From: David Gibson <dwg@au1.ibm.com>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: Wei Yang <weiyang@linux.vnet.ibm.com>,
qemu-devel@nongnu.org, anthony@codemonkey.ws
Subject: Re: [Qemu-devel] [PATCH 3/6] USB OHCI bug fixes
Date: Tue, 28 Feb 2012 14:09:17 +1100 [thread overview]
Message-ID: <20120228030917.GL3433@truffala.fritz.box> (raw)
In-Reply-To: <4F4B8F6E.6010703@redhat.com>
On Mon, Feb 27, 2012 at 03:13:02PM +0100, Gerd Hoffmann wrote:
> On 02/24/12 01:23, David Gibson wrote:
> > From: Wei Yang <weiyang@linux.vnet.ibm.com>
> >
> > This patch fixes two bugs in the OHCI device where the device writes
> > back data to system memory that should be exclusively under the
> > control of the guest side driver.
>
> Looks good. Fails checkpatch though.
Oops, missed one of the overlong lines. checkpatch clean revised
version below.
> What is your merge plan btw? Wanna pick me this up for the usb queue?
> Or do you need just my ack?
If you could put it in your queue that would be great.
>From a4c996ba5e71dfd9f84abcf9365693229f707213 Mon Sep 17 00:00:00 2001
From: Wei Yang <weiyang@linux.vnet.ibm.com>
Date: Wed, 22 Feb 2012 12:02:06 +1100
Subject: [PATCH] USB OHCI bug fixes
This patch fixes two bugs in the OHCI device where the device writes
back data to system memory that should be exclusively under the
control of the guest side driver.
In OHCI specification Section 5.2.7, it mentioned "In all cases, Host
Controller Driver is responsible for the insertion and removal of all
Endpoint Descriptors in the various Host Controller Endpoint
Descriptor lists". In the ohci_frame_boundary(), ohci_put_hcca()
writes the entire hcca back including the interrupt ED lists which
should be under driver control. This violates the specification and
can race with a host driver updating that list at the same time.
In the OHCI Spec Section 4.6, Transfer Descriptor Queue Processing, it
mentioned "Since the TD pointed to by TailP is not accessed by the HC,
the Host Controller Driver can initialize that TD and link at least
one other to it without creating a coherency or synchronization
problem". While the function ohci_put_ed() writes the entire endpoint
descriptor back including the TailP which should under driver
control. This violate the specification and can race with a host
driver updating the TD list at the same time.
In each case the solution is to make sure we don't write data which is
under driver control.
Cc: Gerd Hoffman <kraxel@redhat.com>
Signed-off-by: Wei Yang <weiyang@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
hw/usb-ohci.c | 18 ++++++++++++++++--
1 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 7aa19fe..a4b4ef9 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -122,6 +122,8 @@ struct ohci_hcca {
uint16_t frame, pad;
uint32_t done;
};
+#define HCCA_WRITEBACK_OFFSET offsetof(struct ohci_hcca, frame)
+#define HCCA_WRITEBACK_SIZE 8 /* frame, pad, done */
static void ohci_bus_stop(OHCIState *ohci);
static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev);
@@ -189,6 +191,10 @@ struct ohci_ed {
uint32_t head;
uint32_t next;
};
+#define ED_TAILP_OFFSET offsetof(struct ohci_ed, tail)
+#define ED_PART1_SIZE ED_TAILP_OFFSET
+#define ED_HEADP_OFFSET offsetof(struct ohci_ed, head)
+#define ED_PART2_SIZE (sizeof(struct ohci_ed) - ED_HEADP_OFFSET)
/* General transfer descriptor */
struct ohci_td {
@@ -569,7 +575,13 @@ static inline int ohci_read_hcca(OHCIState *ohci,
static inline int ohci_put_ed(OHCIState *ohci,
uint32_t addr, struct ohci_ed *ed)
{
- return put_dwords(ohci, addr, (uint32_t *)ed, sizeof(*ed) >> 2);
+ /* ed->tail is under control of the HCD, so we need to split
+ * the write back into two parts
+ */
+ put_dwords(ohci, addr, (uint32_t *)ed, ED_PART1_SIZE >> 2);
+ return put_dwords(ohci, addr + ED_HEADP_OFFSET,
+ (uint32_t *)((char *)ed + ED_HEADP_OFFSET),
+ ED_PART2_SIZE >> 2);
}
static inline int ohci_put_td(OHCIState *ohci,
@@ -588,7 +600,9 @@ static inline int ohci_put_iso_td(OHCIState *ohci,
static inline int ohci_put_hcca(OHCIState *ohci,
uint32_t addr, struct ohci_hcca *hcca)
{
- cpu_physical_memory_write(addr + ohci->localmem_base, hcca, sizeof(*hcca));
+ cpu_physical_memory_write(addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
+ (char *)hcca + HCCA_WRITEBACK_OFFSET,
+ HCCA_WRITEBACK_SIZE);
return 1;
}
--
1.7.9
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
next prev parent reply other threads:[~2012-02-28 3:09 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-24 0:23 [Qemu-devel] [0/6] Assorted bugfixes David Gibson
2012-02-24 0:23 ` [Qemu-devel] [PATCH 1/6] kvm: Comparison with ioctl number macros needs to be unsigned David Gibson
2012-02-24 0:23 ` [Qemu-devel] [PATCH 2/6] slirp: Fix assertion failure on rejected DHCP requests David Gibson
2012-02-27 13:58 ` Jan Kiszka
2012-02-28 1:07 ` David Gibson
2012-02-24 0:23 ` [Qemu-devel] [PATCH 3/6] USB OHCI bug fixes David Gibson
2012-02-27 14:13 ` Gerd Hoffmann
2012-02-28 3:09 ` David Gibson [this message]
2012-02-28 3:37 ` David Gibson
2012-02-24 0:23 ` [Qemu-devel] [PATCH 4/6] Endian fixes for virtfs David Gibson
2012-02-24 8:29 ` Aneesh Kumar K.V
2012-02-24 0:23 ` [Qemu-devel] [PATCH 5/6] Endian fix an assertion in usb-msd David Gibson
2012-02-24 0:23 ` [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size David Gibson
2012-02-24 1:03 ` Benjamin Herrenschmidt
2012-02-26 21:41 ` Blue Swirl
2012-02-27 0:16 ` David Gibson
2012-02-27 0:25 ` Benjamin Herrenschmidt
2012-02-27 0:36 ` Alexander Graf
2012-03-03 15:29 ` Blue Swirl
2012-02-28 12:32 ` Avi Kivity
2012-02-28 21:48 ` Benjamin Herrenschmidt
2012-03-04 10:49 ` Avi Kivity
2012-03-04 11:53 ` Benjamin Herrenschmidt
2012-03-04 12:18 ` Avi Kivity
2012-03-04 16:46 ` Andreas Färber
2012-03-04 18:46 ` Alexander Graf
2012-03-04 20:21 ` Andreas Färber
2012-03-04 20:25 ` Alexander Graf
2012-03-04 20:31 ` Andreas Färber
2012-03-04 20:59 ` Alexander Graf
2012-03-04 21:19 ` Benjamin Herrenschmidt
2012-03-04 21:45 ` Alexander Graf
2012-03-04 21:21 ` Andreas Färber
2012-03-04 21:17 ` Benjamin Herrenschmidt
2012-02-28 23:32 ` Alexander Graf
2012-02-29 0:22 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120228030917.GL3433@truffala.fritz.box \
--to=dwg@au1.ibm.com \
--cc=anthony@codemonkey.ws \
--cc=kraxel@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=weiyang@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).