From d51743a21cb23f7e0c81844f12bba08420a52a29 Mon Sep 17 00:00:00 2001 From: Jerzy Kasenberg Date: Sun, 1 May 2022 14:04:36 +0200 Subject: [PATCH 1/3] Add TU_BREAKPOINT for mips architecture _mips is provided by xc32-gcc --- src/common/tusb_verify.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/common/tusb_verify.h b/src/common/tusb_verify.h index 568bac8cc..a52a6d269 100644 --- a/src/common/tusb_verify.h +++ b/src/common/tusb_verify.h @@ -90,6 +90,9 @@ #elif defined(__riscv) #define TU_BREAKPOINT() do { __asm("ebreak\n"); } while(0) +#elif defined(_mips) + #define TU_BREAKPOINT() do { __asm("sdbbp 0"); } while (0) + #else #define TU_BREAKPOINT() do {} while (0) #endif From c145777e0eb6b9add414504dd8cf4ec7da6cc61a Mon Sep 17 00:00:00 2001 From: Jerzy Kasenberg Date: Sun, 1 May 2022 14:14:42 +0200 Subject: [PATCH 2/3] dcd_pic32: Add asserts transfer sanity check TU_ASSERTS added to detect transfer inconsistency. --- src/portable/microchip/pic32mz/dcd_pic32mz.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/portable/microchip/pic32mz/dcd_pic32mz.c b/src/portable/microchip/pic32mz/dcd_pic32mz.c index 7d48f755b..1683d95b4 100644 --- a/src/portable/microchip/pic32mz/dcd_pic32mz.c +++ b/src/portable/microchip/pic32mz/dcd_pic32mz.c @@ -530,6 +530,7 @@ static void ep0_handle_rx(void) transferred = rx_fifo_read(0, xfer->buffer + xfer->transferred); xfer->transferred += transferred; + TU_ASSERT(xfer->transferred <= xfer->total_len,); if (transferred < xfer->max_packet_size || xfer->transferred == xfer->total_len) { ep0_set_stage(EP0_STAGE_DATA_OUT_COMPLETE); @@ -560,6 +561,7 @@ static void epn_handle_rx_int(uint8_t epnum) transferred = rx_fifo_read(epnum, xfer->buffer + xfer->transferred); USB_REGS->EPCSR[epnum].RXCSRL_HOSTbits.RXPKTRDY = 0; xfer->transferred += transferred; + TU_ASSERT(xfer->transferred <= xfer->total_len,); if (transferred < xfer->max_packet_size || xfer->transferred == xfer->total_len) { xfer_complete(xfer, XFER_RESULT_SUCCESS, true); @@ -579,6 +581,7 @@ static void epn_handle_tx_int(uint8_t epnum) else { xfer->transferred += xfer->last_packet_size; + TU_ASSERT(xfer->transferred <= xfer->total_len,); if (xfer->last_packet_size < xfer->max_packet_size || xfer->transferred == xfer->total_len) { xfer->last_packet_size = 0; From e49cad84e2798ddd4ee49d3684ce7b414d30ccb2 Mon Sep 17 00:00:00 2001 From: Jerzy Kasenberg Date: Sun, 1 May 2022 14:18:53 +0200 Subject: [PATCH 3/3] dcd_pic32: Fix memory overwrite in incoming data When transfer was finished rx_fifo_read() read all that was to read RXPKTRDY was cleared allowing next packet to be received. Then xfer_complete was called. Interrupt for OUT endpoint was left enable, that would not be a problem if data was handled fast and new transfer was scheduled. For MSC when host sends a lot of data this interrupt that was enabled could cause epn_handle_rx_int() to be called after transfer was completed and next was not scheduled yet. Without TU_ASSERT that was added to detect this, incoming data was written past buffer provided by user code resulting in random memory corruption. This just blocks RX interrupt when transfer is finished, and also only unmasked rx interrupts are handled. --- src/portable/microchip/pic32mz/dcd_pic32mz.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/portable/microchip/pic32mz/dcd_pic32mz.c b/src/portable/microchip/pic32mz/dcd_pic32mz.c index 1683d95b4..2103d41fb 100644 --- a/src/portable/microchip/pic32mz/dcd_pic32mz.c +++ b/src/portable/microchip/pic32mz/dcd_pic32mz.c @@ -564,6 +564,7 @@ static void epn_handle_rx_int(uint8_t epnum) TU_ASSERT(xfer->transferred <= xfer->total_len,); if (transferred < xfer->max_packet_size || xfer->transferred == xfer->total_len) { + USB_REGS->INTRRXEbits.w &= ~(1u << epnum); xfer_complete(xfer, XFER_RESULT_SUCCESS, true); } } @@ -692,7 +693,7 @@ void dcd_int_handler(uint8_t rhport) int i; uint8_t mask; __USBCSR2bits_t csr2_bits; - uint16_t rxints = USB_REGS->INTRRX; + uint16_t rxints = USB_REGS->INTRRX & USB_REGS->INTRRXEbits.w; uint16_t txints = USB_REGS->INTRTX; csr2_bits = USBCSR2bits; (void) rhport;