* [PATCH RESEND] xhci: Use xhci_get_virt_ep() to validate ep_index
@ 2022-04-28 19:04 Mayank Rana
2022-04-29 9:49 ` Mathias Nyman
0 siblings, 1 reply; 8+ messages in thread
From: Mayank Rana @ 2022-04-28 19:04 UTC (permalink / raw)
To: peter.chen, balbi, mathias.nyman, stern, chunfeng.yun, gregkh
Cc: linux-kernel, linux-usb, Mayank Rana
ring_doorbell_for_active_rings() API is being called from
multiple context. This specific API tries to get virt_dev
based endpoint using passed slot_id and ep_index. Some caller
API is having check against slot_id and ep_index using
xhci_get_virt_ep() API whereas xhci_handle_cmd_config_ep() API
only check ep_index against -1 value but not upper bound i.e.
EP_CTX_PER_DEV. Hence use xhci_get_virt_ep() API to get virt_dev
based endpoint which checks both slot_id and ep_index to get
valid endpoint.
Signed-off-by: Mayank Rana <quic_mrana@quicinc.com>
---
drivers/usb/host/xhci-ring.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index d0b6806..3bab4f3 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -62,6 +62,9 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd,
u32 field1, u32 field2,
u32 field3, u32 field4, bool command_must_succeed);
+static struct xhci_virt_ep *xhci_get_virt_ep(struct xhci_hcd *xhci,
+ unsigned int slot_id, unsigned int ep_index);
+
/*
* Returns zero if the TRB isn't in this segment, otherwise it returns the DMA
* address of the TRB.
@@ -457,7 +460,9 @@ static void ring_doorbell_for_active_rings(struct xhci_hcd *xhci,
unsigned int stream_id;
struct xhci_virt_ep *ep;
- ep = &xhci->devs[slot_id]->eps[ep_index];
+ ep = xhci_get_virt_ep(xhci, slot_id, ep_index);
+ if (!ep)
+ return;
/* A ring has pending URBs if its TD list is not empty */
if (!(ep->ep_state & EP_HAS_STREAMS)) {
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND] xhci: Use xhci_get_virt_ep() to validate ep_index
2022-04-28 19:04 [PATCH RESEND] xhci: Use xhci_get_virt_ep() to validate ep_index Mayank Rana
@ 2022-04-29 9:49 ` Mathias Nyman
2022-04-29 10:02 ` Greg KH
2022-04-29 10:13 ` Mathias Nyman
0 siblings, 2 replies; 8+ messages in thread
From: Mathias Nyman @ 2022-04-29 9:49 UTC (permalink / raw)
To: Mayank Rana, peter.chen, balbi, stern, chunfeng.yun, gregkh
Cc: linux-kernel, linux-usb
On 28.4.2022 22.04, Mayank Rana wrote:
> ring_doorbell_for_active_rings() API is being called from
> multiple context. This specific API tries to get virt_dev
> based endpoint using passed slot_id and ep_index. Some caller
> API is having check against slot_id and ep_index using
> xhci_get_virt_ep() API whereas xhci_handle_cmd_config_ep() API
> only check ep_index against -1 value but not upper bound i.e.
> EP_CTX_PER_DEV. Hence use xhci_get_virt_ep() API to get virt_dev
> based endpoint which checks both slot_id and ep_index to get
> valid endpoint.
ep_index upper bound is known to be in range as EP_CTX_PER_DEV is 31,
and ep_index = fls(u32 value) - 1 - 1;
We can change to use xhci_get_virt_ep(), but this would be more useful
earlier in xhci_handle_cmd_config_ep() where we touch the ep before
calling ring_doorbell_for_active_rings()
Also note that this codepath is only used for some prototype
xHC controller that probably never made it to the market about 10 years ago.
Thanks
Mathias
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND] xhci: Use xhci_get_virt_ep() to validate ep_index
2022-04-29 9:49 ` Mathias Nyman
@ 2022-04-29 10:02 ` Greg KH
2022-04-29 10:23 ` Mathias Nyman
2022-04-29 10:13 ` Mathias Nyman
1 sibling, 1 reply; 8+ messages in thread
From: Greg KH @ 2022-04-29 10:02 UTC (permalink / raw)
To: Mathias Nyman
Cc: Mayank Rana, peter.chen, balbi, stern, chunfeng.yun,
linux-kernel, linux-usb
On Fri, Apr 29, 2022 at 12:49:59PM +0300, Mathias Nyman wrote:
> On 28.4.2022 22.04, Mayank Rana wrote:
> > ring_doorbell_for_active_rings() API is being called from
> > multiple context. This specific API tries to get virt_dev
> > based endpoint using passed slot_id and ep_index. Some caller
> > API is having check against slot_id and ep_index using
> > xhci_get_virt_ep() API whereas xhci_handle_cmd_config_ep() API
> > only check ep_index against -1 value but not upper bound i.e.
