From: Mathias Nyman <mathias.nyman@linux.intel.com>
To: Umang Jain <uajain@igalia.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Lucas De Marchi <demarchi@kernel.org>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-dev@igalia.com
Subject: Re: [RFC PATCH v1 2/3] early: usb: xhci-dbc: Handle out of bounds xhci-xdbc capability
Date: Fri, 5 Jun 2026 21:16:06 +0300 [thread overview]
Message-ID: <8d88e66a-c5bb-4f6c-b1a0-3f3b00a84540@linux.intel.com> (raw)
In-Reply-To: <20260604144122.962236-3-uajain@igalia.com>
Hi
On 6/4/26 17:41, Umang Jain wrote:
> Currently, the early xhci-dbc assumes that the extended capability
> can be mapped within the fixed boot time mappings dictated by
> NR_FIX_BTMAPS.
>
> This patch iterates over the PCI BAR address size to find and map
> xhci-xdbc capability which could be out-of-bounds otherwise,
> in xdbc_map_pci_mmio(). The iterations map the maximum allowed
> boot time mappings (fixmap size) at a time and search for xhci-xdbc
> capability offset, till the end of the bar address size.
>
Patch 1/3 can probably be merged into this one.
> Signed-off-by: Umang Jain <uajain@igalia.com>
> ---
> drivers/usb/early/xhci-dbc.c | 47 +++++++++++++++++++++++++++++++++---
> 1 file changed, 44 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c
> index 8ce362a90910..1f6a129d4b5d 100644
> --- a/drivers/usb/early/xhci-dbc.c
> +++ b/drivers/usb/early/xhci-dbc.c
> @@ -35,10 +35,13 @@ static bool early_console_keep;
> static inline void xdbc_trace(const char *fmt, ...) { }
> #endif /* XDBC_TRACE */
>
> +#define XDBC_MAPPING_SIZE 56
> +
I know spec says 56 bytes, but when looking at the Debug capability structure
in xhci section 7.6.8. it looks like 64 bytes.
> static void __iomem * __init xdbc_map_pci_mmio(u32 bus, u32 dev, u32 func)
> {
> - u64 val64, sz64, mask64;
> + u64 val64, sz64, mask64, fixmap_size, mapped_size;
> void __iomem *base;
> + int offset;
> u32 val, sz;
> u8 byte;
>
> @@ -85,8 +88,46 @@ static void __iomem * __init xdbc_map_pci_mmio(u32 bus, u32 dev, u32 func)
>
> xdbc.xhci_start = val64;
> xdbc.xhci_length = sz64;
> - base = early_ioremap(val64, sz64);
> - xdbc.xhci_base_length = sz64;
> +
> + fixmap_size = NR_FIX_BTMAPS << PAGE_SHIFT;
> + if (sz64 < fixmap_size) {
> + xdbc.xhci_base_length = sz64;
> + return early_ioremap(val64, sz64);
> + }
> +
> + /*
> + * Base address size is greater than fixed size boot mappings,
> + * hence iterate over the region one fixmap_size at a time.
> + */
> + base = early_ioremap(val64, fixmap_size);
> + offset = xhci_find_next_ext_cap(base, 0, 0);
> + mapped_size = fixmap_size;
> +
> + while (mapped_size <= sz64) {
> + val = readl(base + offset);
> + if (XHCI_EXT_CAPS_ID(val) == XHCI_EXT_CAPS_DEBUG) {
> + if (offset + XDBC_MAPPING_SIZE > fixmap_size) {
> + early_iounmap(base, fixmap_size);
> + base = early_ioremap(val64 + offset, XDBC_MAPPING_SIZE);
Took a closer look and it turns out we do sometimes need to touch registers in other
extended capabilities. Mainly BIOS handoff in XHCI_EXT_CAPS_LEGACY and port reset in
XHCI_EXT_CAPS_PROTOCOL
In the case where xHC size is larger than early_ioremap() allows I would just
early_ioremap() maximum allowed size once, starting from xdbc.xhci_start.
Then walk the extended capabilities list ensuring DbC and the other needed capabilities
are inside this maximum allowed size.
early_iounmap() and fail if not.
This way we can also access the normal xHC host registers in case we need to reset the
controller, or ensure the 'controller not ready' bit is clear.
Thanks
Mathias
next prev parent reply other threads:[~2026-06-05 18:16 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-04 14:41 [RFC PATCH v1 0/3] usb: early: xhci-dbc: Handle out-of-bound Umang Jain
2026-06-04 14:41 ` [RFC PATCH v1 1/3] usb: early: xhci-dbc: Track early_ioremap size separately Umang Jain
2026-06-04 14:41 ` [RFC PATCH v1 2/3] early: usb: xhci-dbc: Handle out of bounds xhci-xdbc capability Umang Jain
2026-06-05 18:16 ` Mathias Nyman [this message]
2026-06-04 14:41 ` [RFC PATCH v1 3/3] WIP: early: xhci-xdbc: Map lower and with 0 offset to partially work Umang Jain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8d88e66a-c5bb-4f6c-b1a0-3f3b00a84540@linux.intel.com \
--to=mathias.nyman@linux.intel.com \
--cc=demarchi@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=kernel-dev@igalia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=uajain@igalia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox