi < dd->bNumConfigurations; confi++) {
		DPRINTFN(1,("%s: trying config idx=%d\n", __func__,
			    confi));
		/* analyzer [62, 89]: calling / returning from 'usbd_set_config_index' */
		err = usbd_set_config_index(dev, confi, 1);
		/* analyzer [89.1-90]: 'err' is 0; taking false branch */
		if (err) {
#ifdef USB_DEBUG
			DPRINTF(("%s: port %d, set config at addr %d failed, "
				 "error=%s\n", parent->dv_xname, port,
				 addr, usbd_errstr(err)));
#else
			printf("%s: port %d, set config %d at addr %d failed\n",
			    parent->dv_xname, port, confi, addr);
#endif

			goto fail;
		}
		nifaces = dev->cdesc->bNumInterfaces;
		uaa.configno = dev->cdesc->bConfigurationValue;
		/* Temporary array of interface pointers handed to drivers via uaa. */
		ifaces = mallocarray(nifaces, sizeof(*ifaces), M_USB, M_NOWAIT);
		/* analyzer [91-92]: assuming 'ifaces' is not equal to NULL; taking false branch */
		if (ifaces == NULL) {
			err = USBD_NOMEM;
			goto fail;
		}
		/* analyzer [93]: loop condition is false, execution continues on line 910 */
		for (i = 0; i < nifaces; i++)
			ifaces[i] = &dev->ifaces[i];
		uaa.ifaces = ifaces;
		uaa.nifaces = nifaces;

		/* add 1 for possible ugen and 1 for NULL terminator */
		dev->subdevs = mallocarray(nifaces + 2, sizeof(dv), M_USB,
		    M_NOWAIT | M_ZERO);
		/* analyzer [94-95]: assuming field 'subdevs' is not equal to NULL; taking false branch */
		if (dev->subdevs == NULL) {
			free(ifaces, M_USB, nifaces * sizeof(*ifaces));
			err = USBD_NOMEM;
			goto fail;
		}
		dev->nsubdev = nifaces + 2;

		/* analyzer [96]: loop condition is false, execution continues on line 934 */
		for (i = 0; i < nifaces; i++) {
			if (usbd_iface_claimed(dev, i))
				continue;
			uaa.iface = ifaces[i];
			uaa.ifaceno = ifaces[i]->idesc->bInterfaceNumber;
			dv = config_found(parent, &uaa, usbd_print);
			if (dv != NULL) {
				dev->subdevs[dev->ndevs++] = dv;
				usbd_claim_iface(dev, i);
			}
		}
		free(ifaces, M_USB, nifaces * sizeof(*ifaces));

		/* analyzer [97-98]: assuming field 'ndevs' is <= 0; taking false branch */
		if (dev->ndevs > 0) {
			/*
			 * At least one interface driver attached.  If some
			 * interface is still unclaimed, offer it to the
			 * generic driver; otherwise we are done.  err is
			 * still 0 from usbd_set_config_index() here.
			 */
			for (i = 0; i < nifaces; i++) {
				if (!usbd_iface_claimed(dev, i))
					break;
			}
			if (i < nifaces)
				goto generic;
			 else
				goto fail;
		}

		/* Nothing attached in this configuration: drop the array. */
		free(dev->subdevs, M_USB, dev->nsubdev * sizeof(*dev->subdevs));
		dev->subdevs = NULL;
		/* analyzer [99]: null pointer value stored to field 'subdevs' */
		dev->nsubdev = 0;
	}
	/* No interfaces were attached in any of the configurations. */

	/* analyzer [101.1-102]: field 'bNumConfigurations' is <= 1; taking false branch */
	if (dd->bNumConfigurations > 1) /* don't change if only 1 config */
		usbd_set_config_index(dev, 0, 0);

	DPRINTF(("%s: no interface drivers found\n", __func__));

generic:
	/* Finally try the generic driver. */
	uaa.iface = NULL;
	uaa.usegeneric = 1;
	/* analyzer [103-104]: assuming field 'ndevs' is not equal to 0; '?' condition is false */
	uaa.configno = dev->ndevs == 0 ? UHUB_UNK_CONFIGURATION :
	    dev->cdesc->bConfigurationValue;
	uaa.ifaceno = UHUB_UNK_INTERFACE;
	dv = config_found(parent, &uaa, usbd_print);
	/* analyzer [105-106]: assuming 'dv' is not equal to NULL; taking true branch */
	if (dv != NULL) {
		/* analyzer [106.1-107]: field 'ndevs' is not equal to 0; taking false branch */
		if (dev->ndevs == 0) {
			/* No array yet: the driver plus the NULL terminator. */
			dev->subdevs = mallocarray(2, sizeof dv, M_USB, M_NOWAIT);
			if (dev->subdevs == NULL) {
				err = USBD_NOMEM;
				goto fail;
			}
			dev->nsubdev = 2;
		}
		/*
		 * When ndevs != 0 this reuses the array allocated in the
		 * configuration loop, sized nifaces + 2 for exactly this
		 * extra entry and its terminator.
		 */
		dev->subdevs[dev->ndevs++] = dv;
		/*
		 * analyzer [108]: array access (via field 'subdevs') results
		 * in a null pointer dereference (line 975, column 30)
		 */
		dev->subdevs[dev->ndevs] = 0;
		err = USBD_NORMAL_COMPLETION;
		goto fail;
	}

	/*
	 * The generic attach failed, but leave the device as it is.
	 * We just did not find any drivers, that's all.  The device is
	 * fully operational and not harming anyone.
	 */
	DPRINTF(("%s: generic attach failed\n", __func__));
	err = USBD_NORMAL_COMPLETION;
fail:
	rw_exit_write(&usbpalock);
	return (err);
}
992
993
/*
 * Called when a new device has been put in the powered state,
 * but not yet in the addressed state.
 * Get initial descriptor, set the address, get full descriptor,
 * and attach a driver.
 *
 * Returns USBD_INVAL for an unknown `speed' or a device descriptor that
 * fails the type, length or max-packet-size checks, USBD_NO_ADDR when
 * the bus has no free address, USBD_NOMEM on allocation failure,
 * USBD_SET_ADDR_FAILED when the controller's dev_setaddr hook fails, and
 * otherwise the error of whichever helper failed, or
 * USBD_NORMAL_COMPLETION.
 *
 * Once `dev' is allocated every failure goes through the `fail' label,
 * which frees the device with usb_free_device() and clears up->device.
 *
 * Everything read through `dd' is supplied by the attached device and
 * is validated only by the explicit checks below.
 *
 * The "analyzer [N]" comments are the path events of the clang static
 * analyzer report for line 975 of usb_subr.c; the reported path starts
 * here and continues into usbd_probe_and_attach() at event 57.
 */
usbd_status
usbd_new_device(struct device *parent, struct usbd_bus *bus, int depth,
		int speed, int port, struct usbd_port *up)
{
	struct usbd_device *dev, *adev, *hub;
	usb_device_descriptor_t *dd;
	usbd_status err;
	uint32_t mps, mps0;
	int addr, i, p;

	DPRINTF(("%s: bus=%p port=%d depth=%d speed=%d\n", __func__,
		 bus, port, depth, speed));

	/*
	 * Fixed size for ep0 max packet, FULL device variable size is
	 * handled below.
	 */
	/* analyzer [1]: control jumps to 'case 4:' at line 1025 */
	switch (speed) {
	case USB_SPEED_LOW:
		mps0 = 8;
		break;
	case USB_SPEED_HIGH:
	case USB_SPEED_FULL:
		mps0 = 64;
		break;
	case USB_SPEED_SUPER:
		mps0 = 512;
		break;
		/* analyzer [2]: execution continues on line 1032 */
	default:
		return (USBD_INVAL);
	}

	addr = usbd_getnewaddr(bus);
	/* analyzer [2.1-3]: 'addr' is >= 0; taking false branch */
	if (addr < 0) {
		printf("%s: No free USB addresses, new device ignored.\n",
		    bus->bdev.dv_xname);
		return (USBD_NO_ADDR);
	}

	/* M_ZERO: every field not set below starts out as 0 / NULL. */
	dev = malloc(sizeof *dev, M_USB, M_NOWAIT | M_ZERO);
	/* analyzer [4-5]: assuming 'dev' is not equal to NULL; taking false branch */
	if (dev == NULL)
		return (USBD_NOMEM);

	dev->bus = bus;

	/* Set up default endpoint handle. */
	dev->def_ep.edesc = &dev->def_ep_desc;

	/* Set up default endpoint descriptor. */
	dev->def_ep_desc.bLength = USB_ENDPOINT_DESCRIPTOR_SIZE;
	dev->def_ep_desc.bDescriptorType = UDESC_ENDPOINT;
	dev->def_ep_desc.bEndpointAddress = USB_CONTROL_ENDPOINT;
	dev->def_ep_desc.bmAttributes = UE_CONTROL;
	dev->def_ep_desc.bInterval = 0;
	USETW(dev->def_ep_desc.wMaxPacketSize, mps0);

	dev->quirks = &usbd_no_quirk;
	/*
	 * Until `addr' is stored further down, dev->address is
	 * USB_START_ADDR; a failure before that point makes
	 * usb_free_device() clear bus->devices[USB_START_ADDR].
	 */
	dev->address = USB_START_ADDR;
	dev->ddesc.bMaxPacketSize = 0;
	dev->depth = depth;
	dev->powersrc = up;
	dev->myhub = up->parent;
	dev->speed = speed;
	dev->langid = USBD_NOLANG;

	up->device = dev;

	/* Locate port on upstream high speed hub */
	/* analyzer [6]: assuming 'hub' is equal to NULL */
	for (adev = dev, hub = up->parent;
	    hub != NULL && hub->speed != USB_SPEED_HIGH;
	    adev = hub, hub = hub->myhub)
		;
	/* analyzer [6.1-7]: 'hub' is null; taking false branch */
	if (hub) {
		/* adev is the device directly below the high speed hub. */
		for (p = 0; p < hub->hub->nports; p++) {
			if (hub->hub->ports[p].device == adev) {
				dev->myhsport = &hub->hub->ports[p];
				goto found;
			}
		}
		panic("usbd_new_device: cannot find HS port");
	found:
		DPRINTFN(1,("%s: high speed port %d\n", __func__, p));
	} else {
		dev->myhsport = NULL;
	}

	/* Establish the default pipe. */
	/* analyzer [8, 14]: calling / returning from 'usbd_setup_pipe' */
	err = usbd_setup_pipe(dev, 0, &dev->def_ep, USBD_DEFAULT_INTERVAL,
	    &dev->default_pipe);
	/* analyzer [14.1-15]: 'err' is 0; taking false branch */
	if (err)
		goto fail;

	dd = &dev->ddesc;

	/* Try to get device descriptor */
	/*
	 * some device will need small size query at first (XXX: out of spec)
	 * we will get full size descriptor later, just determine the maximum
	 * packet size of the control pipe at this moment.
	 */
	/* analyzer [16]: loop condition is true, entering loop body */
	for (i = 0; i < 3; i++) {
		/* Get the first 8 bytes of the device descriptor. */
		/* 8 byte is magic size, some device only return 8 byte for 1st
		 * query (XXX: out of spec) */
		err = usbd_get_desc(dev, UDESC_DEVICE, 0, USB_MAX_IPACKET, dd);
		/* analyzer [17-18]: assuming 'err' is 0; taking true branch */
		if (!err)
			break;
		/* analyzer [19]: execution continues on line 1113 */
		if (err == USBD_TIMEOUT)
			goto fail;
		/* Back off a little longer on each retry. */
		usbd_delay_ms(dev, 100+50*i);
	}

	/* some device need actual size request for the query. try again */
	/* analyzer [19.1-20]: 'err' is 0; taking false branch */
	if (err) {
		USETW(dev->def_ep_desc.wMaxPacketSize,
			USB_DEVICE_DESCRIPTOR_SIZE);
		usbd_reset_port(up->parent, port);
		for (i = 0; i < 3; i++) {
			err = usbd_get_desc(dev, UDESC_DEVICE, 0,
			    USB_DEVICE_DESCRIPTOR_SIZE, dd);
			if (!err)
				break;
			if (err == USBD_TIMEOUT)
				goto fail;
			usbd_delay_ms(dev, 100+50*i);
		}
	}

	/* XXX some devices need more time to wake up */
	/* analyzer [20.1-21]: 'err' is 0; taking false branch */
	if (err) {
		USETW(dev->def_ep_desc.wMaxPacketSize, USB_MAX_IPACKET);
		usbd_reset_port(up->parent, port);
		usbd_delay_ms(dev, 500);
		err = usbd_get_desc(dev, UDESC_DEVICE, 0,
		    USB_MAX_IPACKET, dd);
	}

	/* analyzer [21.1-22]: 'err' is 0; taking false branch */
	if (err)
		goto fail;

	DPRINTF(("%s: adding unit addr=%d, rev=%02x, class=%d, subclass=%d, "
		 "protocol=%d, maxpacket=%d, len=%d, speed=%d\n", __func__,
		 addr,UGETW(dd->bcdUSB), dd->bDeviceClass, dd->bDeviceSubClass,
		 dd->bDeviceProtocol, dd->bMaxPacketSize, dd->bLength,
		 dev->speed));

	/* Sanity-check the descriptor header the device returned. */
	/*
	 * analyzer [23]: assuming field 'bDescriptorType' is equal to
	 *     UDESC_DEVICE
	 * analyzer [24]: assuming field 'bLength' is >=
	 *     USB_DEVICE_DESCRIPTOR_SIZE
	 * analyzer [25]: taking false branch
	 */
	if ((dd->bDescriptorType != UDESC_DEVICE) ||
	    (dd->bLength < USB_DEVICE_DESCRIPTOR_SIZE)) {
		err = USBD_INVAL;
		goto fail;
	}

	mps = dd->bMaxPacketSize;
	/* analyzer [25.1-26]: 'speed' is equal to USB_SPEED_SUPER; taking true branch */
	if (speed == USB_SPEED_SUPER) {
		/* analyzer [27-28]: assuming 'mps' is not equal to 255; taking false branch */
		if (mps == 0xff)
			mps = 9;
		/* xHCI Section 4.8.2.1 */
		/*
		 * NOTE(review): at this speed bMaxPacketSize is used as an
		 * exponent and only 0xff is special-cased.  A device
		 * reporting 31 or more makes `1 << mps' undefined in C (the
		 * left operand is an int); the range check below only runs
		 * after the shift.  Consider rejecting out-of-range
		 * exponents first.
		 */
		mps = (1 << mps);
	}

	/* analyzer [29-30]: assuming 'mps' is equal to 'mps0'; taking false branch */
	if (mps != mps0) {
		/*
		 * The device disagrees with the per-speed default: accept
		 * only 8/16/32/64, and never for low speed devices.
		 */
		if ((speed == USB_SPEED_LOW) ||
		    (mps != 8 && mps != 16 && mps != 32 && mps != 64)) {
			err = USBD_INVAL;
			goto fail;
		}
		USETW(dev->def_ep_desc.wMaxPacketSize, mps);
	}


	/* Set the address if the HC didn't do it already. */
	/* analyzer [31]: assuming field 'dev_setaddr' is equal to NULL */
	if (bus->methods->dev_setaddr != NULL &&
	    bus->methods->dev_setaddr(dev, addr)) {
		err = USBD_SET_ADDR_FAILED;
		goto fail;
	}

	/* Wait for device to settle before reloading the descriptor. */
	usbd_delay_ms(dev, 10);

	/*
	 * If this device is attached to an xHCI controller, this
	 * address does not correspond to the hardware one.
	 */
	dev->address = addr;

	err = usbd_reload_device_desc(dev);
	/* analyzer [31.1-32]: 'err' is 0; taking false branch */
	if (err)
		goto fail;

	/* send disown request to handover 2.0 to 1.1. */
	/* analyzer [33-34]: assuming the condition is false; taking false branch */
	if (dev->quirks->uq_flags & UQ_EHCI_NEEDTO_DISOWN) {
		/* only effective when the target device is on ehci */
		if (dev->bus->usbrev == USBREV_2_0) {
			DPRINTF(("%s: disown request issues to dev:%p on usb2.0 bus\n",
				__func__, dev));
			usbd_port_disown_to_1_1(dev->myhub, port);
			/* reset_port required to finish disown request */
			usbd_reset_port(dev->myhub, port);
			/*
			 * NOTE(review): this return skips both the `fail'
			 * cleanup and the bus->devices[addr] registration,
			 * so `dev' remains allocated and reachable only
			 * through up->device -- confirm the caller expects
			 * that.
			 */
			return (USBD_NORMAL_COMPLETION);
		}
	}

	/* Assume 100mA bus powered for now. Changed when configured. */
	dev->power = USB_MIN_POWER;
	dev->self_powered = 0;

	DPRINTF(("%s: new dev (addr %d), dev=%p, parent=%p\n", __func__,
		 addr, dev, parent));

	/* Get device info and cache it */
	/* analyzer [35, 55]: calling / returning from 'usbd_cache_devinfo' */
	err = usbd_cache_devinfo(dev);
	/* analyzer [55.1-56]: 'err' is 0; taking false branch */
	if (err)
		goto fail;

	/* From here on the address is taken on this bus. */
	bus->devices[addr] = dev;

	/* analyzer [57]: calling 'usbd_probe_and_attach' */
	err = usbd_probe_and_attach(parent, dev, port, addr);
	if (err)
		goto fail;

	return (USBD_NORMAL_COMPLETION);

fail:
	/* usb_free_device() also clears bus->devices[dev->address]. */
	usb_free_device(dev);
	up->device = NULL;
	return (err);
}
1228
/*
 * Fetch the full device descriptor (USB_DEVICE_DESCRIPTOR_SIZE bytes)
 * into dev->ddesc and look up the matching quirk entry for it.
 *
 * Returns the usbd_get_desc() error, in which case dev->quirks is left
 * untouched, or USBD_NORMAL_COMPLETION.
 */
usbd_status
usbd_reload_device_desc(struct usbd_device *dev)
{
	usbd_status rc;

	/* Get the full device descriptor. */
	rc = usbd_get_desc(dev, UDESC_DEVICE, 0, USB_DEVICE_DESCRIPTOR_SIZE,
	    &dev->ddesc);
	if (rc)
		return (rc);

	/* Figure out what's wrong with this device. */
	dev->quirks = usbd_find_quirk(&dev->ddesc);
	return (USBD_NORMAL_COMPLETION);
}
1245
/*
 * Print callback handed to config_found() for USB attach arguments;
 * `aux' is the struct usb_attach_arg being offered and `pnp' is the
 * parent name, or NULL.
 *
 * With `pnp' set and uaa->usegeneric clear nothing is printed and QUIET
 * is returned.  Otherwise the device description, port, configuration
 * and interface are printed as available and UNCONF is returned.
 *
 * The description buffer is requested with M_WAITOK and used without a
 * NULL check; it is released on both exits.
 */
int
usbd_print(void *aux, const char *pnp)
{
	struct usb_attach_arg *uaa = aux;
	char *info;
	int rv = UNCONF;

	info = malloc(DEVINFOSIZE, M_TEMP, M_WAITOK);
	usbd_devinfo(uaa->device, 0, info, DEVINFOSIZE);

	DPRINTFN(15, ("usbd_print dev=%p\n", uaa->device));

	/* Only the generic driver pass prints the "X at Y" form. */
	if (pnp != NULL && !uaa->usegeneric) {
		rv = QUIET;
		goto out;
	}
	if (pnp != NULL)
		printf("%s at %s", info, pnp);

	if (uaa->port != 0)
		printf(" port %d", uaa->port);
	if (uaa->configno != UHUB_UNK_CONFIGURATION)
		printf(" configuration %d", uaa->configno);
	if (uaa->ifaceno != UHUB_UNK_INTERFACE)
		printf(" interface %d", uaa->ifaceno);

	if (pnp == NULL)
		printf(" %s\n", info);
out:
	free(info, M_TEMP, DEVINFOSIZE);
	return (rv);
}
1275
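/*
 * Fill `di' with a snapshot of `dev': bus and address, vendor/product
 * strings and numeric ids, class triple, configuration, power, speed,
 * upstream port, the names of attached child drivers, per-port status
 * when the device is a hub, and the serial string.
 *
 * At most USB_MAX_DEVNAMES child names are reported; unused name slots
 * are set to the empty string.
 */
void
usbd_fill_deviceinfo(struct usbd_device *dev, struct usb_device_info *di)
{
	struct usbd_port *p;
	int i;

	di->udi_bus = dev->bus->usbctl->dv_unit;
	di->udi_addr = dev->address;
	/*
	 * NOTE(review): strlcpy() terminates but does not clear the rest
	 * of the destination, and only udi_serial is zeroed explicitly in
	 * this function -- confirm callers hand in a cleared `di' if the
	 * structure is copied out afterwards.  dev->vendor and
	 * dev->product are also used without a NULL check, unlike
	 * dev->serial below; presumably they are always set by the time
	 * this runs -- confirm.
	 */
	strlcpy(di->udi_vendor, dev->vendor, sizeof(di->udi_vendor));
	strlcpy(di->udi_product, dev->product, sizeof(di->udi_product));
	usbd_printBCD(di->udi_release, sizeof di->udi_release,
	    UGETW(dev->ddesc.bcdDevice));
	di->udi_vendorNo = UGETW(dev->ddesc.idVendor);
	di->udi_productNo = UGETW(dev->ddesc.idProduct);
	di->udi_releaseNo = UGETW(dev->ddesc.bcdDevice);
	di->udi_class = dev->ddesc.bDeviceClass;
	di->udi_subclass = dev->ddesc.bDeviceSubClass;
	di->udi_protocol = dev->ddesc.bDeviceProtocol;
	di->udi_config = dev->config;
	/* Self-powered devices report 0 rather than their bus draw. */
	di->udi_power = dev->self_powered ? 0 : dev->power;
	di->udi_speed = dev->speed;
	di->udi_port = dev->powersrc ? dev->powersrc->portno : 0;

	i = 0;
	if (dev->subdevs != NULL) {
		/*
		 * Test the index before the element so subdevs[] is never
		 * read at USB_MAX_DEVNAMES once all name slots are filled.
		 */
		for (; i < USB_MAX_DEVNAMES && dev->subdevs[i]; i++) {
			/*
			 * strncpy() pads the slot with NULs; the explicit
			 * terminator covers names that fill it completely.
			 */
			strncpy(di->udi_devnames[i],
			    dev->subdevs[i]->dv_xname, USB_MAX_DEVNAMELEN);
			di->udi_devnames[i][USB_MAX_DEVNAMELEN-1] = '\0';
		}
	}

	/* Remaining name slots are reported as empty strings. */
	for (; i < USB_MAX_DEVNAMES; i++)
		di->udi_devnames[i][0] = 0; /* empty */

	if (dev->hub) {
		/* Port change bits in the high 16 bits, port status in the low. */
		for (i = 0;
		    i < nitems(di->udi_ports) && i < dev->hub->nports; i++) {
			p = &dev->hub->ports[i];
			di->udi_ports[i] = UGETW(p->status.wPortChange) << 16 |
			    UGETW(p->status.wPortStatus);
		}
		/*
		 * udi_nports is the hub's real port count and can exceed
		 * the number of udi_ports[] entries filled above.
		 */
		di->udi_nports = dev->hub->nports;
	} else
		di->udi_nports = 0;

	bzero(di->udi_serial, sizeof(di->udi_serial));
	if (dev->serial != NULL)
		strlcpy(di->udi_serial, dev->serial,
		    sizeof(di->udi_serial));
}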
1327
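/*
 * Retrieve a complete descriptor for a certain device and index.
 *
 * With index == USB_CURRENT_CONFIG_INDEX the cached descriptor of the
 * current configuration is copied; otherwise the descriptor is read from
 * the device, first the fixed-size header to learn wTotalLength, then
 * the whole descriptor.
 *
 * On success the total length is stored through `lenp' when it is
 * non-NULL and a buffer of that many bytes is returned.  The buffer is
 * allocated from M_TEMP and not released here, so the caller owns it.
 * Returns NULL when there is no current configuration, when a request
 * fails, or when the device's answer is not a usable configuration
 * descriptor.
 */
usb_config_descriptor_t *
usbd_get_cdesc(struct usbd_device *dev, int index, u_int *lenp)
{
	usb_config_descriptor_t *cdesc, *tdesc, cdescr;
	u_int len;
	usbd_status err;

	if (index == USB_CURRENT_CONFIG_INDEX) {
		tdesc = usbd_get_config_descriptor(dev);
		if (tdesc == NULL)
			return (NULL);
		len = UGETW(tdesc->wTotalLength);
		if (lenp)
			*lenp = len;
		cdesc = malloc(len, M_TEMP, M_WAITOK);
		memcpy(cdesc, tdesc, len);
		DPRINTFN(5,("%s: current, len=%u\n", __func__, len));
	} else {
		err = usbd_get_desc(dev, UDESC_CONFIG, index,
		    USB_CONFIG_DESCRIPTOR_SIZE, &cdescr);
		if (err || cdescr.bDescriptorType != UDESC_CONFIG)
			return (NULL);
		len = UGETW(cdescr.wTotalLength);
		DPRINTFN(5,("%s: index=%d, len=%u\n", __func__, index, len));
		/*
		 * wTotalLength comes from the device.  A value below the
		 * fixed header size cannot describe a configuration, and
		 * would hand callers a buffer shorter than
		 * usb_config_descriptor_t; treat it as a failed read.
		 */
		if (len < USB_CONFIG_DESCRIPTOR_SIZE)
			return (NULL);
		if (lenp)
			*lenp = len;
		cdesc = malloc(len, M_TEMP, M_WAITOK);
		err = usbd_get_desc(dev, UDESC_CONFIG, index, len, cdesc);
		if (err) {
			free(cdesc, M_TEMP, len);
			return (NULL);
		}
	}
	return (cdesc);
}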
1364
/*
 * Release everything owned by `dev' and then `dev' itself: the default
 * pipe, per-interface data and the interface array, the cached
 * configuration descriptor, the subdevs[] array, and the vendor,
 * product and serial strings.  The device's slot in bus->devices[] is
 * cleared as well, indexed by dev->address.
 *
 * The interface count is read through dev->cdesc, so a non-NULL
 * dev->ifaces is taken to imply a non-NULL dev->cdesc.
 */
void
usb_free_device(struct usbd_device *dev)
{
	int n, k;

	DPRINTF(("%s: %p\n", __func__, dev));

	if (dev->default_pipe != NULL)
		usbd_close_pipe(dev->default_pipe);

	if (dev->ifaces != NULL) {
		n = dev->cdesc->bNumInterfaces;
		k = 0;
		while (k < n) {
			usbd_free_iface_data(dev, k);
			k++;
		}
		free(dev->ifaces, M_USB, n * sizeof(*dev->ifaces));
	}

	/* The size argument dereferences cdesc, so this guard is needed. */
	if (dev->cdesc != NULL) {
		free(dev->cdesc, M_USB, UGETW(dev->cdesc->wTotalLength));
	}

	/* subdevs may be NULL here; it is passed to free() unguarded. */
	free(dev->subdevs, M_USB, dev->nsubdev * sizeof(*dev->subdevs));
	dev->bus->devices[dev->address] = NULL;

	if (dev->vendor != NULL) {
		free(dev->vendor, M_USB, USB_MAX_STRING_LEN);
	}
	if (dev->product != NULL) {
		free(dev->product, M_USB, USB_MAX_STRING_LEN);
	}
	if (dev->serial != NULL) {
		free(dev->serial, M_USB, USB_MAX_STRING_LEN);
	}

	free(dev, M_USB, sizeof *dev);
}
1394
/*
 * Should only be called by the USB thread doing bus exploration to
 * avoid connect/disconnect races.
 *
 * Deactivates `dev', force-detaches every child driver listed in the
 * NULL-terminated dev->subdevs[] array, and frees the device only when
 * every detach returned 0.  The return value is the OR of the
 * config_detach() results.
 *
 * The walk is guarded by dev->ndevs > 0 alone, so it relies on
 * dev->subdevs being non-NULL whenever ndevs is positive -- the same
 * relationship the analyzer report for usbd_probe_and_attach() questions.
 */
int
usbd_detach(struct usbd_device *dev, struct device *parent)
{
	int failed = 0;
	int idx;

	usbd_deactivate(dev);

	if (dev->ndevs > 0) {
		idx = 0;
		while (dev->subdevs[idx] != NULL) {
			failed |= config_detach(dev->subdevs[idx],
			    DETACH_FORCE);
			idx++;
		}
	}

	/* Keep the device around if any child refused to detach. */
	if (failed != 0)
		return (failed);

	usb_free_device(dev);
	return (failed);
}