[U-Boot,RFC] usb: ehci: do not invalidate a NULL buffer

Message ID	20171117142836.3456-1-dirk.behme@de.bosch.com
State	Accepted
Commit	b3cbcd902db7019410dfe3729a660abcb1f03ffb
Delegated to:	Marek Vasut
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Dirk Behme <dirk.behme@gmail.com> To: Marek Vasut <marex@denx.de>, u-boot@lists.denx.de Date: Fri, 17 Nov 2017 15:28:36 +0100 Message-Id: <20171117142836.3456-1-dirk.behme@de.bosch.com> Cc: Martin.Mueller5@de.bosch.com Subject: [U-Boot] [RFC PATCH] usb: ehci: do not invalidate a NULL buffer Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	[U-Boot,RFC] usb: ehci: do not invalidate a NULL buffer \| expand [U-Boot,RFC] usb: ehci: do not invalidate a NULL buffer

Message ID

20171117142836.3456-1-dirk.behme@de.bosch.com

State

Accepted

Commit

b3cbcd902db7019410dfe3729a660abcb1f03ffb

Delegated to:

Marek Vasut

Headers

show

Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.denx.de
	(client-ip=81.169.180.215; helo=lists.denx.de;
	envelope-from=u-boot-bounces@lists.denx.de;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="BaZRGjYB"; dkim-atps=neutral
Received: from lists.denx.de (dione.denx.de [81.169.180.215])
	by ozlabs.org (Postfix) with ESMTP id 3ydgTj2NmWz9s3w
	for <incoming@patchwork.ozlabs.org>;
	Sat, 18 Nov 2017 01:28:57 +1100 (AEDT)
Received: by lists.denx.de (Postfix, from userid 105)
	id E7DBCC21DBA; Fri, 17 Nov 2017 14:28:45 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM,
	RCVD_IN_DNSWL_BLOCKED, RCVD_IN_MSPIKE_H2,
	T_DKIM_INVALID autolearn=unavailable
	autolearn_force=no version=3.4.0
Received: from lists.denx.de (localhost [IPv6:::1])
	by lists.denx.de (Postfix) with ESMTP id EBD0BC21D63;
	Fri, 17 Nov 2017 14:28:42 +0000 (UTC)
Received: by lists.denx.de (Postfix, from userid 105)
	id 44C5AC21DA6; Fri, 17 Nov 2017 14:28:41 +0000 (UTC)
Received: from mail-wr0-f195.google.com (mail-wr0-f195.google.com
	[209.85.128.195])
	by lists.denx.de (Postfix) with ESMTPS id B26A5C21D76
	for <u-boot@lists.denx.de>; Fri, 17 Nov 2017 14:28:40 +0000 (UTC)
Received: by mail-wr0-f195.google.com with SMTP id z75so925560wrc.5
	for <u-boot@lists.denx.de>; Fri, 17 Nov 2017 06:28:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=sRyhMqqYdjoU367l+8ZO1eu8iQQIqfg5ts2IJveem9I=;
	b=BaZRGjYBgJJ7R6udQJnuEN2JqT5fV69DeQVnJ4zWJXWuYU6puXev1Dl0z+jQle4TCW
	asCXt+bJZ/otLeAVi0Ilarops9u3zJFCUpnQisYBtdo1PwSkHg90tpxQO1KCRF2ZIact
	CBhHkxZmaQdplUAbRPSk6Awym8xn7Efuow60fq75dkDZgExy2RoVPkULmxEW+GnhSXjq
	RET6EPsSbZpNyfBUS+oN/x8oV/QGjnrwH5bF6AzfjI4Az/2pV2bw5pSnDAjsTo/IzG1o
	VRrc9s/tCC2n1kC1WEXQDV0NzwzKBHQ4U9bqMFt018IMMFyNv0e/N68AaqUolvS2yRFs
	eAVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=sRyhMqqYdjoU367l+8ZO1eu8iQQIqfg5ts2IJveem9I=;
	b=oRRJ3mcRCDxk/y1AeiREbiP0uKPEBvvHpfOyCo0xXGA9d3fcjIf8i2RAKr6FRqHr7R
	bmR1gmESsMdgG+9yCstNIZvVDD/YJk9SrafzfNwUc1vz7Eb5ujjdtP13PGfXspXCNQyh
	QYyiRaQcjhxPwz/J/YT4j648p2CTVHdaQ/gbFMXHxmxZiJ/W8irV7dKLTZk9tuZmoPOy
	nM9Jv1kQO+ln4LmL/vC2hJzq29P6f7jar+MSYZMdYkYhVvknn+EnbUYctmDbKbEffmys
	7byqGEBJUC2rWIKfd4IDpx+ulPFlsRkLwzd5A5FyPVL9tQQ1Y4V2o3Wc9UCRBCIZV9vZ
	Y7xQ==
X-Gm-Message-State: AJaThX7xzU5LIbBrREXoPHtUgcK8J4D8icc9h7zSlQAXzlO9dybpLddx
	a/2bKa8yq6ogm88kIf0OZ7g=
X-Google-Smtp-Source: AGs4zMZFfMdgfYGszY7TR+u7NZ9Zqr4t84xHvt36OuQFIxDjy3Nc4as31WXsVJVhJwpBjeOMES3VIA==
X-Received: by 10.223.128.3 with SMTP id 3mr4387075wrk.196.1510928920240;
	Fri, 17 Nov 2017 06:28:40 -0800 (PST)
Received: from obelix.fritz.box (p4FEE0DAB.dip0.t-ipconnect.de.
	[79.238.13.171]) by smtp.gmail.com with ESMTPSA id
	b105sm2633672wrd.69.2017.11.17.06.28.38
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Fri, 17 Nov 2017 06:28:39 -0800 (PST)
From: Dirk Behme <dirk.behme@gmail.com>
X-Google-Original-From: Dirk Behme <dirk.behme@de.bosch.com>
To: Marek Vasut <marex@denx.de>,
	u-boot@lists.denx.de
Date: Fri, 17 Nov 2017 15:28:36 +0100
Message-Id: <20171117142836.3456-1-dirk.behme@de.bosch.com>
X-Mailer: git-send-email 2.15.0
Cc: Martin.Mueller5@de.bosch.com
Subject: [U-Boot] [RFC PATCH] usb: ehci: do not invalidate a NULL buffer
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

