qemu/hw
Laszlo Ersek aa6857891d xhci: generate a Transfer Event for each Transfer TRB with the IOC bit set
At the moment, when the XHCI driver in edk2
(MdeModulePkg/Bus/Pci/XhciDxe/XhciDxe.inf) runs on QEMU, with the options

  -device nec-usb-xhci -device usb-kbd

it crashes with:

  ASSERT MdeModulePkg/Bus/Pci/XhciDxe/XhciSched.c(1759):
  TrsRing != ((void*) 0)

The crash hits in the following edk2 call sequence (all files under
MdeModulePkg/Bus/):

UsbEnumerateNewDev()                         [Usb/UsbBusDxe/UsbEnumer.c]
  UsbBuildDescTable()                        [Usb/UsbBusDxe/UsbDesc.c]
    UsbGetDevDesc()                          [Usb/UsbBusDxe/UsbDesc.c]
      UsbCtrlGetDesc(USB_REQ_GET_DESCRIPTOR) [Usb/UsbBusDxe/UsbDesc.c]
        UsbCtrlRequest()                     [Usb/UsbBusDxe/UsbDesc.c]
          UsbHcControlTransfer()             [Usb/UsbBusDxe/UsbUtility.c]
            XhcControlTransfer()             [Pci/XhciDxe/Xhci.c]
              XhcCreateUrb()                 [Pci/XhciDxe/XhciSched.c]
                XhcCreateTransferTrb()       [Pci/XhciDxe/XhciSched.c]
              XhcExecTransfer()              [Pci/XhciDxe/XhciSched.c]
                XhcCheckUrbResult()          [Pci/XhciDxe/XhciSched.c]
                  //
                  // look for TRB_TYPE_DATA_STAGE event [1]
                  //
              //
              // Store a copy of the device descriptor, as the hub device
              // needs this info to configure endpoint. [2]
              //
  UsbSetConfig()                             [Usb/UsbBusDxe/UsbDesc.c]
    UsbCtrlRequest(USB_REQ_SET_CONFIG)       [Usb/UsbBusDxe/UsbDesc.c]
      UsbHcControlTransfer()                 [Usb/UsbBusDxe/UsbUtility.c]
        XhcControlTransfer()                 [Pci/XhciDxe/Xhci.c]
          XhcSetConfigCmd()                  [Pci/XhciDxe/XhciSched.c]
            XhcInitializeEndpointContext()   [Pci/XhciDxe/XhciSched.c]
              //
              // allocate transfer ring for the endpoint [3]
              //

USBKeyboardDriverBindingStart()              [Usb/UsbKbDxe/EfiKey.c]
  UsbIoAsyncInterruptTransfer()              [Usb/UsbBusDxe/UsbBus.c]
    UsbHcAsyncInterruptTransfer()            [Usb/UsbBusDxe/UsbUtility.c]
      XhcAsyncInterruptTransfer()            [Pci/XhciDxe/Xhci.c]
        XhcCreateUrb()                       [Pci/XhciDxe/Xhci.c]
          XhcCreateTransferTrb()             [Pci/XhciDxe/XhciSched.c]
            XhcSyncTrsRing()                 [Pci/XhciDxe/XhciSched.c]
              ASSERT (TrsRing != NULL) [4]

UsbEnumerateNewDev() in the USB bus driver issues a GET_DESCRIPTOR
request, in order to determine the number of configurations that the
endpoint supports. The requests consists of three stages (three TRBs),
setup, data, and status. The length of the response is determined in [1],
namely from the transfer event that the host controller generates in
response to the request's middle stage (ie. the data stage).

If the length of the answer is correct (a full GET_DESCRIPTOR request
takes 18 bytes), then the XHCI driver that underlies the USB bus driver
"snoops" (caches) the descriptor data for later [2].

Later, the USB bus driver sends a SET_CONFIG request. The underlying XHCI
driver allocates a transfer ring for the endpoint, relying on the data
snooped and cached in step [2].

Finally, the USB keyboard driver submits an asynchronous interrupt
transfer to manage the keyboard. As part of this it asserts [4] that the
ring has been allocated in step [3].

And this ASSERT() fires. The root cause can be found in the way QEMU
handles the initial GET_DESCRIPTOR request.

Again, that request consists of three stages (TRBs, Transfer Request
Blocks), "setup", "data", and "status". The XhcCreateTransferTrb()
function sets the IOC ("Interrupt on Completion") flag in each of these
TRBs.

According to the XHCI specification, the host controller shall generate a
Transfer Event in response to *each* individual TRB of the request that
had the IOC flag set. This means that QEMU should queue three events:
setup, data, and status, for edk2's XHCI driver.

However, QEMU only generates two events:
- one for the setup (ie. 1st) stage,
- another for the status (ie. 3rd) stage.

No event is generated for the middle (ie. data) stage. The loop in QEMU's
xhci_xfer_report() function runs three times, but due to the "reported"
variable, only the first and the last TRBs elicit events, the middle (data
stage) results in no event queued.

As a consequence:
- When handling the GET_DESCRIPTOR request, XhcCheckUrbResult() in [1]
  does not update the response length from zero.

- XhcControlTransfer() thinks that the response is invalid (it has zero
  length payload instead of 18 bytes), hence [2] is not reached; the
  device descriptor is not stashed for later, and the number of possible
  configurations is left at zero.

- When handling the SET_CONFIG request, (NumConfigurations == 0) from
  above prevents the allocation of the endpoint's transfer ring.

- When the keyboard driver tries to use the endpoint, the ASSERT() blows
  up.

