[v3] usb: dwc3: core: Prevent USB core invalid event buffer address access

Commit Message

Selvarasu Ganesan Aug. 15, 2024, 6:48 a.m. UTC

This commit addresses an issue where the USB core could access an
invalid event buffer address during runtime suspend, potentially causing
SMMU faults and other memory issues in Exynos platforms. The problem
arises from the following sequence.
        1. In dwc3_gadget_suspend, there is a chance of a timeout when
        moving the USB core to the halt state after clearing the
        run/stop bit by software.
        2. In dwc3_core_exit, the event buffer is cleared regardless of
        the USB core's status, which may lead to an SMMU faults and
        other memory issues. if the USB core tries to access the event
        buffer address.

To prevent this hardware quirk on Exynos platforms, this commit ensures
that the event buffer address is not cleared by software  when the USB
core is active during runtime suspend by checking its status before
clearing the buffer address.

Cc: stable@vger.kernel.org # v6.1+
Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
---

Changes in v3:
- Added comment on why we need this fix.
- Included platform name in commit message.
- Removed Fixes tag as no issue on the previous commits, and updated Cc tag.
- Link to v2: https://lore.kernel.org/lkml/20240808120507.1464-1-selvarasu.g@samsung.com/

Changes in v2:
- Added separate check for USB controller status before cleaning the
  event buffer.
- Link to v1: https://lore.kernel.org/lkml/20240722145617.537-1-selvarasu.g@samsung.com/
---
 drivers/usb/dwc3/core.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Greg KH Aug. 16, 2024, 9:55 a.m. UTC | #1

On Thu, Aug 15, 2024 at 12:18:31PM +0530, Selvarasu Ganesan wrote:
> This commit addresses an issue where the USB core could access an
> invalid event buffer address during runtime suspend, potentially causing
> SMMU faults and other memory issues in Exynos platforms. The problem
> arises from the following sequence.
>         1. In dwc3_gadget_suspend, there is a chance of a timeout when
>         moving the USB core to the halt state after clearing the
>         run/stop bit by software.
>         2. In dwc3_core_exit, the event buffer is cleared regardless of
>         the USB core's status, which may lead to an SMMU faults and
>         other memory issues. if the USB core tries to access the event
>         buffer address.
> 
> To prevent this hardware quirk on Exynos platforms, this commit ensures
> that the event buffer address is not cleared by software  when the USB
> core is active during runtime suspend by checking its status before
> clearing the buffer address.
> 
> Cc: stable@vger.kernel.org # v6.1+

Any hint as to what commit id this fixes?

thanks,

greg k-h

Selvarasu Ganesan Aug. 16, 2024, 3:43 p.m. UTC | #2

On 8/16/2024 3:25 PM, Greg KH wrote:
> On Thu, Aug 15, 2024 at 12:18:31PM +0530, Selvarasu Ganesan wrote:
>> This commit addresses an issue where the USB core could access an
>> invalid event buffer address during runtime suspend, potentially causing
>> SMMU faults and other memory issues in Exynos platforms. The problem
>> arises from the following sequence.
>>          1. In dwc3_gadget_suspend, there is a chance of a timeout when
>>          moving the USB core to the halt state after clearing the
>>          run/stop bit by software.
>>          2. In dwc3_core_exit, the event buffer is cleared regardless of
>>          the USB core's status, which may lead to an SMMU faults and
>>          other memory issues. if the USB core tries to access the event
>>          buffer address.
>>
>> To prevent this hardware quirk on Exynos platforms, this commit ensures
>> that the event buffer address is not cleared by software  when the USB
>> core is active during runtime suspend by checking its status before
>> clearing the buffer address.
>>
>> Cc: stable@vger.kernel.org # v6.1+
> Any hint as to what commit id this fixes?
>
> thanks,
>
> greg k-h


Hi Greg,

This issue is not related to any particular commit. The given fix is 
address a hardware quirk on the Exynos platform. And we require it to be 
backported on stable kernel 6.1 and above all stable kernel.

