usb: chipidea: host: Improve port index sanitizing

Coverity from Synopsys complains "Illegal address computation (OVERRUN)"
on status_reg.

After below code executed,

  port_index = wIndex & 0xff;
  port_index -= (port_index > 0);

the static analysis tool see the value of port_index is now between 0 and
254 (inclusive).

However, ehci_def.h define port_status as below:

  #define HCS_N_PORTS_MAX         15
  u32     port_status[HCS_N_PORTS_MAX];

So the tool think illegal array pointer may be obtained.

  status_reg = &ehci->regs->port_status[port_index];

This will follow "846cbf98cbef USB: EHCI: Improve port index sanitizing" to
improve port index sanitizing.

Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/20241202083453.704533-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c
index 0cce192083701e5635b7079fb7dd1d124f4e29aa..442d79e32a65b59d551e274dc3464febead3820b 100644 (file)
--- a/drivers/usb/chipidea/host.c
+++ b/drivers/usb/chipidea/host.c
@@ -256,8 +256,14 @@ static int ci_ehci_hub_control(
        struct device *dev = hcd->self.controller;
        struct ci_hdrc *ci = dev_get_drvdata(dev);
 
-       port_index = wIndex & 0xff;
-       port_index -= (port_index > 0);
+       /*
+        * Avoid out-of-bounds values while calculating the port index
+        * from wIndex. The compiler doesn't like pointers to invalid
+        * addresses, even if they are never used.
+        */
+       port_index = (wIndex - 1) & 0xff;
+       if (port_index >= HCS_N_PORTS_MAX)
+               port_index = 0;
        status_reg = &ehci->regs->port_status[port_index];
 
        spin_lock_irqsave(&ehci->lock, flags);