[U-Boot] [PATCH v2] usb_storage: fix ehci driver max transfer size

Tue Jul 10 09:22:24 CEST 2012

Dear Stefan Herbrechtsmeier,

> Am 10.07.2012 04:12, schrieb Marek Vasut:
> >> The commit 5dd95cf93dfffa1d19a1928990852aac9f55b9d9 'usb_storage:
> >> Fix EHCI "out of buffer pointers" with CD-ROM' introduce a bug in
> >> usb_storage as it wrongly assumes that every transfer can use
> >> 4096 bytes per qt_buffer. This is wrong if the start address of
> >> the data is not page aligned to 4096 bytes and leads to 'EHCI
> >> timed out on TD' messages because of 'out of buffer pointers'
> >> in ehci_td_buffer function.
> > 
> > Yes, this can be simply confirmed even with USB stick by loading to
> > unaligned address. It'll make the buffers overflow too.
> > 
> >> The bug appears during load of a fragmented file and
> >> read from or write to an unaligned memory address.
> >> 
> >> Cc: Marek Vasut <marex at denx.de>
> >> Signed-off-by: Stefan Herbrechtsmeier <stefan at herbrechtsmeier.net>
> >> 
> >> ---
> >> 
> >> Changes for v2:
> >>   - Replace fixed worst case calculation with dynamic
> >>   
> >>     computation based on start address of transfer
> >>   
> >>   common/usb_storage.c |   37 ++++++++++++++++++++-----------------
> >>   1 file changed, 20 insertions(+), 17 deletions(-)
> >> 
> >> diff --git a/common/usb_storage.c b/common/usb_storage.c
> >> index faad237..bdc306f 100644
> >> --- a/common/usb_storage.c
> >> +++ b/common/usb_storage.c
> >> @@ -150,12 +150,17 @@ struct us_data {
> >> 
> >>   	unsigned int	irqpipe;	 	/* pipe for release_irq */
> >>   	unsigned char	irqmaxp;		/* max packed for irq Pipe */
> >>   	unsigned char	irqinterval;		/* Intervall for IRQ Pipe */
> >> 
> >> -	unsigned long	max_xfer_blk;		/* Max blocks per xfer */
> >> 
> >>   	ccb		*srb;			/* current srb */
> >>   	trans_reset	transport_reset;	/* reset routine */
> >>   	trans_cmnd	transport;		/* transport routine */
> >>   
> >>   };
> >> 
> >> +/*
> >> + * The U-Boot EHCI driver cannot handle more than 5 page aligned
> >> buffers + * of 4096 bytes in a transfer without running itself out of
> >> qt_buffers + */
> >> +#define USB_MAX_XFER_BLK(start, blksz)	(((4096 * 5) - (start % 4096)) /
> >> blksz) +
> > 
> > Can't something in include/common.h around line 900 can't be used?
> 
> If you mean the round functions I don't need them, as I need the
> leftover of 4096 and I need to divide round down the count.
> 
> > btw put braces around (start) in the macro and around (blksz) .
> 
> I will send a v3 tonight.

Ok then, I think this is just perfect than and it should definitelly hit this 
release :-)

Thank you very much, sorry for pestering you too much and adding delays. Shame 
on my maintaining skills.

> Regards,
>      Stefan

Best regards,
Marek Vasut