| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0b985241-31a4-4d12-80be-4e211d21dfd6@samsung.com>
Date: Wed, 7 Aug 2024 10:16:56 +0530
From: Selvarasu Ganesan <selvarasu.g@...sung.com>
To: Thinh Nguyen <Thinh.Nguyen@...opsys.com>
Cc: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"jh0801.jung@...sung.com" <jh0801.jung@...sung.com>, "dh10.jung@...sung.com"
<dh10.jung@...sung.com>, "naushad@...sung.com" <naushad@...sung.com>,
"akash.m5@...sung.com" <akash.m5@...sung.com>, "rc93.raju@...sung.com"
<rc93.raju@...sung.com>, "taehyun.cho@...sung.com"
<taehyun.cho@...sung.com>, "hongpooh.kim@...sung.com"
<hongpooh.kim@...sung.com>, "eomji.oh@...sung.com" <eomji.oh@...sung.com>,
"shijie.cai@...sung.com" <shijie.cai@...sung.com>
Subject: Re: [PATCH] usb: dwc3: core: Prevent USB core invalid event buffer
address access
On 8/7/2024 5:44 AM, Thinh Nguyen wrote:
> On Mon, Jul 22, 2024, Selvarasu Ganesan wrote:
>> This commit addresses an issue where the USB core could access an
>> invalid event buffer address during runtime suspend, potentially causing
>> SMMU faults and other memory issues. The problem arises from the
>> following sequence.
>> 1. In dwc3_gadget_suspend, there is a chance of a timeout when
>> moving the USB core to the halt state after clearing the
>> run/stop bit by software.
>> 2. In dwc3_core_exit, the event buffer is cleared regardless of
>> the USB core's status, which may lead to an SMMU faults and
>> other memory issues. if the USB core tries to access the event
>> buffer address.
>>
>> To prevent this issue, this commit ensures that the event buffer address
>> is not cleared by software when the USB core is active during runtime
>> suspend by checking its status before clearing the buffer address.
> What happen after adding this check? Can the device resume and function
> properly afterward? If not, do you know if a soft-reset will recover the
> issue?
>
> Thanks,
> Thinh
Yes, we can see the proper resume with this fix even if the USB IP core
not entered into halted during suspend.
And we not tried soft reset as this fix is working fine.
Anyway soft reset is part of resume sequence and it will reset or
recover the USB IP state machine.
Thanks,
Selva
>
>> Signed-off-by: Selvarasu Ganesan <selvarasu.g@...sung.com>
>> ---
>> drivers/usb/dwc3/core.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
>> index cb82557678dd..c7c1a253862e 100644
>> --- a/drivers/usb/dwc3/core.c
>> +++ b/drivers/usb/dwc3/core.c
>> @@ -559,8 +559,10 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc)
>> void dwc3_event_buffers_cleanup(struct dwc3 *dwc)
>> {
>> struct dwc3_event_buffer *evt;
>> + u32 reg;
>>
>> - if (!dwc->ev_buf)
>> + reg = dwc3_readl(dwc->regs, DWC3_DSTS);
>> + if (!dwc->ev_buf || !(reg & DWC3_DSTS_DEVCTRLHLT))
>> return;
>>
>> evt = dwc->ev_buf;
>> --
>> 2.17.1
Powered by blists - more mailing lists