| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID:
<PH7PR07MB953862997AC245FB4ADEE60FDD79A@PH7PR07MB9538.namprd07.prod.outlook.com>
Date: Mon, 23 Jun 2025 05:51:08 +0000
From: Pawel Laszczak <pawell@...ence.com>
To: "Peter Chen (CIX)" <peter.chen@...nel.org>
CC: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH v3] usb: cdnsp: Fix issue with CV Bad Descriptor test
>On 25-06-20 08:23:12, Pawel Laszczak wrote:
>> The SSP2 controller has extra endpoint state preserve bit (ESP) which
>> setting causes that endpoint state will be preserved during Halt
>> Endpoint command. It is used only for EP0.
>> Without this bit the Command Verifier "TD 9.10 Bad Descriptor Test"
>> failed.
>> Setting this bit doesn't have any impact for SSP controller.
>>
>> Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence
>> USBSSP DRD Driver")
>> cc: stable@...r.kernel.org
>> Signed-off-by: Pawel Laszczak <pawell@...ence.com>
>> ---
>> Changelog:
>> v3:
>> - removed else {}
>>
>> v2:
>> - removed some typos
>> - added pep variable initialization
>> - updated TRB_ESP description
>>
>> drivers/usb/cdns3/cdnsp-debug.h | 5 +++--
>> drivers/usb/cdns3/cdnsp-ep0.c | 18 +++++++++++++++---
>> drivers/usb/cdns3/cdnsp-gadget.h | 6 ++++++
>> drivers/usb/cdns3/cdnsp-ring.c | 3 ++-
>> 4 files changed, 26 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/usb/cdns3/cdnsp-debug.h
>> b/drivers/usb/cdns3/cdnsp-debug.h index cd138acdcce1..86860686d836
>> 100644
>> --- a/drivers/usb/cdns3/cdnsp-debug.h
>> +++ b/drivers/usb/cdns3/cdnsp-debug.h
>> @@ -327,12 +327,13 @@ static inline const char *cdnsp_decode_trb(char
>*str, size_t size, u32 field0,
>> case TRB_RESET_EP:
>> case TRB_HALT_ENDPOINT:
>> ret = scnprintf(str, size,
>> - "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags
>%c",
>> + "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags
>%c %c",
>> cdnsp_trb_type_string(type),
>> ep_num, ep_id % 2 ? "out" : "in",
>> TRB_TO_EP_INDEX(field3), field1, field0,
>> TRB_TO_SLOT_ID(field3),
>> - field3 & TRB_CYCLE ? 'C' : 'c');
>> + field3 & TRB_CYCLE ? 'C' : 'c',
>> + field3 & TRB_ESP ? 'P' : 'p');
>> break;
>> case TRB_STOP_RING:
>> ret = scnprintf(str, size,
>> diff --git a/drivers/usb/cdns3/cdnsp-ep0.c
>> b/drivers/usb/cdns3/cdnsp-ep0.c index f317d3c84781..5cd9b898ce97
>> 100644
>> --- a/drivers/usb/cdns3/cdnsp-ep0.c
>> +++ b/drivers/usb/cdns3/cdnsp-ep0.c
>> @@ -414,6 +414,7 @@ static int cdnsp_ep0_std_request(struct
>> cdnsp_device *pdev, void cdnsp_setup_analyze(struct cdnsp_device
>> *pdev) {
>> struct usb_ctrlrequest *ctrl = &pdev->setup;
>> + struct cdnsp_ep *pep;
>> int ret = -EINVAL;
>> u16 len;
>>
>> @@ -427,10 +428,21 @@ void cdnsp_setup_analyze(struct cdnsp_device
>*pdev)
>> goto out;
>> }
>>
>> + pep = &pdev->eps[0];
>> +
>> /* Restore the ep0 to Stopped/Running state. */
>> - if (pdev->eps[0].ep_state & EP_HALTED) {
>> - trace_cdnsp_ep0_halted("Restore to normal state");
>> - cdnsp_halt_endpoint(pdev, &pdev->eps[0], 0);
>> + if (pep->ep_state & EP_HALTED) {
>> + if (GET_EP_CTX_STATE(pep->out_ctx) == EP_STATE_HALTED)
>> + cdnsp_halt_endpoint(pdev, pep, 0);
>> +
>> + /*
>> + * Halt Endpoint Command for SSP2 for ep0 preserve current
>> + * endpoint state and driver has to synchronize the
>> + * software endpoint state with endpoint output context
>> + * state.
>> + */
>> + pep->ep_state &= ~EP_HALTED;
>> + pep->ep_state |= EP_STOPPED;
>
>You do not reset endpoint by calling clear_halt, could we change ep_state
>directly?
It's only "software" endpoint state and this code is related only with ep0.
For SSP2 the state in pep->out_ctx - "hardware" endpoint state in this
place will be in EP_STATE_STOPPED but "software" pep->ep_state
will be EP_HALTED.
Driver only synchronizes pep->ep_state with this included in pep->out_ctx.
For SSP the state in pep->out_ctx - "hardware" endpoint state in this please
will be in EP_STATE_HALTED, and "software" pep->ep_state will be
EP_HALTED. For SSP driver will call cdnsp_halt_endpoint in which
it changes the "hardware" and "software" endpoint state
to EP_STOPPED/EP_STATE_STOPPED.
So for SSP the extra code:
pep->ep_state &= ~EP_HALTED;
pep->ep_state |= EP_STOPPED;
will not change anything
Pawel
>
>Peter
>> }
>>
>> /*
>> diff --git a/drivers/usb/cdns3/cdnsp-gadget.h
>> b/drivers/usb/cdns3/cdnsp-gadget.h
>> index 2afa3e558f85..a91cca509db0 100644
>> --- a/drivers/usb/cdns3/cdnsp-gadget.h
>> +++ b/drivers/usb/cdns3/cdnsp-gadget.h
>> @@ -987,6 +987,12 @@ enum cdnsp_setup_dev {
>> #define STREAM_ID_FOR_TRB(p) ((((p)) << 16) & GENMASK(31,
>16))
>> #define SCT_FOR_TRB(p) (((p) << 1) & 0x7)
>>
>> +/*
>> + * Halt Endpoint Command TRB field.
>> + * The ESP bit only exists in the SSP2 controller.
>> + */
>> +#define TRB_ESP BIT(9)
>> +
>> /* Link TRB specific fields. */
>> #define TRB_TC BIT(1)
>>
>> diff --git a/drivers/usb/cdns3/cdnsp-ring.c
>> b/drivers/usb/cdns3/cdnsp-ring.c index fd06cb85c4ea..d397d28efc6e
>> 100644
>> --- a/drivers/usb/cdns3/cdnsp-ring.c
>> +++ b/drivers/usb/cdns3/cdnsp-ring.c
>> @@ -2483,7 +2483,8 @@ void cdnsp_queue_halt_endpoint(struct
>> cdnsp_device *pdev, unsigned int ep_index) {
>> cdnsp_queue_command(pdev, 0, 0, 0, TRB_TYPE(TRB_HALT_ENDPOINT)
>|
>> SLOT_ID_FOR_TRB(pdev->slot_id) |
>> - EP_ID_FOR_TRB(ep_index));
>> + EP_ID_FOR_TRB(ep_index) |
>> + (!ep_index ? TRB_ESP : 0));
>> }
>>
>> void cdnsp_force_header_wakeup(struct cdnsp_device *pdev, int
>> intf_num)
>> --
>> 2.43.0
>>
>
>--
>
>Best regards,
>Peter
Powered by blists - more mailing lists