Message-ID: <1566212487.5663.17.camel@suse.com>
Subject: Re: dwc2 / Raspberry Pi - hardware bug for small transfers results in memory corruption
From: Oliver Neukum
To: Jonathan Bell
Cc: Minas Harutyunyan, linux-usb@vger.kernel.org
Date: Mon, 19 Aug 2019 13:01:27 +0200
References: <1565866530.5780.4.camel@suse.com> <1565880737.5780.12.camel@suse.com>

On Friday, 16.08.2019, at 23:18 +0100, Jonathan Bell wrote:
> On Thu, Aug 15, 2019 at 3:52 PM Oliver Neukum wrote:
> > That is an accident waiting to happen. Please make a patch using
> > a bounce buffer allocated with kmalloc() in
> > drivers/media/usb/uvc/uvc_ctrl.c:uvc_ctrl_populate_cache() and friends.
>
> A patch to uvcvideo will not fix the underlying bug with the host
> controller hardware.

Absolutely correct.

> There are hundreds of device drivers of varying
> vintages that potentially react badly to having a rogue host
> controller DMA engine writing more bytes than were reported by the
> controller's interrupt status register.

Then these drivers are likely to be buggy. Not guaranteed to, it is
possible to write a driver which is correct and still would react
badly to that, but it is difficult.

> So my original two questions still need answering:
> 1) Does the symptom seen with v4l2-ctl exist on other platforms using
> dwc2 (which implies that this is not a bug specific to Raspberry Pi)
> 2) How do we harden upstream dwc2 against a broken controller DMA?

Unknown and very hard to find out, because you are almost always
in a situation where you have a full cache line, which is larger than
4 bytes.

You must flush all cache lines your buffer is part of. You must
not touch them until DMA is complete. That is easiest to achieve
if you just kmalloc() each buffer separately. Using two parts of a buffer
for subsequent DMA is within the rules, but not worth the trouble.

Using a bounce buffer in the dwc2 driver is likely not worth the trouble,
as you wouldn't get away with a single buffer and dynamic allocation
would suck (it would have to be atomic).

	Regards
		Oliver
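
The bounce-buffer advice in the message above, modelled in user space as an added example; it is not code from this thread or from the dwc2 or uvcvideo drivers. The controller model, its 4-byte write granularity, the 64-byte cache line, the struct layout and all names are assumptions, and `aligned_alloc()` stands in for `kmalloc()`.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CACHE_LINE 64 /* assumed cache line size for this model */
#define DMA_WORD 4    /* assumed: the modelled controller writes whole 4-byte words */

/* Hypothetical driver state: a 2-byte receive buffer packed next to live data. */
struct ctrl_cache {
    uint8_t value[2]; /* DMA target, at offset 0 */
    uint8_t flags[2]; /* unrelated state sharing the same cache line */
};

/* Constructed controller model: writes whole words, reports only len bytes. */
static size_t fake_dma_in(uint8_t *dst, const uint8_t *wire, size_t len)
{
    size_t written = (len + DMA_WORD - 1) / DMA_WORD * DMA_WORD;
    for (size_t i = 0; i < written; i++)
        dst[i] = i < len ? wire[i] : 0xEE; /* 0xEE marks bytes beyond the report */
    return len;
}

/* DMA straight into the embedded buffer. Returns 1 if flags were clobbered. */
int read_direct(struct ctrl_cache *c, const uint8_t *wire, size_t len)
{
    uint8_t before[2];
    memcpy(before, c->flags, sizeof before);
    fake_dma_in((uint8_t *)c, wire, len);
    return memcmp(before, c->flags, sizeof before) != 0;
}

/* DMA into a separate whole-cache-line allocation, copy out the reported length. */
int read_bounced(struct ctrl_cache *c, const uint8_t *wire, size_t len)
{
    uint8_t before[2];
    uint8_t *bounce = aligned_alloc(CACHE_LINE, (len / CACHE_LINE + 1) * CACHE_LINE);
    if (!bounce) return -1;
    memcpy(before, c->flags, sizeof before);
    size_t got = fake_dma_in(bounce, wire, len);
    memcpy(c->value, bounce, got < sizeof c->value ? got : sizeof c->value);
    free(bounce);
    return memcmp(before, c->flags, sizeof before) != 0;
}

int main(void)
{
    const uint8_t wire[2] = {0xAA, 0xBB}; /* constructed 2-byte reply */
    struct ctrl_cache a = {{0, 0}, {1, 2}}, b = a;
    return read_direct(&a, wire, 2) == 1 && read_bounced(&b, wire, 2) == 0 ? 0 : 1;
}
```

The direct path loses `flags` to the two extra bytes, while the bounced path confines the excess write to memory nothing else uses.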