From: bugzilla-daemon@kernel.org
To: linux-usb@vger.kernel.org
Subject: [Bug 220033] New: xhci: Compliance Issue - avg_trb_len not set for EP0 during Address Device Command
Date: Fri, 18 Apr 2025 13:31:17 +0000
Message-ID: <bug-220033-208809@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=220033
Bug ID: 220033
Summary: xhci: Compliance Issue - avg_trb_len not set for EP0
during Address Device Command
Product: Drivers
Version: 2.5
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P3
Component: USB
Assignee: drivers_usb@kernel-bugs.kernel.org
Reporter: jay.chen@siemens.com
Regression: No
[Summary]:
During device enumeration, while processing the Address Device Command, the
xHCI driver (xhci-hcd) leaves the Average TRB Length (avg_trb_len) field for
Control Endpoint 0 (EP0) set to 0 in the Input Context.
According to the xHCI 1.2 Specification (Section 6.2.3.1, p.454), the Average
TRB Length must be greater than 0, and software shall set it to 8 for Control
Endpoints.
Some xHCI hardware vendors may validate the Input Context at Address Device
time and reject contexts with invalid values, potentially causing device
enumeration issues.
While xhci_endpoint_init() later sets avg_trb_len correctly, setting it earlier
in xhci_setup_addressable_virt_dev() would improve compliance and robustness.
====================================
[Description]:
Observed in kernel 6.15-rc2 (self-built vanilla, no taint).
Using KGDB during Address Device Command handling, the Input Context was
dumped, showing EP0 avg_trb_len field remained 0.
Stack Trace during capture:
queue_trb -> queue_command -> xhci_queue_address_device ->
xhci_setup_device -> xhci_address_device
Memory dump of Input Context (kgdb):
(logical Input Context memory)
>>> x/96bx 0x11BF40000
0x11bf40000: Cannot access memory at address 0x11bf40000
(physical Input Context memory)
>>> p/x page_offset_base
$1 = 0xffff888000000000
>>> x/96bx 0xFFFF88811BF40000
(Input Control Context)
0xffff88811bf40000: 0x00 0x00 0x00 0x00 0x03 0x00 0x00 0x00
0xffff88811bf40008: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffff88811bf40010: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffff88811bf40018: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Slot
0xffff88811bf40020: 0x00 0x00 0x40 0x08 0x00 0x00 0x01 0x00
0xffff88811bf40028: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffff88811bf40030: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffff88811bf40038: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
EP Context0 (Control EP)
0xffff88811bf40040: 0x00 0x00 0x00 0x00 0x26 0x00 0x00 0x02
0xffff88811bf40048: 0x01 0x10 0xf4 0x1b 0x01 0x00 0x00 0x00
0xffff88811bf40050: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffff88811bf40058: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
EP State = 0
CErr = 3 ("Software should set CErr to ‘3’ for normal operations. The values of
‘1’ or ‘2’ should be avoided during normal operation because they will reduce
transfer reliability. The value of ‘0’ is typically only used for test or
debug.")
EP Type = 4 (Control Bidirectional)
Max Packet Size = 512
DCS = 1
TR Dequeue Pointer = 0x11BF41000
**** Average TRB Length = 0 ****
SPEC xHCI_1_2_201905:
(p.453, "This field represents the average Length of the TRBs executed by this
endpoint. The value of this field shall be greater than ‘0’")
(p.454, "Note: Software shall set Average TRB Length to ‘8’ for control
endpoints.")
(p.454, 6.2.3.1 Address Device Command Usage: "The Input Endpoint 0 Context is
considered “valid” ...... if: ... 6) all other fields are within the valid
range of values")
---
Tested environment:
- Platform: QEMU Standard PC (Q35 + ICH9)
- Host Controller: QEMU XHCI Host Controller
- Device: QEMU USB Hard Drive (SuperSpeed 5Gbps)
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
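
The field decode in the report can be reproduced mechanically. The following is an added example, not part of the bug report and not kernel code: it decodes the 32-byte EP Context 0 bytes from the dump above using the xHCI Endpoint Context bit layout and applies the two Average TRB Length rules the report quotes. The struct and function names (ep_ctx_fields, decode_ep_ctx, check_avg_trb_len) are hypothetical, and 32-byte contexts are assumed, as in the dump.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded Endpoint Context fields (names are illustrative, not the kernel's). */
struct ep_ctx_fields {
    unsigned ep_state, cerr, ep_type, max_packet, dcs, avg_trb_len;
    uint64_t deq;
};

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one little-endian Endpoint Context (dwords 0, 1, 2-3 and 4). */
static struct ep_ctx_fields decode_ep_ctx(const uint8_t *b)
{
    struct ep_ctx_fields f;
    uint32_t d0 = le32(b), d1 = le32(b + 4), d4 = le32(b + 16);
    uint64_t d23 = le32(b + 8) | (uint64_t)le32(b + 12) << 32;
    f.ep_state = d0 & 0x7;          /* dword 0, bits 2:0 */
    f.cerr = (d1 >> 1) & 0x3;       /* dword 1, bits 2:1 */
    f.ep_type = (d1 >> 3) & 0x7;    /* dword 1, bits 5:3 */
    f.max_packet = d1 >> 16;        /* dword 1, bits 31:16 */
    f.dcs = d23 & 1;                /* dwords 2-3, bit 0 */
    f.deq = d23 & ~0xfULL;          /* dwords 2-3, bits 63:4 */
    f.avg_trb_len = d4 & 0xffff;    /* dword 4, bits 15:0 */
    return f;
}

/* 0 = acceptable; 1 = avg_trb_len is 0; 2 = control endpoint with avg_trb_len != 8. */
static int check_avg_trb_len(const struct ep_ctx_fields *f)
{
    if (f->avg_trb_len == 0)
        return 1;
    if (f->ep_type == 4 && f->avg_trb_len != 8) /* 4 = Control Bidirectional */
        return 2;
    return 0;
}

/* EP Context 0 as dumped at 0xffff88811bf40040; bytes 16..31 are zero in the dump. */
static const uint8_t reported_ep0[32] = {
    0x00,0x00,0x00,0x00, 0x26,0x00,0x00,0x02, 0x01,0x10,0xf4,0x1b, 0x01,0x00,0x00,0x00,
};

int main(void)
{
    struct ep_ctx_fields f = decode_ep_ctx(reported_ep0);
    printf("type=%u mps=%u cerr=%u dcs=%u deq=%#llx avg=%u check=%d\n", f.ep_type, f.max_packet,
           f.cerr, f.dcs, (unsigned long long)f.deq, f.avg_trb_len, check_avg_trb_len(&f));
    return 0;
}
```

Setting byte 16 of the context to 8 makes the check return 0, which is the state the report asks xhci_setup_addressable_virt_dev() to produce before the Address Device Command is queued.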