Re: [PATCH] hw/usb/hcd-dwc2: Enforce epnum to 0 for the control endpoint to avoid the assertion failure in usb_ep_get()

From: Paul Zimmerman <pauldzim@gmail.com>
To: Qiang Liu <cyruscyliu@gmail.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>,
	"open list:All patches CC here" <qemu-devel@nongnu.org>
Subject: Re: [PATCH] hw/usb/hcd-dwc2: Enforce epnum to 0 for the control endpoint to avoid the assertion failure in usb_ep_get()
Date: Sun, 4 Jul 2021 15:27:29 -0700	[thread overview]
Message-ID: <CADBGO78TVLf4qaJDhTvkJ61vPdzmAT1BFrCpDurgPOdmFyP1Og@mail.gmail.com> (raw)
In-Reply-To: <CAAKa2jmWU=M8V9Lsjrjs-AV=RP6wVNb7mWBAM+MkT9HTdrwtzA@mail.gmail.com>

On Sat, Jun 26, 2021 at 10:21 PM Qiang Liu <cyruscyliu@gmail.com> wrote:
>
> Hi folks,
>
> I found this bug by my dwc2 fuzzer.
> It seems that
> * https://bugs.launchpad.net/qemu/+bug/1907042
> * https://bugs.launchpad.net/qemu/+bug/1525123
> or
> * https://gitlab.com/qemu-project/qemu/-/issues/119
> * https://gitlab.com/qemu-project/qemu/-/issues/303
> have reported similar issues.
>
> Would it be better to consider and fix them together?
>
> Best,
> Qiang
>
> On Sun, Jun 27, 2021 at 11:28 AM Qiang Liu <cyruscyliu@gmail.com> wrote:
> >
> > When eptype is USB_ENDPOINT_XFER_CONTROL and pid is
> > TSIZ_SC_MC_PID_SETUP, usb_ep_get() should return the control endpoint.
> > In hw/usb/core.c, the assumed epnum of the control endpoint is 0. When
> > epnum is not 0, usb_ep_get() will crash due to the check assert(pid ==
> > USB_TOKEN_IN || pid == USB_TOKEN_OUT).
> >
> > The description
> > http://www.capital-micro.com/PDF/CME-M7_Family_User_Guide_EN.pdf
> > (18.5.3.4 (14), 18.5.3.4 (10)) a) mentions that the pid is maintained by
> > the host, b) but doesn't mention that whether the epnum should be 0 for
> > the control endpoint. However, usb_ep_get() assumes it is 0. To avoid
> > potential assertion failure in usb_ep_get(), we could enforce epnum to 0
> > and warn users.
> >
> > Fixes: 153ef1662c3 ("dwc-hsotg (dwc2) USB host controller emulation")
> > Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
> > ---
> >  hw/usb/hcd-dwc2.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
> > index e1d96ac..65d9d46 100644
> > --- a/hw/usb/hcd-dwc2.c
> > +++ b/hw/usb/hcd-dwc2.c
> > @@ -636,6 +636,11 @@ static void dwc2_enable_chan(DWC2State *s,  uint32_t index)
> >      }
> >
> >      if (eptype == USB_ENDPOINT_XFER_CONTROL && pid == TSIZ_SC_MC_PID_SETUP) {
> > +        if (epnum != 0) {
> > +            qemu_log_mask(LOG_GUEST_ERROR,
> > +                          "epnum should be 0 for the control endpoint\n");
> > +            epnum = 0;
> > +        }
> >          pid = USB_TOKEN_SETUP;
> >      } else {
> >          pid = epdir ? USB_TOKEN_IN : USB_TOKEN_OUT;
> > --
> > 2.7.4
> >

Hi Qiang,

Sorry for the late reply, I've had a busy week.
Yes, I think it would be best to fix this in the core since it affects more
than one host. I'm not sure that forcing the Control endpoint to 0 is
the best solution though, perhaps it would be better to print an error
message and fail the operation? AFAIK there are no real-world devices
that have Control endpoints other than 0, although I believe it is allowed
by the USB spec.

Let's wait and see what Gerd thinks.

- Paul