> > EP_CTX_PER_DEV. Hence use xhci_get_virt_ep() API to get virt_dev
> > based endpoint which checks both slot_id and ep_index to get
> > valid endpoint.
>
> ep_index upper bound is known to be in range as EP_CTX_PER_DEV is 31,
> and ep_index = fls(u32 value) - 1 - 1;
>
> We can change to use xhci_get_virt_ep(), but this would be more useful
> earlier in xhci_handle_cmd_config_ep() where we touch the ep before
> calling ring_doorbell_for_active_rings()
>
> Also note that this codepath is only used for some prototype
> xHC controller that probably never made it to the market about 10 years ago.
Can we just delete the codepath entirely then?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND] xhci: Use xhci_get_virt_ep() to validate ep_index
2022-04-29 9:49 ` Mathias Nyman
2022-04-29 10:02 ` Greg KH
@ 2022-04-29 10:13 ` Mathias Nyman
2022-04-29 19:01 ` Mayank Rana
1 sibling, 1 reply; 8+ messages in thread
From: Mathias Nyman @ 2022-04-29 10:13 UTC (permalink / raw)
To: Mayank Rana, peter.chen, balbi, stern, chunfeng.yun, gregkh
Cc: linux-kernel, linux-usb
On 29.4.2022 12.49, Mathias Nyman wrote:
> On 28.4.2022 22.04, Mayank Rana wrote:
>> ring_doorbell_for_active_rings() API is being called from
>> multiple context. This specific API tries to get virt_dev
>> based endpoint using passed slot_id and ep_index. Some caller
>> API is having check against slot_id and ep_index using
>> xhci_get_virt_ep() API whereas xhci_handle_cmd_config_ep() API
>> only check ep_index against -1 value but not upper bound i.e.
>> EP_CTX_PER_DEV. Hence use xhci_get_virt_ep() API to get virt_dev
>> based endpoint which checks both slot_id and ep_index to get
>> valid endpoint.
>
> ep_index upper bound is known to be in range as EP_CTX_PER_DEV is 31,
> and ep_index = fls(u32 value) - 1 - 1;
>
> We can change to use xhci_get_virt_ep(), but this would be more useful
> earlier in xhci_handle_cmd_config_ep() where we touch the ep before
> calling ring_doorbell_for_active_rings()
>
After a second look I would appreciate if you could clean up
ep_index checking in xhci_handle_cmd_config_ep()
It currenty does some horrible typecasting.
ep_index is an unsigned int, so the fls() -1 operation might wrap it around.
Checking this was solved by typecasting a -1 to an unsigned int.
if (ep_index != (unsigned int) -1)
Thanks
Mathias
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND] xhci: Use xhci_get_virt_ep() to validate ep_index
2022-04-29 10:02 ` Greg KH
@ 2022-04-29 10:23 ` Mathias Nyman
2022-04-29 10:36 ` Greg KH
0 siblings, 1 reply; 8+ messages in thread
From: Mathias Nyman @ 2022-04-29 10:23 UTC (permalink / raw)
To: Greg KH
Cc: Mayank Rana, peter.chen, balbi, stern, chunfeng.yun,
linux-kernel, linux-usb
On 29.4.2022 13.02, Greg KH wrote:
> On Fri, Apr 29, 2022 at 12:49:59PM +0300, Mathias Nyman wrote:
>> On 28.4.2022 22.04, Mayank Rana wrote:
>>> ring_doorbell_for_active_rings() API is being called from
>>> multiple context. This specific API tries to get virt_dev
>>> based endpoint using passed slot_id and ep_index. Some caller
>>> API is having check against slot_id and ep_index using
>>> xhci_get_virt_ep() API whereas xhci_handle_cmd_config_ep() API
>>> only check ep_index against -1 value but not upper bound i.e.
