public inbox for stable@vger.kernel.org
From: "Michał Pecio" <michal.pecio@gmail.com>
To: Mathias Nyman <mathias.nyman@linux.intel.com>
Cc: gregkh@linuxfoundation.org, linux-usb@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH 2/4] xhci: Mitigate failed set dequeue pointer commands
Date: Thu, 17 Oct 2024 18:14:47 +0200
Message-ID: <20241017181447.7c712c4b@foxbook>
In-Reply-To: <3a22e31a-12bc-4fdc-90d2-e09a7f9d067f@linux.intel.com>

On Thu, 17 Oct 2024 16:10:39 +0300, Mathias Nyman wrote:
> > Hmm, wouldn't a long and partially cached TD basically become
> > corrupted by this overwrite?  
> 
> Unlikely but not impossible.
> We already turn all cancelled TDs that we don't stop on into no-ops,
> so those would already now experience the same problem.

No, I think they wouldn't. The note in xHCI 1.2, 4.6.9, on page 135 states
clearly that xHC shall invalidate cached TRBs besides the current TD.

Same page, point 3, mentions that software "may not modify" the current
TD, whatever on earth that is supposed to mean. Unfortunately, I can't
find a clear "shall not" in 4.6.9, but I would see it as such.

> We stopped the endpoint, and issued a 'Set TR deq' command which is
> supposed to clear xHC TRB cache.  I find it hard to believe xHC would
> continue by caching some select TRBs of a TD to cache.

The idea is, if Set TR Deq fails, the xHC preserves transfer state and
cache and tries to continue. If the TD wasn't fully cached when the xHC
stopped, it remains incomplete. Missing TRBs will be filled with No Ops
when it restarts, yielding an invalid TD (e.g. No Op chained at the end).

So it may turn out that instead of "EP TRB ptr not part of current TD"
something else would show up, perhaps TRB Errors.

> But let's say we end up corrupting the TD. It might still be better
> than allowing xHC to process the TRBs and write to DMA addresses that
> might be freed/reused already.

There is some truth to that, I guess. It's a bummer that those bugs are
here in the first place and no one seems to know where they come from.


Was this tested on HW? I suppose it wouldn't be hard to corrupt a Set
TR Deq command to make it fail, stream 0xffff or something like that.
It may be harder to come up with a realistic test case with long TDs.

Regards,
Michal