The solution is to correct the emulation in QEMU, and to generate a
transfer event whenever IOC is set in a TRB.

The patch replaces

  !reported && (IOC || foo)    == !reported && IOC ||
                                  !reported && foo

with

  IOC || (!reported && foo)    == IOC ||
                                  !reported && foo

which only changes how

  reported && IOC

is handled. (Namely, it now generates an event.)

Tested with edk2 built for "qemu-system-aarch64 -M virt" (ie.
"ArmVirtualizationQemu.dsc", aka "AAVMF"), and guest Linux.

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-03 08:36:58 +01:00
..
9pfs rcu: introduce RCU-enabled QLIST 2015-02-16 17:30:19 +01:00
acpi pci, pc, virtio fixes and cleanups 2015-01-27 13:17:30 +00:00
alpha QOM infrastructure fixes and device conversions 2015-03-02 13:20:43 +00:00
arm error: Use error_report_err() where appropriate 2015-02-18 10:51:09 +01:00
audio sb16: fix interrupt acknowledgement 2015-01-22 11:04:18 +01:00
block Clean up around error_get_pretty(), qerror_report_err() 2015-02-26 07:01:08 +00:00
bt
char QOM infrastructure fixes and device conversions 2015-03-02 13:20:43 +00:00
core QOM infrastructure fixes and device conversions 2015-03-02 13:20:43 +00:00
cpu icc_bus: fix typo ICC_BRIGDE -> ICC_BRIDGE 2014-11-03 19:51:56 +03:00
cris
display isa: remove isa_mem_base variable 2015-02-13 14:09:28 +00:00
dma vmstate: accept QEMUTimer in VMSTATE_TIMER*, add VMSTATE_TIMER_PTR* 2015-01-26 12:22:44 +01:00
gpio PPC: Add MPC8XXX gpio controller 2014-11-04 23:26:12 +01:00
i2c
i386 Revert "Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' into staging" 2015-03-03 00:29:17 +00:00
ide QOM infrastructure fixes and device conversions 2015-03-02 13:20:43 +00:00
input Add trace to ps2.c. 2015-02-10 09:27:20 +03:00
intc hmp: Name HMP info handler functions hmp_info_SUBCOMMAND() 2015-02-18 11:58:50 +01:00
ipack
isa isa: remove isa_mem_base variable 2015-02-13 14:09:28 +00:00
lm32 acpi-build: make ROMs RAM blocks resizeable 2015-01-08 13:17:55 +02:00
m68k hw/core/loader: implement address translation in uimage loader 2014-11-03 00:59:10 +03:00
mem numa: Move NUMA declarations from sysemu.h to numa.h 2015-02-23 15:39:27 -03:00
microblaze hw/core/loader: implement address translation in uimage loader 2014-11-03 00:59:10 +03:00
mips QOM infrastructure fixes and device conversions 2015-03-02 13:20:43 +00:00
misc hw: misc, add educational driver 2015-01-26 12:26:55 +01:00
moxie
net etsec: Replace qdev_init() by qdev_init_nofail() 2015-02-24 00:19:05 +01:00
nvram fw_cfg: fix endianness in fw_cfg_data_mem_read() / _write() 2015-01-16 11:54:30 +00:00
openrisc hw/core/loader: implement address translation in uimage loader 2014-11-03 00:59:10 +03:00
pci Clean up around error_get_pretty(), qerror_report_err() 2015-02-26 07:01:08 +00:00
pci-bridge pci: split shpc_cleanup and shpc_free 2015-02-16 17:30:14 +01:00
pci-host - vhost-scsi: add bootindex property 2015-02-24 13:58:18 +00:00
pcmcia
ppc NUMA fixes queue 2015-03-02 12:13:45 +00:00
s390x s390x/pci: Rework memory access in zpci instruction 2015-02-18 09:37:15 +01:00
scsi Clean up around error_get_pretty(), qerror_report_err() 2015-02-26 07:01:08 +00:00
sd vmstate: accept QEMUTimer in VMSTATE_TIMER*, add VMSTATE_TIMER_PTR* 2015-01-26 12:22:44 +01:00
sh4 r2d: Don't use legacy -usbdevice support for setting up board 2015-02-18 10:53:10 +01:00
sparc hmp: Name HMP info handler functions hmp_info_SUBCOMMAND() 2015-02-18 11:58:50 +01:00
sparc64 QOM infrastructure fixes and device conversions 2015-03-02 13:20:43 +00:00
ssi
timer fix mc146818rtc wrong subsection name to avoid vmstate_subsection_load() fail 2015-02-05 17:16:14 +01:00
tpm Drop superfluous conditionals around g_strdup() 2014-12-10 11:30:55 +03:00
tricore
unicore32
usb xhci: generate a Transfer Event for each Transfer TRB with the IOC bit set 2015-03-03 08:36:58 +01:00
vfio vfio: Fix debug message compile error 2015-02-10 10:25:44 -07:00
virtio - vhost-scsi: add bootindex property 2015-02-24 13:58:18 +00:00
watchdog vmstate: accept QEMUTimer in VMSTATE_TIMER*, add VMSTATE_TIMER_PTR* 2015-01-26 12:22:44 +01:00
xen xen-pt: Fix PCI devices re-attach failed 2015-01-13 11:49:46 +00:00
xenpv
xtensa hw/xtensa/xtfpga: treat uImage load address as virtual 2014-11-03 01:00:37 +03:00
Makefile.objs vfio: move hw/misc/vfio.c to hw/vfio/pci.c Move vfio.h into include/hw/vfio 2014-12-19 15:24:06 -07:00