From: Arnout Engelen
To: kraxel@redhat.com, qemu-devel@nongnu.org
Cc: Arnout Engelen
Subject: [PATCH] hw/usb/hcd-ehci: fix writeback order
Date: Sun, 8 May 2022 17:32:22 +0200
Message-Id: <20220508153222.3560803-1-arnout@bzzt.net>

The 'active' bit passes control over a qTD between the guest and the controller: set to 1 by guest to enable execution by the controller, and the controller sets it to '0' to hand back control to the guest.

ehci_state_writeback writes two dwords to main memory using DMA: the third dword of the qTD (containing dt, total bytes to transfer, cpage, cerr and status) and the fourth dword of the qTD (containing the offset).
This commit makes sure the fourth dword is written before the third, avoiding a race condition where a new offset written into the qTD by the guest after it observed the status going to '0' gets overwritten by a 'late' DMA writeback of the previous offset.

This race condition could lead to 'cpage out of range (5)' errors, and can be reproduced by:

    ./qemu-system-x86_64 -enable-kvm -bios $SEABIOS/bios.bin -m 4096 -device usb-ehci -blockdev driver=file,read-only=on,filename=/home/aengelen/Downloads/openSUSE-Tumbleweed-DVD-i586-Snapshot20220428-Media.iso,node-name=iso -device usb-storage,drive=iso,bootindex=0 -chardev pipe,id=shell,path=/tmp/pipe -device virtio-serial -device virtconsole,chardev=shell -device virtio-rng-pci -serial mon:stdio -nographic

(press a key, select 'Installation' (2), and accept the default values. On my machine the 'cpage out of range' is reproduced while loading the Linux Kernel about once per 7 attempts. With the fix in this commit it no longer fails)

This problem was previously reported as a seabios problem in https://mail.coreboot.org/hyperkitty/list/seabios@seabios.org/thread/OUTHT5ISSQJGXPNTUPY3O5E5EPZJCHM3/ and as a nixos CI build failure in https://github.com/NixOS/nixpkgs/issues/170803

Signed-off-by: Arnout Engelen
---
 hw/usb/hcd-ehci.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 33a8a377bd..d4da8dcb8d 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -2011,7 +2011,10 @@ static int ehci_state_writeback(EHCIQueue *q) ehci_trace_qtd(q, NLPTR_GET(p->qtdaddr), (EHCIqtd *) &q->qh.next_qtd); qtd =3D (uint32_t *) &q->qh.next_qtd; addr =3D NLPTR_GET(p->qtdaddr); - put_dwords(q->ehci, addr + 2 * sizeof(uint32_t), qtd + 2, 2); + /* First write back the offset */ + put_dwords(q->ehci, addr + 3 * sizeof(uint32_t), qtd + 3, 1); + /* Then write back the token, clearing the 'active' bit */ + put_dwords(q->ehci, addr + 2 * sizeof(uint32_t), qtd + 2, 1); ehci_free_packet(p); =20 /* --=20 2.35.3
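
Review bot: the two new comments above the put_dwords() calls in ehci_state_writeback() state the order of the writes but not the reason for it, so a later cleanup could merge them back into the single two-dword write that this patch removes. Suggest folding the rationale from the commit message into the comment: the guest may reuse the qTD and store a new offset as soon as it sees 'active' cleared, so the token dword must be the last thing written. It is also worth confirming that the second put_dwords() cannot become visible to the guest before the first one; if put_dwords() does not itself guarantee that ordering, a barrier between the two calls is needed for the fix to hold.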