Re: [PATCH] usb: dwc3: core: Prevent USB core invalid event buffer address access

From: Thinh Nguyen
Date: Wed Aug 07 2024 - 20:22:10 EST

Next message: Andrii Nakryiko: "[PATCH v2 3/6] uprobes: get rid of enum uprobe_filter_ctx in uprobe filter callbacks"
Previous message: Andrii Nakryiko: "[PATCH v2 2/6] uprobes: protected uprobe lifetime with SRCU"
In reply to: Selvarasu Ganesan: "Re: [PATCH] usb: dwc3: core: Prevent USB core invalid event buffer address access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 07, 2024, Selvarasu Ganesan wrote:
>
> On 8/7/2024 5:44 AM, Thinh Nguyen wrote:
> > On Mon, Jul 22, 2024, Selvarasu Ganesan wrote:
> >> This commit addresses an issue where the USB core could access an
> >> invalid event buffer address during runtime suspend, potentially causing
> >> SMMU faults and other memory issues. The problem arises from the
> >> following sequence.
> >> 1. In dwc3_gadget_suspend, there is a chance of a timeout when
> >> moving the USB core to the halt state after clearing the
> >> run/stop bit by software.
> >> 2. In dwc3_core_exit, the event buffer is cleared regardless of
> >> the USB core's status, which may lead to an SMMU faults and
> >> other memory issues. if the USB core tries to access the event
> >> buffer address.
> >>
> >> To prevent this issue, this commit ensures that the event buffer address
> >> is not cleared by software when the USB core is active during runtime
> >> suspend by checking its status before clearing the buffer address.
> > What happen after adding this check? Can the device resume and function
> > properly afterward? If not, do you know if a soft-reset will recover the
> > issue?
> >
> > Thanks,
> > Thinh
>
> Yes, we can see the proper resume with this fix even if the USB IP core
> not entered into halted during suspend.
>
> And we not tried soft reset as this fix is working fine.
>
> Anyway soft reset is part of resume sequence and it will reset or
> recover the USB IP state machine.
>

Ok.

Just wonder, what condition does the buffer access become invalid?
While it makes sense that we should not cleanup the buffer while the
controller is in run state, I don't think SMMU fault will always occur
when (!(reg & DWC3_DSTS_DEVCTRLHLT)) right?

>
> Thanks,
>
> Selva
>
> >
> >> Signed-off-by: Selvarasu Ganesan <selvarasu.g@xxxxxxxxxxx>
> >> ---
> >> drivers/usb/dwc3/core.c | 4 +++-
> >> 1 file changed, 3 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
> >> index cb82557678dd..c7c1a253862e 100644
> >> --- a/drivers/usb/dwc3/core.c
> >> +++ b/drivers/usb/dwc3/core.c
> >> @@ -559,8 +559,10 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc)
> >> void dwc3_event_buffers_cleanup(struct dwc3 *dwc)
> >> {
> >> struct dwc3_event_buffer *evt;
> >> + u32 reg;
> >>
> >> - if (!dwc->ev_buf)
> >> + reg = dwc3_readl(dwc->regs, DWC3_DSTS);
> >> + if (!dwc->ev_buf || !(reg & DWC3_DSTS_DEVCTRLHLT))
> >> return;

Can you separate the checks so we don't have to read register for all
conditions?

if (!dwc->ev_buf)
return;

/*
* If dwc3_core_exit() fails, event buffer is not
* accessible for <XYZ> platforms.
*/
reg = dwc3_readl(dwc->regs, DWC3_DSTS);
if (!(reg & DWC3_DSTS_DEVCTRLHLT))
return;

Thanks,
Thinh

> >>
> >> evt = dwc->ev_buf;
> >> --
> >> 2.17.1

Next message: Andrii Nakryiko: "[PATCH v2 3/6] uprobes: get rid of enum uprobe_filter_ctx in uprobe filter callbacks"
Previous message: Andrii Nakryiko: "[PATCH v2 2/6] uprobes: protected uprobe lifetime with SRCU"
In reply to: Selvarasu Ganesan: "Re: [PATCH] usb: dwc3: core: Prevent USB core invalid event buffer address access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]