>>> EP_CTX_PER_DEV. Hence use xhci_get_virt_ep() API to get virt_dev
>>> based endpoint which checks both slot_id and ep_index to get
>>> valid endpoint.
>>
>> ep_index upper bound is known to be in range as EP_CTX_PER_DEV is 31,
>> and ep_index = fls(u32 value) - 1 - 1;
>>
>> We can change to use xhci_get_virt_ep(), but this would be more useful
>> earlier in xhci_handle_cmd_config_ep() where we touch the ep before
>> calling ring_doorbell_for_active_rings()
>>
>> Also note that this codepath is only used for some prototype
>> xHC controller that probably never made it to the market about 10 years ago.
>
> Can we just delete the codepath entirely then?
Probably.
Commit ac9d8fe7c6a8 USB: xhci: Add quirk for Fresco Logic xHCI hardware.
that added this states:
"This patch is for prototype hardware that will be given to other companies
for evaluation purposes only, and should not reach consumer hands. Fresco
Logic's next chip rev should have this bug fixed."
Should we print some warning instead if this controller is used?
just in case.
Thanks
Mathias
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND] xhci: Use xhci_get_virt_ep() to validate ep_index
2022-04-29 10:23 ` Mathias Nyman
@ 2022-04-29 10:36 ` Greg KH
0 siblings, 0 replies; 8+ messages in thread
From: Greg KH @ 2022-04-29 10:36 UTC (permalink / raw)
To: Mathias Nyman
Cc: Mayank Rana, peter.chen, balbi, stern, chunfeng.yun,
linux-kernel, linux-usb
On Fri, Apr 29, 2022 at 01:23:50PM +0300, Mathias Nyman wrote:
> On 29.4.2022 13.02, Greg KH wrote:
> > On Fri, Apr 29, 2022 at 12:49:59PM +0300, Mathias Nyman wrote:
> >> On 28.4.2022 22.04, Mayank Rana wrote:
> >>> ring_doorbell_for_active_rings() API is being called from
> >>> multiple context. This specific API tries to get virt_dev
> >>> based endpoint using passed slot_id and ep_index. Some caller
> >>> API is having check against slot_id and ep_index using
> >>> xhci_get_virt_ep() API whereas xhci_handle_cmd_config_ep() API
> >>> only check ep_index against -1 value but not upper bound i.e.
> >>> EP_CTX_PER_DEV. Hence use xhci_get_virt_ep() API to get virt_dev
> >>> based endpoint which checks both slot_id and ep_index to get
> >>> valid endpoint.
> >>
> >> ep_index upper bound is known to be in range as EP_CTX_PER_DEV is 31,
> >> and ep_index = fls(u32 value) - 1 - 1;
> >>
> >> We can change to use xhci_get_virt_ep(), but this would be more useful
> >> earlier in xhci_handle_cmd_config_ep() where we touch the ep before
> >> calling ring_doorbell_for_active_rings()
> >>
> >> Also note that this codepath is only used for some prototype
> >> xHC controller that probably never made it to the market about 10 years ago.
> >
> > Can we just delete the codepath entirely then?
>
> Probably.
> Commit ac9d8fe7c6a8 USB: xhci: Add quirk for Fresco Logic xHCI hardware.
> that added this states:
>
> "This patch is for prototype hardware that will be given to other companies
> for evaluation purposes only, and should not reach consumer hands. Fresco
> Logic's next chip rev should have this bug fixed."
>
> Should we print some warning instead if this controller is used?
> just in case.
Would be a good idea, see if that hardware did actually get out into the
wild.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND] xhci: Use xhci_get_virt_ep() to validate ep_index
2022-04-29 10:13 ` Mathias Nyman
@ 2022-04-29 19:01 ` Mayank Rana
2022-05-06 13:58 ` Mathias Nyman
0 siblings, 1 reply; 8+ messages in thread
From: Mayank Rana @ 2022-04-29 19:01 UTC (permalink / raw)
To: Mathias Nyman, peter.chen, balbi, stern, chunfeng.yun, gregkh
Cc: linux-kernel, linux-usb
On 4/29/2022 3:13 AM, Mathias Nyman wrote:
> On 29.4.2022 12.49, Mathias Nyman wrote:
>> On 28.4.2022 22.04, Mayank Rana wrote:
>>> ring_doorbell_for_active_rings() API is being called from
>>> multiple context. This specific API tries to get virt_dev
>>> based endpoint using passed slot_id and ep_index. Some caller
>>> API is having check against slot_id and ep_index using
>>> xhci_get_virt_ep() API whereas xhci_handle_cmd_config_ep() API
>>> only check ep_index against -1 value but not upper bound i.e.
