[coreboot-gerrit] Patch set updated for coreboot: 5f27f24 libpayload: usbmsc: Set correct allocation length for REQUEST SENSE

Marc Jones (marc.jones@se-eng.com) gerrit at coreboot.org
Tue Dec 30 06:08:46 CET 2014 

Marc Jones (marc.jones at se-eng.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/7903

-gerrit

commit 5f27f243373326d73708bed284c2bf2d775813d7
Author: Julius Werner <jwerner at chromium.org>
Date:   Fri May 2 14:51:03 2014 -0700

    libpayload: usbmsc: Set correct allocation length for REQUEST SENSE
    
    So I was debugging this faulty USB SD card reader that would just fail
    it's REQUEST SENSE response for some reason (sending the CSW immediately
    without the data), cursing those damn device vendors for building
    non-compliant crap like I always do... when I noticed that we do not
    actually set the Allocation Length field in our REQUEST SENSE command
    block at all! We set a length in the CBW, but the SCSI command still has
    its own length field and the SCSI spec specifically says that the device
    has to return the exact amount of bytes listed there (even if it's 0). I
    don't know what's more suprising: that we had such a blatant bug in this
    stack for so long, or that this card reader is really the first device
    to actually be spec compliant in that regard.
    
    This patch fixes the bug and changes the command block structures to be
    a little easier to read (why that field was called 'lun' before is
    beyond me... LUN is a transport level thing and should never appear in
    the command block at all, for any command). It also fixes a memcpy() in
    wrap_cbw() to avoid a read buffer overflow that might expose stack frame
    data to the device.
    
    BRANCH=rambi?,nyan
    BUG=chrome-os-partner:28437
    TEST=The card reader works now (for it's first LUN at least).
    
    Original-Change-Id: I86fdcae2ea4d2e2939e3676d31d8b6a4e797873b
    Original-Signed-off-by: Julius Werner <jwerner at chromium.org>
    Original-Reviewed-on: https://chromium-review.googlesource.com/198100
    Original-Reviewed-by: Aaron Durbin <adurbin at chromium.org>
    (cherry picked from commit 88943d9715994a14c50e74170f2453cceca0983b)
    Signed-off-by: Marc Jones <marc.jones at se-eng.com>
    
    Change-Id: I3097c223248c07c866a33d4ab8f3db1a7082a815
---
 payloads/libpayload/drivers/usb/usbmsc.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/payloads/libpayload/drivers/usb/usbmsc.c b/payloads/libpayload/drivers/usb/usbmsc.c
index 178f982..3b5206e 100644
--- a/payloads/libpayload/drivers/usb/usbmsc.c
+++ b/payloads/libpayload/drivers/usb/usbmsc.c
@@ -205,7 +205,7 @@ wrap_cbw (cbw_t *cbw, int datalen, cbw_direction dir, const u8 *cmd,
 
 	cbw->dCBWDataTransferLength = datalen;
 	cbw->bmCBWFlags = dir;
-	memcpy (cbw->CBWCB, cmd, sizeof (cbw->CBWCB));
+	memcpy (cbw->CBWCB, cmd, cmdlen);
 	cbw->bCBWCBLength = cmdlen;
 }
 
@@ -290,7 +290,7 @@ typedef struct {
 	unsigned int block;	//2-5
 	unsigned char res2;	//6
 	unsigned short numblocks;	//7-8
-	unsigned char res3;	//9 - the block is 10 bytes long
+	unsigned char control;	//9 - the block is 10 bytes long
 } __attribute__ ((packed)) cmdblock_t;
 
 typedef struct {
@@ -298,8 +298,14 @@ typedef struct {
 	unsigned char res1;	//1
 	unsigned char res2;	//2
 	unsigned char res3;	//3
-	unsigned char lun;	//4
-	unsigned char res4;	//5
+	union {			//4
+		struct {
+			unsigned long start:1;  // for START STOP UNIT
+			unsigned long:7;
+		};
+		unsigned char length;		// for REQUEST SENSE
+	};
+	unsigned char control;	//5
 } __attribute__ ((packed)) cmdblock6_t;
 
 /**
@@ -409,9 +415,10 @@ request_sense (usbdev_t *dev)
 	cmdblock6_t cb;
 	memset (&cb, 0, sizeof (cb));
 	cb.command = 0x3;
+	cb.length = sizeof (buf);
 
 	return execute_command (dev, cbw_direction_data_in, (u8 *) &cb,
-				sizeof (cb), buf, 19, 1);
+				sizeof (cb), buf, sizeof (buf), 1);
 }
 
 static int request_sense_no_media (usbdev_t *dev)
@@ -421,9 +428,10 @@ static int request_sense_no_media (usbdev_t *dev)
 	cmdblock6_t cb;
 	memset (&cb, 0, sizeof (cb));
 	cb.command = 0x3;
+	cb.length = sizeof (buf);
 
 	ret = execute_command (dev, cbw_direction_data_in, (u8 *) &cb,
-				sizeof (cb), buf, 19, 1);
+				sizeof (cb), buf, sizeof (buf), 1);
 
 	if (ret)
 		return ret;
@@ -458,7 +466,7 @@ spin_up (usbdev_t *dev)
 	cmdblock6_t cb;
 	memset (&cb, 0, sizeof (cb));
 	cb.command = 0x1b;
-	cb.lun = 1;
+	cb.start = 1;
 	return execute_command (dev, cbw_direction_data_out, (u8 *) &cb,
 				sizeof (cb), 0, 0, 0);
 }

More information about the coreboot-gerrit mailing list