[U-Boot,RFC] usb: ehci: do not invalidate a NULL buffer | expand

Commit Message

Dirk Behme Nov. 17, 2017, 2:28 p.m. UTC

Its a valid use case to call ehci_submit_async() with a NULL buffer
with length 0. E.g. from usb_set_configuration().

As invalidate_dcache_range() isn't able to judge if the address
NULL is valid or not (depending on the SoC hardware configuration it
might be valid) do the check in ehci_submit_async() as here we know
that we don't have to invalidate such a buffer.

Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>

---
Notes:

This was found on an older vendor specific U-Boot on an ARMv8 SoC
with a MMU configuration where address 0x00000000 is invalid.

The callstack I've seen is

usb_set_configuration(), calls
 -> usb_control_msg() with *data == NULL and size == 0
  -> submit_control_msg()
   -> _ehci_submit_control_msg()
    -> ehci_submit_async()

ehci_submit_async() called  __asm_invalidate_dcache_range() from
arch/arm/cpu/armv8/cache.S, then. Resulting in an exception trying
to use address 0 in x0 (dc ivac, x0).

I'm slightly unsure why this hasn't been catched or complained about
previously, already. Maybe I missed anything while working with an older
vendor U-Boot? Sorry in this case.

Best regards

Dirk
---
 drivers/usb/host/ehci-hcd.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Marek Vasut Nov. 17, 2017, 3:04 p.m. UTC | #1

On 11/17/2017 03:28 PM, Dirk Behme wrote:
> Its a valid use case to call ehci_submit_async() with a NULL buffer
> with length 0. E.g. from usb_set_configuration().
> 
> As invalidate_dcache_range() isn't able to judge if the address
> NULL is valid or not (depending on the SoC hardware configuration it
> might be valid) do the check in ehci_submit_async() as here we know
> that we don't have to invalidate such a buffer.
> 
> Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>

Looks OK, what about the other cache ops in EHCI, are they also affected?

