Context Navigation

← Previous Change
Ticket Comment History
Next Change →

Changes between Initial Version and Version 1 of Ticket #12117, comment 7

Timestamp:: Sep 29, 2013 11:11:53 PM (11 years ago)
Author:: chuck-h

Legend:

: Unmodified
: Added
: Removed
: Modified

Ticket #12117, comment 7

-              initial
+              v1
 A possible clue. Running !VirtualBox4.2.18 with BUILD_TYPE=debug and VBOX_LOG="dev_usb.e.l".
 On the last successful transfer before hang, I notice two things:
+On the last successful transfer before hang, it looks like devOHCI processed an HcCommandStatus_w() callback, setting the Bulk List Full (BLF) flag, while it was inside the ohciStartOfFrame() routine. I believe this call came in normal fashion from the guest, executing td_submit_urb() in the ohci-q.cpp kernel code.
 (1) Although the 9-byte outgoing URB gets processed and devOHCI receives an ohciRhXferCompletion callback for it, there is no corresponding "Writeback Done" log from ohciUpdateHCCA.
+Inside ohciStartOfFrame(), the BLF flag is tested in order to decide to call ohciServiceBulkList(), then tested again to decide whether to unwind a disabled bulk list. There seems to be a narrow window of vulnerability if the guest sets BLF between these two tests, but no indication in the logs that this ocurred.
+(2) it looks like devOHCI processed an HcCommandStatus_w() callback, setting the Bulk List Full (BLF) flag, while it was inside the ohciStartOfFrame() routine. I believe this call came in normal fashion from the guest, executing td_submit_urb() in the ohci-q.cpp kernel code.
+Inside ohciStartOfFrame(), ohciServiceBulkList() resets the BLF flag to 0 as part of its normal processing. It is possible that there is a race condition between the guest setting BLF and the host resetting it. I have not followed this logic through, though.
+It is worth noting that the HcCommandStatus_w() log entry is the only indication we have in the host logs that the guest has just finished queuing a new bulk TD. We may presume that the other parts of the TD-queuing process occurred at about the same time (i.e. during host ohciStartOfFrame execution), and it might be one of these actions (e.g. updating pointers) that causes trouble, not the BLF setting itself. The SMP "memory-barriers" issue of the original ticket may be pertinent.
 (The sequencing of log entries below may not be perfect; as far as I can tell it appears that outputs from Log() and Log2() statements may be interleaved in a different sequence from their execution. Or perhaps I am rather confused!)
 …
 ohci: cbp=0x11815600 be=0x11815608 cbTotal=9
 URB 00007f9568040500       Bulk/m>3591: ohciRhXferCompleteGeneralURB: ED=0x36d6d0a0 TD=0x36ad1180 Age=1 cbTotal=0x0 NewCbp=0x00000009 dqic=0
+ohci: Writeback Done (0x36ad1301) on frame 0x38c5 (age 0x1)
 }}}