On Tue, Feb 28, 2012 at 02:51:22PM +1100, David Gibson wrote:
> This patch fixes two bugs in the OHCI device where the device writes
> back data to system memory that should be exclusively under the
> control of the guest side driver.
>
> In OHCI specification Section 5.2.7, it mentioned "In all cases, Host
> Controller Driver is responsible for the insertion and removal of all
> Endpoint Descriptors in the various Host Controller Endpoint
> Descriptor lists".  In the ohci_frame_boundary(), ohci_put_hcca()
> writes the entire hcca back including the interrupt ED lists which
> should be under driver control.  This violates the specification and
> can race with a host driver updating that list at the same time.
>
> In the OHCI Spec Section 4.6, Transfer Descriptor Queue Processing, it
> mentioned "Since the TD pointed to by TailP is not accessed by the HC,
> the Host Controller Driver can initialize that TD and link at least
> one other to it without creating a coherency or synchronization
> problem".  While the function ohci_put_ed() writes the entire endpoint
> descriptor back including the TailP which should be under driver
> control.  This violates the specification and can race with a host
> driver updating the TD list at the same time.
>
> In each case the solution is to make sure we don't write data which is
> under driver control.

Arrrgh, sorry, screwed up yet again.  This version has some redundant
#defines left in.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
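
The TailP race described in the quoted commit message, shown as an added example that is not part of this message or of the patch: a constructed model in which `guest_mem`, `put_ed_full`, `put_ed_head_only` and `tail_after_race` are hypothetical names, all addresses are made-up sample values, and the endpoint descriptor is simplified to four host-endian words.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* OHCI endpoint descriptor, simplified to its four 32-bit words. */
struct ed {
    uint32_t flags; /* driver-owned */
    uint32_t tail;  /* TailP: driver-owned, never accessed by the HC */
    uint32_t head;  /* HeadP: advanced by the host controller */
    uint32_t next;  /* NextED: driver-owned */
};

static uint8_t guest_mem[64]; /* constructed stand-in for guest RAM */

/* Before: write the whole ED back, including the driver-owned words. */
static void put_ed_full(uint32_t addr, const struct ed *ed)
{
    memcpy(guest_mem + addr, ed, sizeof(*ed));
}

/* After: write back only the word the controller is allowed to change. */
static void put_ed_head_only(uint32_t addr, const struct ed *ed)
{
    memcpy(guest_mem + addr + offsetof(struct ed, head),
           &ed->head, sizeof(ed->head));
}

/* Controller snapshots the ED, the driver then queues a TD by moving TailP,
 * and the controller writes its stale snapshot back. Returns TailP afterwards. */
static uint32_t tail_after_race(void (*put_ed)(uint32_t, const struct ed *))
{
    const uint32_t ed_addr = 16, new_tail = 0x3000;
    struct ed init = { .flags = 1, .tail = 0x2000, .head = 0x1000, .next = 0 };
    struct ed snap, now;

    memcpy(guest_mem + ed_addr, &init, sizeof(init));
    memcpy(&snap, guest_mem + ed_addr, sizeof(snap));      /* HC reads ED */
    memcpy(guest_mem + ed_addr + offsetof(struct ed, tail),
           &new_tail, sizeof(new_tail));                   /* driver moves TailP */
    snap.head = 0x2000;                                    /* HC retires one TD */
    put_ed(ed_addr, &snap);
    memcpy(&now, guest_mem + ed_addr, sizeof(now));
    return now.tail;
}

int main(void)
{
    /* Full write-back reverts TailP; head-only write-back preserves it. */
    return !(tail_after_race(put_ed_full) == 0x2000 &&
             tail_after_race(put_ed_head_only) == 0x3000);
}
```

With the full write-back, TailP reverts to the stale value and equals HeadP, so the TD the driver just queued is no longer reachable from the endpoint.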