> ---
> Notes:
> 
> This was found on an older vendor specific U-Boot on an ARMv8 SoC
> with a MMU configuration where address 0x00000000 is invalid.
> 
> The callstack I've seen is
> 
> usb_set_configuration(), calls
>  -> usb_control_msg() with *data == NULL and size == 0
>   -> submit_control_msg()
>    -> _ehci_submit_control_msg()
>     -> ehci_submit_async()
> 
> ehci_submit_async() called  __asm_invalidate_dcache_range() from
> arch/arm/cpu/armv8/cache.S, then. Resulting in an exception trying
> to use address 0 in x0 (dc ivac, x0).
> 
> I'm slightly unsure why this hasn't been catched or complained about
> previously, already. Maybe I missed anything while working with an older
> vendor U-Boot? Sorry in this case.
> 
> Best regards
> 
> Dirk
> ---
>  drivers/usb/host/ehci-hcd.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
> index be3e842dcc..32c661b37e 100644
> --- a/drivers/usb/host/ehci-hcd.c
> +++ b/drivers/usb/host/ehci-hcd.c
> @@ -595,8 +595,9 @@ ehci_submit_async(struct usb_device *dev, unsigned long pipe, void *buffer,
>  	 * dangerous operation, it's responsibility of the calling
>  	 * code to make sure enough space is reserved.
>  	 */
> -	invalidate_dcache_range((unsigned long)buffer,
> -		ALIGN((unsigned long)buffer + length, ARCH_DMA_MINALIGN));
> +	if (buffer != NULL && length > 0)
> +		invalidate_dcache_range((unsigned long)buffer,
> +			ALIGN((unsigned long)buffer + length, ARCH_DMA_MINALIGN));
>  
>  	/* Check that the TD processing happened */
>  	if (QT_TOKEN_GET_STATUS(token) & QT_TOKEN_STATUS_ACTIVE)
>

Behme Dirk (CM/ESO2) Nov. 21, 2017, 6:30 a.m. UTC | #2

On 17.11.2017 16:04, Marek Vasut wrote:
> On 11/17/2017 03:28 PM, Dirk Behme wrote:
>> Its a valid use case to call ehci_submit_async() with a NULL buffer
>> with length 0. E.g. from usb_set_configuration().
>>
>> As invalidate_dcache_range() isn't able to judge if the address
>> NULL is valid or not (depending on the SoC hardware configuration it
>> might be valid) do the check in ehci_submit_async() as here we know
>> that we don't have to invalidate such a buffer.
>>
>> Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
> 
> Looks OK, 


Ok, thanks, I'll drop the RFC, then.


> what about the other cache ops in EHCI, are they also affected?


This was found based on a MMU configuration excluding address 
0x00000000. Fixing this one location made a usb start and reading from 
an USB stick work.

So either only this location is affected, or above use case doesn't 
cover all relevant path. In latter case I don't have enough USB 
knowledge to evaluate all path by review.

Best regards

Dirk


>> ---
>> Notes:
>>
>> This was found on an older vendor specific U-Boot on an ARMv8 SoC
>> with a MMU configuration where address 0x00000000 is invalid.
>>
>> The callstack I've seen is
>>
>> usb_set_configuration(), calls
>>   -> usb_control_msg() with *data == NULL and size == 0
>>    -> submit_control_msg()
>>     -> _ehci_submit_control_msg()
>>      -> ehci_submit_async()
>>
>> ehci_submit_async() called  __asm_invalidate_dcache_range() from
>> arch/arm/cpu/armv8/cache.S, then. Resulting in an exception trying
>> to use address 0 in x0 (dc ivac, x0).
>>
>> I'm slightly unsure why this hasn't been catched or complained about
>> previously, already. Maybe I missed anything while working with an older
>> vendor U-Boot? Sorry in this case.
>>
>> Best regards
>>
>> Dirk
>> ---
>>   drivers/usb/host/ehci-hcd.c | 5 +++--
>>   1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
>> index be3e842dcc..32c661b37e 100644
>> --- a/drivers/usb/host/ehci-hcd.c
>> +++ b/drivers/usb/host/ehci-hcd.c
>> @@ -595,8 +595,9 @@ ehci_submit_async(struct usb_device *dev, unsigned long pipe, void *buffer,
>>   	 * dangerous operation, it's responsibility of the calling
>>   	 * code to make sure enough space is reserved.
>>   	 */
>> -	invalidate_dcache_range((unsigned long)buffer,
>> -		ALIGN((unsigned long)buffer + length, ARCH_DMA_MINALIGN));
>> +	if (buffer != NULL && length > 0)
>> +		invalidate_dcache_range((unsigned long)buffer,
>> +			ALIGN((unsigned long)buffer + length, ARCH_DMA_MINALIGN));
>>   
>>   	/* Check that the TD processing happened */
>>   	if (QT_TOKEN_GET_STATUS(token) & QT_TOKEN_STATUS_ACTIVE)
>>