Thanks,
Selva


>

Thinh Nguyen Aug. 16, 2024, 10:31 p.m. UTC | #3

On Thu, Aug 15, 2024, Selvarasu Ganesan wrote:
> This commit addresses an issue where the USB core could access an
> invalid event buffer address during runtime suspend, potentially causing
> SMMU faults and other memory issues in Exynos platforms. The problem
> arises from the following sequence.
>         1. In dwc3_gadget_suspend, there is a chance of a timeout when
>         moving the USB core to the halt state after clearing the
>         run/stop bit by software.
>         2. In dwc3_core_exit, the event buffer is cleared regardless of
>         the USB core's status, which may lead to an SMMU faults and
>         other memory issues. if the USB core tries to access the event
>         buffer address.
> 
> To prevent this hardware quirk on Exynos platforms, this commit ensures
> that the event buffer address is not cleared by software  when the USB
> core is active during runtime suspend by checking its status before
> clearing the buffer address.
> 
> Cc: stable@vger.kernel.org # v6.1+

Usually there's no "v" to indicate version. I'm not sure if it'll be an
issue. Regardless,

Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>

Thanks,
Thinh

> Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
> ---

Greg KH Aug. 17, 2024, 5:17 a.m. UTC | #4

On Fri, Aug 16, 2024 at 09:13:09PM +0530, Selvarasu Ganesan wrote:
> 
> On 8/16/2024 3:25 PM, Greg KH wrote:
> > On Thu, Aug 15, 2024 at 12:18:31PM +0530, Selvarasu Ganesan wrote:
> >> This commit addresses an issue where the USB core could access an
> >> invalid event buffer address during runtime suspend, potentially causing
> >> SMMU faults and other memory issues in Exynos platforms. The problem
> >> arises from the following sequence.
> >>          1. In dwc3_gadget_suspend, there is a chance of a timeout when
> >>          moving the USB core to the halt state after clearing the
> >>          run/stop bit by software.
> >>          2. In dwc3_core_exit, the event buffer is cleared regardless of
> >>          the USB core's status, which may lead to an SMMU faults and
> >>          other memory issues. if the USB core tries to access the event
> >>          buffer address.
> >>
> >> To prevent this hardware quirk on Exynos platforms, this commit ensures
> >> that the event buffer address is not cleared by software  when the USB
> >> core is active during runtime suspend by checking its status before
> >> clearing the buffer address.
> >>
> >> Cc: stable@vger.kernel.org # v6.1+
> > Any hint as to what commit id this fixes?
> >
> > thanks,
> >
> > greg k-h
> 
> 
> Hi Greg,
> 
> This issue is not related to any particular commit. The given fix is 
> address a hardware quirk on the Exynos platform. And we require it to be 
> backported on stable kernel 6.1 and above all stable kernel.

If it's a hardware quirk issue, why are you restricting it to a specific
kernel release and not a specific kernel commit?  Why not 5.15?  5.4?

thanks,

greg k-h

Selvarasu Ganesan Aug. 17, 2024, 1:43 p.m. UTC | #5

On 8/17/2024 10:47 AM, Greg KH wrote:
> On Fri, Aug 16, 2024 at 09:13:09PM +0530, Selvarasu Ganesan wrote:
>> On 8/16/2024 3:25 PM, Greg KH wrote:
>>> On Thu, Aug 15, 2024 at 12:18:31PM +0530, Selvarasu Ganesan wrote:
>>>> This commit addresses an issue where the USB core could access an
>>>> invalid event buffer address during runtime suspend, potentially causing
>>>> SMMU faults and other memory issues in Exynos platforms. The problem
>>>> arises from the following sequence.
>>>>           1. In dwc3_gadget_suspend, there is a chance of a timeout when
>>>>           moving the USB core to the halt state after clearing the
>>>>           run/stop bit by software.
>>>>           2. In dwc3_core_exit, the event buffer is cleared regardless of
>>>>           the USB core's status, which may lead to an SMMU faults and
>>>>           other memory issues. if the USB core tries to access the event
>>>>           buffer address.
>>>>
>>>> To prevent this hardware quirk on Exynos platforms, this commit ensures
>>>> that the event buffer address is not cleared by software  when the USB
>>>> core is active during runtime suspend by checking its status before
>>>> clearing the buffer address.
>>>>
>>>> Cc: stable@vger.kernel.org # v6.1+
>>> Any hint as to what commit id this fixes?
>>>
>>> thanks,
>>>
>>> greg k-h
>>
>> Hi Greg,
>>
>> This issue is not related to any particular commit. The given fix is
>> address a hardware quirk on the Exynos platform. And we require it to be
>> backported on stable kernel 6.1 and above all stable kernel.
> If it's a hardware quirk issue, why are you restricting it to a specific
> kernel release and not a specific kernel commit?  Why not 5.15?  5.4?

Hi Greg,

I mentioned a specific kernel because our platform is set to be tested 
and functioning with kernels 6.1 and above, and the issue was reported 
with these kernel versions. However, we would be fine if all stable 
kernels, such as 5.4 and 5.15, were backported. In this case, if you 
need a new patch version to update the Cc tag for all stable kernels, 
please suggest the Cc tag to avoid confusion in next version.

Thanks,
Selva
>
> thanks,
>
> greg k-h
>
>

Selvarasu Ganesan Aug. 21, 2024, 5:29 a.m. UTC | #6

On 8/17/2024 7:13 PM, Selvarasu Ganesan wrote:
> On 8/17/2024 10:47 AM, Greg KH wrote:
>> On Fri, Aug 16, 2024 at 09:13:09PM +0530, Selvarasu Ganesan wrote:
>>> On 8/16/2024 3:25 PM, Greg KH wrote:
>>>> On Thu, Aug 15, 2024 at 12:18:31PM +0530, Selvarasu Ganesan wrote:
>>>>> This commit addresses an issue where the USB core could access an
>>>>> invalid event buffer address during runtime suspend, potentially causing
>>>>> SMMU faults and other memory issues in Exynos platforms. The problem
>>>>> arises from the following sequence.
>>>>>            1. In dwc3_gadget_suspend, there is a chance of a timeout when
>>>>>            moving the USB core to the halt state after clearing the
>>>>>            run/stop bit by software.
>>>>>            2. In dwc3_core_exit, the event buffer is cleared regardless of
>>>>>            the USB core's status, which may lead to an SMMU faults and
>>>>>            other memory issues. if the USB core tries to access the event
>>>>>            buffer address.
>>>>>
>>>>> To prevent this hardware quirk on Exynos platforms, this commit ensures
>>>>> that the event buffer address is not cleared by software  when the USB
>>>>> core is active during runtime suspend by checking its status before
>>>>> clearing the buffer address.
>>>>>
>>>>> Cc: stable@vger.kernel.org # v6.1+
>>>> Any hint as to what commit id this fixes?
>>>>
>>>> thanks,
>>>>
>>>> greg k-h
>>> Hi Greg,
>>>
>>> This issue is not related to any particular commit. The given fix is
>>> address a hardware quirk on the Exynos platform. And we require it to be
>>> backported on stable kernel 6.1 and above all stable kernel.
>> If it's a hardware quirk issue, why are you restricting it to a specific
>> kernel release and not a specific kernel commit?  Why not 5.15?  5.4?
> Hi Greg,
>
> I mentioned a specific kernel because our platform is set to be tested
> and functioning with kernels 6.1 and above, and the issue was reported
> with these kernel versions. However, we would be fine if all stable
> kernels, such as 5.4 and 5.15, were backported. In this case, if you
> need a new patch version to update the Cc tag for all stable kernels,
> please suggest the Cc tag to avoid confusion in next version.
>
> Thanks,
> Selva


Hi Greg,

Would you like to provide any feedback or suggestions regarding the my 
last comments mentioned above?

Thanks,
Selva
>> thanks,
>>
>> greg k-h
>>
>>
>

Greg KH Aug. 22, 2024, 7:59 a.m. UTC | #7

On Sat, Aug 17, 2024 at 07:13:53PM +0530, Selvarasu Ganesan wrote:
> 
> On 8/17/2024 10:47 AM, Greg KH wrote:
> > On Fri, Aug 16, 2024 at 09:13:09PM +0530, Selvarasu Ganesan wrote:
> >> On 8/16/2024 3:25 PM, Greg KH wrote:
> >>> On Thu, Aug 15, 2024 at 12:18:31PM +0530, Selvarasu Ganesan wrote:
> >>>> This commit addresses an issue where the USB core could access an
> >>>> invalid event buffer address during runtime suspend, potentially causing
> >>>> SMMU faults and other memory issues in Exynos platforms. The problem
> >>>> arises from the following sequence.
> >>>>           1. In dwc3_gadget_suspend, there is a chance of a timeout when
> >>>>           moving the USB core to the halt state after clearing the
> >>>>           run/stop bit by software.
> >>>>           2. In dwc3_core_exit, the event buffer is cleared regardless of
> >>>>           the USB core's status, which may lead to an SMMU faults and
> >>>>           other memory issues. if the USB core tries to access the event
> >>>>           buffer address.
> >>>>
> >>>> To prevent this hardware quirk on Exynos platforms, this commit ensures
> >>>> that the event buffer address is not cleared by software  when the USB
> >>>> core is active during runtime suspend by checking its status before
> >>>> clearing the buffer address.
> >>>>
> >>>> Cc: stable@vger.kernel.org # v6.1+
> >>> Any hint as to what commit id this fixes?
> >>>
> >>> thanks,
> >>>
> >>> greg k-h
> >>
> >> Hi Greg,
> >>
> >> This issue is not related to any particular commit. The given fix is
> >> address a hardware quirk on the Exynos platform. And we require it to be
> >> backported on stable kernel 6.1 and above all stable kernel.
> > If it's a hardware quirk issue, why are you restricting it to a specific
> > kernel release and not a specific kernel commit?  Why not 5.15?  5.4?
> 
> Hi Greg,
> 
> I mentioned a specific kernel because our platform is set to be tested 
> and functioning with kernels 6.1 and above, and the issue was reported 
> with these kernel versions. However, we would be fine if all stable 
> kernels, such as 5.4 and 5.15, were backported. In this case, if you 
> need a new patch version to update the Cc tag for all stable kernels, 
> please suggest the Cc tag to avoid confusion in next version.

I'll fix it up when applying it, thanks.

greg k-h

Selvarasu Ganesan Aug. 28, 2024, 4:08 a.m. UTC | #8

On 8/22/2024 1:29 PM, Greg KH wrote:
> On Sat, Aug 17, 2024 at 07:13:53PM +0530, Selvarasu Ganesan wrote:
>> On 8/17/2024 10:47 AM, Greg KH wrote:
>>> On Fri, Aug 16, 2024 at 09:13:09PM +0530, Selvarasu Ganesan wrote:
>>>> On 8/16/2024 3:25 PM, Greg KH wrote:
>>>>> On Thu, Aug 15, 2024 at 12:18:31PM +0530, Selvarasu Ganesan wrote:
>>>>>> This commit addresses an issue where the USB core could access an
>>>>>> invalid event buffer address during runtime suspend, potentially causing
>>>>>> SMMU faults and other memory issues in Exynos platforms. The problem
>>>>>> arises from the following sequence.
>>>>>>            1. In dwc3_gadget_suspend, there is a chance of a timeout when
>>>>>>            moving the USB core to the halt state after clearing the
>>>>>>            run/stop bit by software.
>>>>>>            2. In dwc3_core_exit, the event buffer is cleared regardless of
>>>>>>            the USB core's status, which may lead to an SMMU faults and
>>>>>>            other memory issues. if the USB core tries to access the event
>>>>>>            buffer address.
>>>>>>
>>>>>> To prevent this hardware quirk on Exynos platforms, this commit ensures
>>>>>> that the event buffer address is not cleared by software  when the USB
>>>>>> core is active during runtime suspend by checking its status before
>>>>>> clearing the buffer address.
>>>>>>
>>>>>> Cc: stable@vger.kernel.org # v6.1+
>>>>> Any hint as to what commit id this fixes?
>>>>>
>>>>> thanks,
>>>>>
>>>>> greg k-h
>>>> Hi Greg,
>>>>
>>>> This issue is not related to any particular commit. The given fix is
>>>> address a hardware quirk on the Exynos platform. And we require it to be
>>>> backported on stable kernel 6.1 and above all stable kernel.
>>> If it's a hardware quirk issue, why are you restricting it to a specific
>>> kernel release and not a specific kernel commit?  Why not 5.15?  5.4?
>> Hi Greg,
>>
>> I mentioned a specific kernel because our platform is set to be tested
>> and functioning with kernels 6.1 and above, and the issue was reported
>> with these kernel versions. However, we would be fine if all stable
>> kernels, such as 5.4 and 5.15, were backported. In this case, if you
>> need a new patch version to update the Cc tag for all stable kernels,
>> please suggest the Cc tag to avoid confusion in next version.
> I'll fix it up when applying it, thanks.

Thank you for the support!!.

Thanks,
Selva
>
> greg k-h
>

Patch

diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
index 734de2a8bd21..ccc3895dbd7f 100644
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -564,9 +564,17 @@  int dwc3_event_buffers_setup(struct dwc3 *dwc)
 void dwc3_event_buffers_cleanup(struct dwc3 *dwc)
 {
 	struct dwc3_event_buffer	*evt;
+	u32				reg;
 
 	if (!dwc->ev_buf)
 		return;
+	/*
+	 * Exynos platforms may not be able to access event buffer if the
+	 * controller failed to halt on dwc3_core_exit().
+	 */
+	reg = dwc3_readl(dwc->regs, DWC3_DSTS);
+	if (!(reg & DWC3_DSTS_DEVCTRLHLT))
+		return;
 
 	evt = dwc->ev_buf;