| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Dec 2021 16:32:26 +0800
From: Chunfeng Yun <chunfeng.yun@...iatek.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
CC: Matthias Brugger <matthias.bgg@...il.com>,
<linux-usb@...r.kernel.org>,
<linux-arm-kernel@...ts.infradead.org>,
<linux-mediatek@...ts.infradead.org>,
<linux-kernel@...r.kernel.org>,
Eddie Hung <eddie.hung@...iatek.com>,
"Yuwen Ng" <yuwen.ng@...iatek.com>, <stable@...r.kernel.org>
Subject: Re: [PATCH 2/3] usb: mtu3: add memory barrier before set GPD's HWO
On Mon, 2021-12-13 at 15:18 +0100, Greg Kroah-Hartman wrote:
> On Thu, Dec 09, 2021 at 11:14:23AM +0800, Chunfeng Yun wrote:
> > There is a seldom issue that the controller access invalid address
> > and trigger devapc or emimpu violation. That is due to memory
> > access
> > is out of order and cause gpd data is not correct.
> > Make sure GPD is fully written before giving it to HW by setting
> > its
> > HWO.
> >
> > Fixes: 48e0d3735aa5 ("usb: mtu3: supports new QMU format")
> > Cc: stable@...r.kernel.org
> > Reported-by: Eddie Hung <eddie.hung@...iatek.com>
> > Signed-off-by: Chunfeng Yun <chunfeng.yun@...iatek.com>
> > ---
> > drivers/usb/mtu3/mtu3_qmu.c | 7 ++++++-
> > 1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/usb/mtu3/mtu3_qmu.c
> > b/drivers/usb/mtu3/mtu3_qmu.c
> > index 3f414f91b589..34bb5ac67efe 100644
> > --- a/drivers/usb/mtu3/mtu3_qmu.c
> > +++ b/drivers/usb/mtu3/mtu3_qmu.c
> > @@ -273,6 +273,8 @@ static int mtu3_prepare_tx_gpd(struct mtu3_ep
> > *mep, struct mtu3_request *mreq)
> > gpd->dw3_info |= cpu_to_le32(GPD_EXT_FLAG_ZLP);
> > }
> >
> > + /* make sure GPD is fully written before giving it to HW */
> > + mb();
>
> So this means you are using mmio for this structure?
No, it's a noncached memory.
> If so, shouldn't
> you be using normal io memory read/write calls as well and not just
> "raw" pointers like this:
>
> > gpd->dw0_info |= cpu_to_le32(GPD_FLAGS_IOC | GPD_FLAGS_HWO);
>
> Are you sure this is ok?
>
> Sprinkling around mb() calls is almost never the correct solution.
>
> If you need to ensure that a write succeeds, shouldn't you do a read
> from it afterward? Many busses require this, doesn't yours?
It works for register access.
Here is noncache memory access, add mb(), just want to prohibite both
the compiler and CPU from reordering read/writes.
>
>
>
> >
> > mreq->gpd = gpd;
> > @@ -306,6 +308,8 @@ static int mtu3_prepare_rx_gpd(struct mtu3_ep
> > *mep, struct mtu3_request *mreq)
> > gpd->next_gpd = cpu_to_le32(lower_32_bits(enq_dma));
> > ext_addr |= GPD_EXT_NGP(mtu, upper_32_bits(enq_dma));
> > gpd->dw3_info = cpu_to_le32(ext_addr);
> > + /* make sure GPD is fully written before giving it to HW */
> > + mb();
>
> Again, mb(); does not ensure that memory-mapped i/o actually hits the
> HW. Or if it does on your platform, how?
Maybe the comment is misleading, I'll change it, here just want to
prevent reordering of compiler and cpu.
>
> mb() is a compiler barrier, not a memory write to a bus
> barrier. Please
> read Documentation/memory-barriers.txt for more details.
Ok, I'll do.
Thanks a lot
>
> thanks,
>
> greg k-h
Powered by blists - more mailing lists