Marek Vasut Nov. 21, 2017, 11:28 a.m. UTC | #3

On 11/21/2017 07:30 AM, Dirk Behme wrote:
> On 17.11.2017 16:04, Marek Vasut wrote:
>> On 11/17/2017 03:28 PM, Dirk Behme wrote:
>>> Its a valid use case to call ehci_submit_async() with a NULL buffer
>>> with length 0. E.g. from usb_set_configuration().
>>>
>>> As invalidate_dcache_range() isn't able to judge if the address
>>> NULL is valid or not (depending on the SoC hardware configuration it
>>> might be valid) do the check in ehci_submit_async() as here we know
>>> that we don't have to invalidate such a buffer.
>>>
>>> Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
>>
>> Looks OK, 
> 
> 
> Ok, thanks, I'll drop the RFC, then.
> 
> 
>> what about the other cache ops in EHCI, are they also affected?
> 
> 
> This was found based on a MMU configuration excluding address
> 0x00000000. Fixing this one location made a usb start and reading from
> an USB stick work.
> 
> So either only this location is affected, or above use case doesn't
> cover all relevant path. In latter case I don't have enough USB
> knowledge to evaluate all path by review.

Well, I skimmed through the rest of the function and this seems to be
the only spot where it could be problematic if length == 0 , so this is
the correct fix.

Applied, thanks.

> Best regards
> 
> Dirk
> 
> 
>>> ---
>>> Notes:
>>>
>>> This was found on an older vendor specific U-Boot on an ARMv8 SoC
>>> with a MMU configuration where address 0x00000000 is invalid.
>>>
>>> The callstack I've seen is
>>>
>>> usb_set_configuration(), calls
>>>   -> usb_control_msg() with *data == NULL and size == 0
>>>    -> submit_control_msg()
>>>     -> _ehci_submit_control_msg()
>>>      -> ehci_submit_async()
>>>
>>> ehci_submit_async() called  __asm_invalidate_dcache_range() from
>>> arch/arm/cpu/armv8/cache.S, then. Resulting in an exception trying
>>> to use address 0 in x0 (dc ivac, x0).
>>>
>>> I'm slightly unsure why this hasn't been catched or complained about
>>> previously, already. Maybe I missed anything while working with an older
>>> vendor U-Boot? Sorry in this case.
>>>
>>> Best regards
>>>
>>> Dirk
>>> ---
>>>   drivers/usb/host/ehci-hcd.c | 5 +++--
>>>   1 file changed, 3 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
>>> index be3e842dcc..32c661b37e 100644
>>> --- a/drivers/usb/host/ehci-hcd.c
>>> +++ b/drivers/usb/host/ehci-hcd.c
>>> @@ -595,8 +595,9 @@ ehci_submit_async(struct usb_device *dev,
>>> unsigned long pipe, void *buffer,
>>>        * dangerous operation, it's responsibility of the calling
>>>        * code to make sure enough space is reserved.
>>>        */
>>> -    invalidate_dcache_range((unsigned long)buffer,
>>> -        ALIGN((unsigned long)buffer + length, ARCH_DMA_MINALIGN));
>>> +    if (buffer != NULL && length > 0)
>>> +        invalidate_dcache_range((unsigned long)buffer,
>>> +            ALIGN((unsigned long)buffer + length, ARCH_DMA_MINALIGN));
>>>         /* Check that the TD processing happened */
>>>       if (QT_TOKEN_GET_STATUS(token) & QT_TOKEN_STATUS_ACTIVE)
>>>

diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
index be3e842dcc..32c661b37e 100644
--- a/drivers/usb/host/ehci-hcd.c
+++ b/drivers/usb/host/ehci-hcd.c
@@ -595,8 +595,9 @@  ehci_submit_async(struct usb_device *dev, unsigned long pipe, void *buffer,
 	 * dangerous operation, it's responsibility of the calling
 	 * code to make sure enough space is reserved.
 	 */
-	invalidate_dcache_range((unsigned long)buffer,
-		ALIGN((unsigned long)buffer + length, ARCH_DMA_MINALIGN));
+	if (buffer != NULL && length > 0)
+		invalidate_dcache_range((unsigned long)buffer,
+			ALIGN((unsigned long)buffer + length, ARCH_DMA_MINALIGN));
 
 	/* Check that the TD processing happened */
 	if (QT_TOKEN_GET_STATUS(token) & QT_TOKEN_STATUS_ACTIVE)

[U-Boot,RFC] usb: ehci: do not invalidate a NULL buffer

Commit Message

Comments

Patch