From: "Michał Pecio" <michal.pecio@gmail.com>
To: linuxusb.ml@sundtek.de
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
Subject: Re: Highly critical bug in XHCI Controller
Date: Sun, 17 Nov 2024 15:35:07 +0100 [thread overview]
Message-ID: <20241117153507.4daaa9f0@foxbook> (raw)
In-Reply-To: <dd4239c7b0538e1cd2f2a85307c73299117d5f0e.camel@sundtek.de>
Hi,
> Basically the issue comes from hub_port_connect.
>
> drivers/usb/core/hub.c
>
> hub_port_init returns -71 -EPROTO and jumps to loop
> https://github.com/torvalds/linux/blob/master/drivers/usb/core/hub.c#L5450
>
> I'd question if usb_ep0_reinit is really required in loop which is
> running following functions:
> usb_disable_endpoint(udev, 0 + USB_DIR_IN, true);
> usb_disable_endpoint(udev, 0 + USB_DIR_OUT, true);
> usb_enable_endpoint(udev, &udev->ep0, true);
>
> this is something only experience over the past decades can tell?
>
> usb_enable_endpoint will trigger xhci_endpoint_reset which doesn't do
> much, but crashes the entire system with the upstream kernel when it
> triggers xhci_check_bw_table).
>
> I removed usb_ep0_reinit here and devices are still workable under
> various conditions (again I shorted and pulled D+/D- to ground for
> testing).
xHCI isn't the only host controller supported by Linux, and
usb_ep0_reinit() predates it. Maybe it's pointless today, maybe
it isn't, but it's not the root cause of your problem anyway.
> The NULL PTR check in xhci_check_bw_table would be a second line
> of defense but as indicated in the first mail it shouldn't even get
> there.
It's an xHCI bug that BW calculation is attempted on an uninitialized
device and crashes. Looks like a NULL check somewhere is exactly what
is needed, or maybe avoid it completely on EP0 (it's probably no-op).
Other similar bug recently:
https://lore.kernel.org/linux-usb/D3CKQQAETH47.1MUO22RTCH2O3@matfyz.cz/T/#u
Yours too should be unique to those Intel Panther Point chipsets.
> As a second issue I found in usb_reset_and_verify device
> https://github.com/torvalds/linux/blob/master/drivers/usb/core/hub.c#L6131
>
> ret = hub_port_init(parent_hub, udev, port1, i, &descriptor);
> if (ret >= 0 || ret == -ENOTCONN || ret == -ENODEV) {
> break;
> }
>
> hub_port_init can also return -71 / -EPROTO, the cases should be very
> rare when usb_reset_and_verify_device is triggered and that happens.
Right, and the intent seems to be to simply retry in this case.
Regards,
Michal
next prev parent reply other threads:[~2024-11-17 14:35 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-17 7:33 Highly critical bug in XHCI Controller Markus Rechberger
2024-11-17 12:44 ` Markus Rechberger
2024-11-17 13:12 ` Greg KH
2024-11-17 14:35 ` Michał Pecio [this message]
2024-11-17 15:03 ` Markus Rechberger
2024-11-17 15:18 ` Alan Stern
2024-11-17 15:47 ` Markus Rechberger
2024-11-17 21:02 ` Alan Stern
2024-11-18 5:14 ` Markus Rechberger
2024-11-18 16:03 ` Alan Stern
2024-11-18 21:23 ` Michał Pecio
2024-11-17 13:12 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241117153507.4daaa9f0@foxbook \
--to=michal.pecio@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=linuxusb.ml@sundtek.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.