Re: [PATCH] hw/usb/hcd-dwc2: Enforce epnum to 0 for the control endpoint

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] hw/usb/hcd-dwc2: Enforce epnum to 0 for the control endpoint

From:	Qiang Liu
Subject:	Re: [PATCH] hw/usb/hcd-dwc2: Enforce epnum to 0 for the control endpoint to avoid the assertion failure in usb_ep_get()
Date:	Sun, 27 Jun 2021 13:21:33 +0800

Hi folks,

I found this bug by my dwc2 fuzzer.
It seems that
* https://bugs.launchpad.net/qemu/+bug/1907042
* https://bugs.launchpad.net/qemu/+bug/1525123
or
* https://gitlab.com/qemu-project/qemu/-/issues/119
* https://gitlab.com/qemu-project/qemu/-/issues/303
have reported similar issues.

Would it be better to consider and fix them together?

Best,
Qiang

On Sun, Jun 27, 2021 at 11:28 AM Qiang Liu <cyruscyliu@gmail.com> wrote:
>
> When eptype is USB_ENDPOINT_XFER_CONTROL and pid is
> TSIZ_SC_MC_PID_SETUP, usb_ep_get() should return the control endpoint.
> In hw/usb/core.c, the assumed epnum of the control endpoint is 0. When
> epnum is not 0, usb_ep_get() will crash due to the check assert(pid ==
> USB_TOKEN_IN || pid == USB_TOKEN_OUT).
>
> The description
> http://www.capital-micro.com/PDF/CME-M7_Family_User_Guide_EN.pdf
> (18.5.3.4 (14), 18.5.3.4 (10)) a) mentions that the pid is maintained by
> the host, b) but doesn't mention that whether the epnum should be 0 for
> the control endpoint. However, usb_ep_get() assumes it is 0. To avoid
> potential assertion failure in usb_ep_get(), we could enforce epnum to 0
> and warn users.
>
> Fixes: 153ef1662c3 ("dwc-hsotg (dwc2) USB host controller emulation")
> Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
> ---
>  hw/usb/hcd-dwc2.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
> index e1d96ac..65d9d46 100644
> --- a/hw/usb/hcd-dwc2.c
> +++ b/hw/usb/hcd-dwc2.c
> @@ -636,6 +636,11 @@ static void dwc2_enable_chan(DWC2State *s,  uint32_t 
> index)
>      }
>
>      if (eptype == USB_ENDPOINT_XFER_CONTROL && pid == TSIZ_SC_MC_PID_SETUP) {
> +        if (epnum != 0) {
> +            qemu_log_mask(LOG_GUEST_ERROR,
> +                          "epnum should be 0 for the control endpoint\n");
> +            epnum = 0;
> +        }
>          pid = USB_TOKEN_SETUP;
>      } else {
>          pid = epdir ? USB_TOKEN_IN : USB_TOKEN_OUT;
> --
> 2.7.4
>

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] hw/usb/hcd-dwc2: Enforce epnum to 0 for the control endpoint to avoid the assertion failure in usb_ep_get(), Qiang Liu, 2021/06/26
- Re: [PATCH] hw/usb/hcd-dwc2: Enforce epnum to 0 for the control endpoint to avoid the assertion failure in usb_ep_get(), Qiang Liu <=

Prev by Date: [PATCH] hw/usb/hcd-dwc2: Enforce epnum to 0 for the control endpoint to avoid the assertion failure in usb_ep_get()
Next by Date: [PATCH 1/4] memory: introduce DIRTY_MEMORY_DIRTY_RATE dirty bits
Previous by thread: [PATCH] hw/usb/hcd-dwc2: Enforce epnum to 0 for the control endpoint to avoid the assertion failure in usb_ep_get()
Next by thread: [PATCH 0/4] support dirtyrate measurement with dirty bitmap
Index(es):
- Date
- Thread