| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Mar 2015 15:04:50 +0800 From: "Lu, Baolu" <baolu.lu@...ux.intel.com> To: Alan Stern <stern@...land.harvard.edu>, Mathias Nyman <mathias.nyman@...ux.intel.com> CC: Jörg Otte <jrg.otte@...il.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, USB list <linux-usb@...r.kernel.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Mauro Carvalho Chehab <mchehab@....samsung.com> Subject: Re: [V4.0.0-rc3] Xhci Regression: ERROR Transfer event TRB DMA ptr not part of current TD On 03/11/2015 02:49 AM, Alan Stern wrote: > On Tue, 10 Mar 2015, Mathias Nyman wrote: > >>> Mathias: >>> >>> Your patch description says this: >>> >>>> The endpoint might already processesed some TRBs on the endpiont ring >>>> before we soft reset the endpoint. >>>> Make sure we set the dequeue pointer to where we were befere soft reset >>> However, if a driver tries to issue an endpoint reset while there are >>> still some URBs queued, it is a bug. Host controller drivers shouldn't >>> have to worry about this -- xhci_endpoint_reset() should simply return >>> an error if the endpoint ring isn't empty. >>> >>> I suppose we should check for this in the USB core. I'll write a patch >>> and CC: you. >>> >>> Alan Stern >>> >> It's possible that there's something in usb core as well, >> but I think the following was what happened: >> >> 1. First a normal configure endpoint command is issued, it sets endpoint dequeue pointer >> to xxx400 = start of ring segment >> 2. two urbs get queued -> two TDs put on endpoint ring. >> 3. xhci executes those, ring is in running (idle) state. sw dequeue at xxx430, No TDs queued. >> Endpoint dequeue pointer is not written to the endpoint output context as the ring is still >> in running state (even if idle, not advancing with no TDs queued) it still shows xxx400 >> 4. -> something happends, xhci_endpoint_reset() is called, we do a new configure endpoint >> to 'soft reset' the endpiont, but we copy the dequeue pointer from the old endpoint >> output context to the configure endpoint input context, which re-initializes the old >> dequeue xxx400 pointer to xhci hardware, and it starts executing the old TDs from the ring. Is it possible to return an error message up to client driver? The client driver then decides how to handle this kind of error. It, possibly, unlink all ongoing transfers and ask host driver to soft reset this endpoint. When xhci_endpoint_reset is called, there should be no ongoing transfers. Thanks, Baolu > Obviously that's bad. > > But don't you have to stop the endpoint ring in order to configure it? > When you stop the ring, doesn't the controller store the correct > current value of the dequeue pointer somewhere? > >> 5. xhci driver notices that we get events for old TRBs that do not belong to the TD the driver >> thinks we should be handling > Alan Stern > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists