On Thu, Dec 09, 2021 at 11:14:23AM +0800, Chunfeng Yun wrote:
There is a seldom issue that the controller access invalid address and trigger devapc or emimpu violation. That is due to memory access is out of order and cause gpd data is not correct. Make sure GPD is fully written before giving it to HW by setting its HWO.
Fixes: 48e0d3735aa5 ("usb: mtu3: supports new QMU format") Cc: stable@vger.kernel.org Reported-by: Eddie Hung eddie.hung@mediatek.com Signed-off-by: Chunfeng Yun chunfeng.yun@mediatek.com
drivers/usb/mtu3/mtu3_qmu.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/mtu3/mtu3_qmu.c b/drivers/usb/mtu3/mtu3_qmu.c index 3f414f91b589..34bb5ac67efe 100644 --- a/drivers/usb/mtu3/mtu3_qmu.c +++ b/drivers/usb/mtu3/mtu3_qmu.c @@ -273,6 +273,8 @@ static int mtu3_prepare_tx_gpd(struct mtu3_ep *mep, struct mtu3_request *mreq) gpd->dw3_info |= cpu_to_le32(GPD_EXT_FLAG_ZLP); }
- /* make sure GPD is fully written before giving it to HW */
- mb();
So this means you are using mmio for this structure? If so, shouldn't you be using normal io memory read/write calls as well and not just "raw" pointers like this:
gpd->dw0_info |= cpu_to_le32(GPD_FLAGS_IOC | GPD_FLAGS_HWO);
Are you sure this is ok?
Sprinkling around mb() calls is almost never the correct solution.
If you need to ensure that a write succeeds, shouldn't you do a read from it afterward? Many busses require this, doesn't yours?
mreq->gpd = gpd; @@ -306,6 +308,8 @@ static int mtu3_prepare_rx_gpd(struct mtu3_ep *mep, struct mtu3_request *mreq) gpd->next_gpd = cpu_to_le32(lower_32_bits(enq_dma)); ext_addr |= GPD_EXT_NGP(mtu, upper_32_bits(enq_dma)); gpd->dw3_info = cpu_to_le32(ext_addr);
- /* make sure GPD is fully written before giving it to HW */
- mb();
Again, mb(); does not ensure that memory-mapped i/o actually hits the HW. Or if it does on your platform, how?
mb() is a compiler barrier, not a memory write to a bus barrier. Please read Documentation/memory-barriers.txt for more details.
thanks,
greg k-h