| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210826230658.GB4335@Peter>
Date: Fri, 27 Aug 2021 07:07:58 +0800
From: Peter Chen <peter.chen@...nel.org>
To: Jeaho Hwang <jhhwang@...t.co.kr>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
Linux team <team-linux@...t.co.kr>,
변무광(Byeon Moo Kwang)/자동화연)Automation Platform연구팀
<mkbyeon@...lectric.co.kr>,
최기홍(Choi Ki Hong)/자동화연)Automation Platform연구팀
<khchoib@...lectric.co.kr>
Subject: Re: [PATCH v2] usb: chipidea: add loop timeout for hw_ep_set_halt()
On 21-08-24 17:31:44, Jeaho Hwang wrote:
> 2021년 8월 17일 (화) 오후 3:44, Jeaho Hwang <jhhwang@...t.co.kr>님이 작성:
> >
> > If ctrl EP priming is failed (very rare case in standard linux),
> > hw_ep_set_halt goes infinite loop. waiting 100 times was enough
> > for zynq7000.
> >
>
> Hi Peter.
> I found from zynq7000 TRM that the hardware clears Stall bit if a
> setup packet is received on a control endpoint.
> I think hw_ep_set_halt goes infinite loop since:
>
> 1. hw_ep_prime for control EP which is called from
> isr_tr_complete_handler -> isr_setup_status_phase is failed due to a
> setup packet received.
How do you know that? Do you observe the new setup packet on the bus
before the current status stage? Usually, the host doesn't begin new setup
transfer before current setup transfer has finished.
Peter
> 2. in isr_tr_complete_handler it tries to call _ep_set_halt if either
> isr_tr_complete_low or isr_setup_status_phase returns error.
> 3. Since the control EP got a setup packet, HW resets TXS bit just as
> the driver sets inside hw_ep_set_halt so it goes infinite loop.
>
> Does it make sense? If it is right, we shouldn't call _ep_set_halt if
> the err is -EAGAIN, which could be returned ONLY due to the setup
> packet issue described above.
> And the loop timeout is not required anymore.
>
> Can I ask your opinion on this, Peter and USB experts?
>
> Thanks.
>
> > Signed-off-by: Jeaho Hwang <jhhwang@...t.co.kr>
> >
> > diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
> > index 8834ca613721..d73fadb18f32 100644
> > --- a/drivers/usb/chipidea/udc.c
> > +++ b/drivers/usb/chipidea/udc.c
> > @@ -209,6 +209,9 @@ static int hw_ep_prime(struct ci_hdrc *ci, int num, int dir, int is_ctrl)
> > return 0;
> > }
> >
> > +/* enough for zynq7000 evaluation board */
> > +#define HW_EP_SET_HALT_COUNT_MAX 100
> > +
> > /**
> > * hw_ep_set_halt: configures ep halt & resets data toggle after clear (execute
> > * without interruption)
> > @@ -221,6 +224,7 @@ static int hw_ep_prime(struct ci_hdrc *ci, int num, int dir, int is_ctrl)
> > */
> > static int hw_ep_set_halt(struct ci_hdrc *ci, int num, int dir, int value)
> > {
> > + int count = HW_EP_SET_HALT_COUNT_MAX;
> > if (value != 0 && value != 1)
> > return -EINVAL;
> >
> > @@ -232,9 +236,9 @@ static int hw_ep_set_halt(struct ci_hdrc *ci, int num, int dir, int value)
> > /* data toggle - reserved for EP0 but it's in ESS */
> > hw_write(ci, reg, mask_xs|mask_xr,
> > value ? mask_xs : mask_xr);
> > - } while (value != hw_ep_get_halt(ci, num, dir));
> > + } while (value != hw_ep_get_halt(ci, num, dir) && --count > 0);
> >
> > - return 0;
> > + return count ? 0 : -EAGAIN;
> > }
> >
> > /**
> > --
> > 2.25.1
> >
--
Thanks,
Peter Chen
Powered by blists - more mailing lists