From: "Michał Pecio" <michal.pecio@gmail.com>
To: Mathias Nyman <mathias.nyman@intel.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kuangyi Chiang <ki.chiang65@gmail.com>,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: xhci: Fix invalid pointer dereference in Etron workaround
Date: Wed, 9 Apr 2025 11:42:11 +0200
Message-ID: <20250409114211.62dddbdc@foxbook>
In-Reply-To: <20250317222927.5b76518e@foxbook>

Hi Mathias,

Gentle reminder about a pretty annoying bug, it would seem like a good
idea to have it fixed in 6.15-rc2.

Basically, if you use SS control transfers on Etron, this happens:

[88483.258966] xhci_hcd 0000:06:00.0: last TRB on seg we're gonna dieee!!!
[88483.260825] BUG: unable to handle page fault for address: ffffc9000177a00c
[88483.262441] #PF: supervisor read access in kernel mode
[88483.263889] #PF: error_code(0x0000) - not-present page
[88483.265306] PGD 100000067 P4D 100000067 PUD 100234067 PMD 103dd4067 PTE 0
[88483.266648] Oops: Oops: 0000 [#1] SMP
[88483.267980] CPU: 2 UID: 1000 PID: 20753 Comm: v4l2-ctl Not tainted 6.15.0-rc1 #7 PREEMPT 
[88483.269327] Hardware name: HP HP EliteDesk 705 G3 MT/8265, BIOS P06 Ver. 02.45 07/16/2024
[88483.270689] RIP: 0010:xhci_queue_ctrl_tx+0xaf/0x410 [xhci_hcd]


On Mon, 17 Mar 2025 22:29:27 +0100, Michal Pecio wrote:
> This check is performed before prepare_transfer() and prepare_ring(),
> so enqueue can already point at the final link TRB of a segment. And
> indeed it will, some 0.4% of times this code is called.
> 
> Then enqueue + 1 is an invalid pointer. It will crash the kernel right
> away or load some junk which may look like a link TRB and cause the
> real link TRB to be replaced with a NOOP. This wouldn't end well.
> 
> Use a functionally equivalent test which doesn't dereference the
> pointer and always gives correct result.
> 
> Something has crashed my machine twice in recent days while playing
> with an Etron HC, and a control transfer stress test run for
> confirmation has just crashed it again. The same test passes with
> this patch applied.
> 
> Fixes: 5e1c67abc930 ("xhci: Fix control transfer error on Etron xHCI host")
> Cc: stable@vger.kernel.org
> Signed-off-by: Michal Pecio <michal.pecio@gmail.com>

Regards,
Michal
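
A userspace model of the failure described in the quoted commit message, added here as an illustration; it is not the patch from this thread and not kernel code. The model_* names and both check functions are hypothetical, and the segment size, type-field position and Link TRB type ID are assumed to match the kernel and the xHCI spec.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_TRBS 256       /* assumed equal to the kernel's TRBS_PER_SEGMENT */
#define TRB_TYPE_SHIFT 10  /* TRB type is bits 15:10 of the 4th dword */
#define TRB_TYPE_LINK 6u   /* Link TRB type ID per the xHCI spec */

struct model_trb { uint32_t field[4]; };
struct model_seg { struct model_trb trbs[SEG_TRBS]; };

static bool model_trb_is_link(const struct model_trb *trb)
{
    return ((trb->field[3] >> TRB_TYPE_SHIFT) & 0x3f) == TRB_TYPE_LINK;
}

/* Pattern from the report: inspect enqueue + 1. The model refuses the read
 * and sets *oob when enqueue + 1 lies past the end of the segment. */
static bool next_is_link_by_deref(const struct model_seg *seg, size_t enq, bool *oob)
{
    *oob = (enq + 1 >= SEG_TRBS);
    return *oob ? false : model_trb_is_link(&seg->trbs[enq + 1]);
}

/* Position-only test: the next TRB is the link TRB exactly when enqueue is
 * the second-to-last TRB of the segment. No TRB memory is read. */
static bool next_is_link_by_position(const struct model_seg *seg, size_t enq)
{
    return &seg->trbs[enq] == &seg->trbs[SEG_TRBS - 2];
}

/* Returns how many enqueue positions make the dereferencing test read out of
 * bounds, or -1 if the two tests disagree anywhere in bounds. */
static int compare_checks(void)
{
    static struct model_seg seg;
    int oob_count = 0;
    memset(&seg, 0, sizeof(seg));
    seg.trbs[SEG_TRBS - 1].field[3] = TRB_TYPE_LINK << TRB_TYPE_SHIFT; /* link TRB last */
    for (size_t enq = 0; enq < SEG_TRBS; enq++) {
        bool oob, by_deref = next_is_link_by_deref(&seg, enq, &oob);
        if (oob) oob_count++;
        else if (by_deref != next_is_link_by_position(&seg, enq)) return -1;
    }
    return oob_count;
}

int main(void) { printf("out-of-bounds positions: %d of %d\n", compare_checks(), SEG_TRBS); return 0; }
```

Exactly one enqueue position in the segment, the link TRB itself, makes enqueue + 1 point outside the segment. If the check is assumed equally likely to run at any position, that is 1 in 256, in line with the roughly 0.4% quoted above.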

Thread overview: 3+ messages
2025-03-17 21:29 [PATCH] usb: xhci: Fix invalid pointer dereference in Etron workaround Michal Pecio
2025-03-19 12:56 ` Kuangyi Chiang
2025-04-09  9:42 ` Michał Pecio [this message]
