Bug #4225

ehci can hang interminably trying to read PCI capabilities

Added by Garrett D'Amore about 7 years ago. Updated over 1 year ago.

Status: In Progress
Priority: Normal
Category: driver - device drivers
Start date: 2013-10-17
Due date:
% Done: 60%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:
Description

The ehci driver has an unbounded loop trying to read extended PCI capabilities. For properly initialized hardware, this is no problem. But I've recently run into an Intel development board where the space is not properly configured, and the linked list has a "cycle" (in the form of always reading 0xff as the next offset. ;-)

The broken code is in ehci_take_control().

The loop here:

        while (extended_cap_offset) {

                /* Get the extended capability value. */
                extended_cap = pci_config_get32(ehcip->ehci_config_handle,
                    extended_cap_offset);

                /* Get the capability ID */
                extended_cap_id = (extended_cap & EHCI_EX_CAP_ID) >>
                    EHCI_EX_CAP_ID_SHIFT;

                /* Check if the card support legacy */
                if (extended_cap_id == EHCI_EX_CAP_ID_BIOS_HANDOFF) {
                        break;
                }

                /* Get the offset of the next capability */
                extended_cap_offset = (extended_cap & EHCI_EX_CAP_NEXT_PTR) >>
                    EHCI_EX_CAP_NEXT_PTR_SHIFT;
        }

Needs to be modified to terminate. Notably, Linux terminates the loop after 256/4 attempts, which corresponds to the maximum number of capabilities that one could reasonably attempt to store in the PCI capability space.

I also note that Linux's ehci driver actually doesn't try to take control from the BIOS, but simply reports the state. I suspect that this semaphore is not one that is actually used in practice. (Linux does boot properly on the particular development platform in question.)
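A bounded form of the walk, as an added example that is not part of the original report and is not the illumos fix. It runs against a simulated 256-byte config space constructed here; `cfg_get32`, `put_cap`, `find_legacy_cap` and the `CAP_*` constants are hypothetical names, and the layout assumed is capability ID in bits 7:0 with the next pointer in bits 15:8. The 256/4 limit is the one the report attributes to Linux.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFG_SIZE        256             /* simulated PCI config space */
#define CAP_WALK_MAX    (CFG_SIZE / 4)  /* at most one capability per dword */
#define CAP_ID_MASK     0x000000ffu     /* assumed layout: ID in bits 7:0 */
#define CAP_NEXT_MASK   0x0000ff00u     /* assumed layout: next in bits 15:8 */
#define CAP_NEXT_SHIFT  8
#define CAP_ID_LEGACY   0x01u           /* BIOS handoff (legacy support) */

/* Simulated 32-bit config read; reads past the end return all ones. */
static uint32_t cfg_get32(const uint8_t *cfg, uint8_t off)
{
    if ((unsigned)off + 4 > CFG_SIZE)
        return 0xffffffffu;
    return cfg[off] | ((uint32_t)cfg[off + 1] << 8) |
        ((uint32_t)cfg[off + 2] << 16) | ((uint32_t)cfg[off + 3] << 24);
}

/* Build one constructed capability header for the sample spaces. */
static void put_cap(uint8_t *cfg, uint8_t off, uint8_t id, uint8_t next)
{
    cfg[off] = id;
    cfg[off + 1] = next;
}

/* Offset of the legacy cap, 0 if the list ends without one, -1 if malformed. */
static int find_legacy_cap(const uint8_t *cfg, uint8_t start)
{
    uint8_t off = start;
    for (int tries = 0; off != 0 && tries < CAP_WALK_MAX; tries++) {
        uint32_t cap = cfg_get32(cfg, off);
        if ((cap & CAP_ID_MASK) == CAP_ID_LEGACY)
            return off;
        off = (cap & CAP_NEXT_MASK) >> CAP_NEXT_SHIFT;
    }
    return off == 0 ? 0 : -1;   /* budget exhausted: cycle or 0xff reads */
}

int main(void)
{
    uint8_t stuck[CFG_SIZE], good[CFG_SIZE] = {0};
    memset(stuck, 0xff, sizeof (stuck));    /* every read yields 0xff */
    put_cap(good, 0x68, 0x02, 0x70);
    put_cap(good, 0x70, CAP_ID_LEGACY, 0x00);
    printf("stuck: %d, good: 0x%x\n", find_legacy_cap(stuck, 0x68),
        (unsigned)find_legacy_cap(good, 0x68));
    return 0;
}
```

A caller that gets -1 should skip the BIOS handoff rather than retry, since the list cannot be trusted.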


Related issues

Related to illumos gate - Bug #9806: ehci_take_control() can infinite loop due to PCI invalid reads (Closed, Robert Mustacchi, 2018-09-09)

#1

Updated by Garrett D'Amore about 7 years ago

  • Status changed from New to In Progress
#2

Updated by Robert Mustacchi over 1 year ago

  • Related to Bug #9806: ehci_take_control() can infinite loop due to PCI invalid reads added
#3

Updated by Robert Mustacchi over 1 year ago

I believe that this may all be covered by 9806.
