From: David Gibson
Date: Tue, 28 Feb 2012 15:03:54 +1100
Message-ID: <20120228040354.GN3433@truffala.fritz.box>
In-Reply-To: <1330401082-10073-1-git-send-email-david@gibson.dropbear.id.au>
Subject: Re: [Qemu-devel] [PATCH] USB OHCI bug fixes
To: kraxel@redhat.com
Cc: Wei Yang, qemu-devel@nongnu.org, anthony@codemonkey.ws

On Tue, Feb 28, 2012 at 02:51:22PM +1100, David Gibson wrote:
> This patch fixes two bugs in the OHCI device where the device writes
> back data to system memory that should be exclusively under the
> control of the guest side driver.
>
> In OHCI specification Section 5.2.7, it mentioned "In all cases, Host
> Controller Driver is responsible for the insertion and removal of all
> Endpoint Descriptors in the various Host Controller Endpoint
> Descriptor lists". In the ohci_frame_boundary(), ohci_put_hcca()
> writes the entire hcca back including the interrupt ED lists which
> should be under driver control. This violates the specification and
> can race with a host driver updating that list at the same time.
>
> In the OHCI Spec Section 4.6, Transfer Descriptor Queue Processing, it
> mentioned "Since the TD pointed to by TailP is not accessed by the HC,
> the Host Controller Driver can initialize that TD and link at least
> one other to it without creating a coherency or synchronization
> problem". While the function ohci_put_ed() writes the entire endpoint
> descriptor back including the TailP which should be under driver
> control. This violates the specification and can race with a host
> driver updating the TD list at the same time.
>
> In each case the solution is to make sure we don't write data which is
> under driver control.

Arrrgh, sorry, screwed up yet again. This version has some redundant
#defines left in.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
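The HCCA write-back race described in the quoted patch description, as an added example that is not part of this message or of QEMU's own code: a whole-structure write-back beside one that only writes the controller-owned fields, run against a simulated driver update. The struct layout follows the OHCI HCCA (driver-owned interrupt ED list heads, then the frame number and done head written by the controller); guest_hcca, put_hcca_whole, put_hcca_hc_only and simulate_frame are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout follows the OHCI HCCA: 32 interrupt ED list heads, which the
 * spec leaves to the driver, then the frame number and done head, which
 * the host controller writes. */
struct ohci_hcca {
    uint32_t intr[32];
    uint16_t frame;
    uint16_t pad;
    uint32_t done;
};

/* Constructed stand-in for the guest RAM that holds the HCCA. */
static struct ohci_hcca guest_hcca;

/* Buggy write-back: the whole cached copy lands in guest memory, so any
 * intr[] entry the driver changed since the device read it is overwritten. */
static void put_hcca_whole(const struct ohci_hcca *cached)
{
    memcpy(&guest_hcca, cached, sizeof(*cached));
}

/* Fixed write-back: only the fields the controller owns (frame, pad, done). */
static void put_hcca_hc_only(const struct ohci_hcca *cached)
{
    size_t off = offsetof(struct ohci_hcca, frame);
    memcpy((uint8_t *)&guest_hcca + off, (const uint8_t *)cached + off,
           sizeof(*cached) - off);
}

/* Race from the patch description: the device caches the HCCA, the driver
 * then links a new ED at the head of interrupt list 0, and the device
 * writes back at the frame boundary. Returns the resulting guest HCCA. */
const struct ohci_hcca *simulate_frame(int fixed)
{
    memset(&guest_hcca, 0, sizeof(guest_hcca));
    guest_hcca.intr[0] = 0x1000;          /* driver's current list head */
    struct ohci_hcca cached = guest_hcca; /* device reads the HCCA */
    guest_hcca.intr[0] = 0x2000;          /* driver inserts a new ED in front */
    cached.frame++;                       /* controller-side updates */
    cached.done = 0x3000;
    if (fixed) put_hcca_hc_only(&cached); else put_hcca_whole(&cached);
    return &guest_hcca;
}
```

With the buggy write-back intr[0] reverts to 0x1000 and the ED the driver linked in is silently lost; with the fixed one it stays 0x2000 while frame and done still reach guest memory.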