Open Source and information security mailing list archives
 
Message-ID: <20250225231705.3fa7c8bd@foxbook>
Date: Tue, 25 Feb 2025 23:17:05 +0100
From: Michał Pecio <michal.pecio@...il.com>
To: Mathias Nyman <mathias.nyman@...ux.intel.com>
Cc: Mathias Nyman <mathias.nyman@...el.com>, Greg Kroah-Hartman
 <gregkh@...uxfoundation.org>, linux-usb@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 2/3] usb: xhci: Simplify moving HW Dequeue Pointer
 past cancelled TDs

On Tue, 25 Feb 2025 16:55:49 +0200, Mathias Nyman wrote:
> This new way relies on td_list being in sync and up to date.
> i.e. hardware dequeue can't be ahead of first TD in list.
> 
> One bad scenario could be something like:
> 
> class driver queues TD1
> class driver queues TD2
> Class driver cancels TD2, queue stop endpoint command
> (Class driver cancels TD1) (optional)
> 
> xHC hardware just completed TD1 and stop endpoint command at the same
> time, xHC hw may have advanced the hw dequeue to TD2, write event for
> stop endpoint command, and then write transfer event for TD1
> completion. (xHC hardware may do things in odd order)

I suppose this would be illegal; per 4.6.9 transfer events are posted
and EP Context updated before Stop EP cmd completion. HW Dequeue Ptr
is advanced on subsequent doorbell ring if the stopped TRB is complete.

But I can see how this could appear to work fine and then mysteriously
break on some weird buggy HC. I will abandon this patch for now.

> Now we detect that hw dequeue is in the cancelled TD2 but TD1 is
> still in the td_list. This new solution would move dequeue back to TD1
> beginning, and process it again.

