lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YbdWI5PD3e6uFz8U@kroah.com>
Date:   Mon, 13 Dec 2021 15:18:11 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Chunfeng Yun <chunfeng.yun@...iatek.com>
Cc:     Matthias Brugger <matthias.bgg@...il.com>,
        linux-usb@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
        linux-mediatek@...ts.infradead.org, linux-kernel@...r.kernel.org,
        Eddie Hung <eddie.hung@...iatek.com>,
        Yuwen Ng <yuwen.ng@...iatek.com>, stable@...r.kernel.org
Subject: Re: [PATCH 2/3] usb: mtu3: add memory barrier before set GPD's HWO

On Thu, Dec 09, 2021 at 11:14:23AM +0800, Chunfeng Yun wrote:
> There is a seldom issue that the controller access invalid address
> and trigger devapc or emimpu violation. That is due to memory access
> is out of order and cause gpd data is not correct.
> Make sure GPD is fully written before giving it to HW by setting its
> HWO.
> 
> Fixes: 48e0d3735aa5 ("usb: mtu3: supports new QMU format")
> Cc: stable@...r.kernel.org
> Reported-by: Eddie Hung <eddie.hung@...iatek.com>
> Signed-off-by: Chunfeng Yun <chunfeng.yun@...iatek.com>
> ---
>  drivers/usb/mtu3/mtu3_qmu.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/mtu3/mtu3_qmu.c b/drivers/usb/mtu3/mtu3_qmu.c
> index 3f414f91b589..34bb5ac67efe 100644
> --- a/drivers/usb/mtu3/mtu3_qmu.c
> +++ b/drivers/usb/mtu3/mtu3_qmu.c
> @@ -273,6 +273,8 @@ static int mtu3_prepare_tx_gpd(struct mtu3_ep *mep, struct mtu3_request *mreq)
>  			gpd->dw3_info |= cpu_to_le32(GPD_EXT_FLAG_ZLP);
>  	}
>  
> +	/* make sure GPD is fully written before giving it to HW */
> +	mb();

So this means you are using mmio for this structure?  If so, shouldn't
you be using normal io memory read/write calls as well and not just
"raw" pointers like this:

>  	gpd->dw0_info |= cpu_to_le32(GPD_FLAGS_IOC | GPD_FLAGS_HWO);

Are you sure this is ok?

Sprinkling around mb() calls is almost never the correct solution.

If you need to ensure that a write succeeds, shouldn't you do a read
from it afterward?  Many busses require this, doesn't yours?



>  
>  	mreq->gpd = gpd;
> @@ -306,6 +308,8 @@ static int mtu3_prepare_rx_gpd(struct mtu3_ep *mep, struct mtu3_request *mreq)
>  	gpd->next_gpd = cpu_to_le32(lower_32_bits(enq_dma));
>  	ext_addr |= GPD_EXT_NGP(mtu, upper_32_bits(enq_dma));
>  	gpd->dw3_info = cpu_to_le32(ext_addr);
> +	/* make sure GPD is fully written before giving it to HW */
> +	mb();

Again, mb(); does not ensure that memory-mapped i/o actually hits the
HW.  Or if it does on your platform, how?

mb() is a compiler barrier, not a memory write to a bus barrier.  Please
read Documentation/memory-barriers.txt for more details.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