From: Greg KH <gregkh@linuxfoundation.org>
To: Markus Rechberger <linuxusb.ml@sundtek.de>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: Highly critical bug in XHCI Controller
Date: Sun, 17 Nov 2024 14:12:46 +0100 [thread overview]
Message-ID: <2024111731-neuter-customer-0230@gregkh> (raw)
In-Reply-To: <dd4239c7b0538e1cd2f2a85307c73299117d5f0e.camel@sundtek.de>
On Sun, Nov 17, 2024 at 08:44:16PM +0800, Markus Rechberger wrote:
> Basically the issue comes from hub_port_connect.
>
> drivers/usb/core/hub.c
>
> hub_port_init returns -71 -EPROTO and jumps to loop
> https://github.com/torvalds/linux/blob/master/drivers/usb/core/hub.c#L5450
>
> I'd question if usb_ep0_reinit is really required in loop which is
> running following functions:
> usb_disable_endpoint(udev, 0 + USB_DIR_IN, true);
> usb_disable_endpoint(udev, 0 + USB_DIR_OUT, true);
> usb_enable_endpoint(udev, &udev->ep0, true);
>
> this is something only experience over the past decades can tell?
>
> usb_enable_endpoint will trigger xhci_endpoint_reset which doesn't do
> much, but crashes the entire system with the upstream kernel when it
> triggers xhci_check_bw_table).
>
> I removed usb_ep0_reinit here and devices are still workable under
> various conditions (again I shorted and pulled D+/D- to ground for
> testing).
> The NULL PTR check in xhci_check_bw_table would be a second line of
> defense but as indicated in the first mail it shouldn't even get there.
>
>
>
> As a second issue I found in usb_reset_and_verify device
> https://github.com/torvalds/linux/blob/master/drivers/usb/core/hub.c#L6131
>
> ret = hub_port_init(parent_hub, udev, port1, i, &descriptor);
> if (ret >= 0 || ret == -ENOTCONN || ret == -ENODEV) {
> break;
> }
>
> hub_port_init can also return -71 / -EPROTO, the cases should be very
> rare when usb_reset_and_verify_device is triggered and that happens.
>
>
> I'm just waiting for comments now since this is some critical piece of
> infrastructure code before proceeding with a patch.
Send us a patch and we will be glad to review it.
thanks!
greg k-h
next prev parent reply other threads:[~2024-11-17 13:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-17 7:33 Highly critical bug in XHCI Controller Markus Rechberger
2024-11-17 12:44 ` Markus Rechberger
2024-11-17 13:12 ` Greg KH [this message]
2024-11-17 14:35 ` Michał Pecio
2024-11-17 15:03 ` Markus Rechberger
2024-11-17 15:18 ` Alan Stern
2024-11-17 15:47 ` Markus Rechberger
2024-11-17 21:02 ` Alan Stern
2024-11-18 5:14 ` Markus Rechberger
2024-11-18 16:03 ` Alan Stern
2024-11-18 21:23 ` Michał Pecio
2024-11-17 13:12 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2024111731-neuter-customer-0230@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=linuxusb.ml@sundtek.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.