>>> EP_CTX_PER_DEV. Hence use xhci_get_virt_ep() API to get virt_dev
>>> based endpoint which checks both slot_id and ep_index to get
>>> valid endpoint.
>> ep_index upper bound is known to be in range as EP_CTX_PER_DEV is 31,
>> and ep_index = fls(u32 value) - 1 - 1;
>>
>> We can change to use xhci_get_virt_ep(), but this would be more useful
>> earlier in xhci_handle_cmd_config_ep() where we touch the ep before
>> calling ring_doorbell_for_active_rings()
>>
> After a second look I would appreciate if you could clean up
> ep_index checking in xhci_handle_cmd_config_ep()
>
> It currenty does some horrible typecasting.
> ep_index is an unsigned int, so the fls() -1 operation might wrap it around.
> Checking this was solved by typecasting a -1 to an unsigned int.
>
> if (ep_index != (unsigned int) -1)
>
> Thanks
> Mathias
Thanks Mathias for review and suggestion here.
let me try to clean up xhci_handle_cmd_config_ep() API based ep_index
usage.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND] xhci: Use xhci_get_virt_ep() to validate ep_index
2022-04-29 19:01 ` Mayank Rana
@ 2022-05-06 13:58 ` Mathias Nyman
0 siblings, 0 replies; 8+ messages in thread
From: Mathias Nyman @ 2022-05-06 13:58 UTC (permalink / raw)
To: Mayank Rana, peter.chen, balbi, stern, chunfeng.yun, gregkh
Cc: linux-kernel, linux-usb
On 29.4.2022 22.01, Mayank Rana wrote:
> On 4/29/2022 3:13 AM, Mathias Nyman wrote:
>> On 29.4.2022 12.49, Mathias Nyman wrote:
>>> On 28.4.2022 22.04, Mayank Rana wrote:
>>>> ring_doorbell_for_active_rings() API is being called from
>>>> multiple context. This specific API tries to get virt_dev
>>>> based endpoint using passed slot_id and ep_index. Some caller
>>>> API is having check against slot_id and ep_index using
>>>> xhci_get_virt_ep() API whereas xhci_handle_cmd_config_ep() API
>>>> only check ep_index against -1 value but not upper bound i.e.
>>>> EP_CTX_PER_DEV. Hence use xhci_get_virt_ep() API to get virt_dev
>>>> based endpoint which checks both slot_id and ep_index to get
>>>> valid endpoint.
>>> ep_index upper bound is known to be in range as EP_CTX_PER_DEV is 31,
>>> and ep_index = fls(u32 value) - 1 - 1;
>>>
>>> We can change to use xhci_get_virt_ep(), but this would be more useful
>>> earlier in xhci_handle_cmd_config_ep() where we touch the ep before
>>> calling ring_doorbell_for_active_rings()
>>>
>> After a second look I would appreciate if you could clean up
>> ep_index checking in xhci_handle_cmd_config_ep()
>>
>> It currenty does some horrible typecasting.
>> ep_index is an unsigned int, so the fls() -1 operation might wrap it around.
>> Checking this was solved by typecasting a -1 to an unsigned int.
>>
>> if (ep_index != (unsigned int) -1)
>>
>> Thanks
>> Mathias
>
> Thanks Mathias for review and suggestion here.
> let me try to clean up xhci_handle_cmd_config_ep() API based ep_index usage.
>
Please don't spend too much time on this,
I'm going to remove this code as Greg suggested.
Should have replied earlier, sorry about the delay
Thanks
-Mathias
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2022-05-06 13:56 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-28 19:04 [PATCH RESEND] xhci: Use xhci_get_virt_ep() to validate ep_index Mayank Rana
2022-04-29 9:49 ` Mathias Nyman
2022-04-29 10:02 ` Greg KH
2022-04-29 10:23 ` Mathias Nyman
2022-04-29 10:36 ` Greg KH
2022-04-29 10:13 ` Mathias Nyman
2022-04-29 19:01 ` Mayank Rana
2022-05-06 13:58 ` Mathias Nyman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).