SPRZ455D december   2020  – june 2023 DRA829J , DRA829J-Q1 , DRA829V , DRA829V-Q1 , TDA4VM , TDA4VM-Q1

ADVANCE INFORMATION  

  1.   1
  2. 1Modules Affected
  3. 2Nomenclature, Package Symbolization, and Revision Identification
    1. 2.1 Device and Development-Support Tool Nomenclature
    2. 2.2 Devices Supported
    3. 2.3 Package Symbolization and Revision Identification
  4. 3Silicon Revision 1.1/1.0 Usage Notes and Advisories
    1. 3.1 Silicon Revision 1.1/1.0 Usage Notes
      1.      i2134
    2. 3.2 Silicon Revision 1.1/1.0 Advisories
    3.     i2024
    4.     i2038
    5.     i2048
    6.     i2049
    7.     i2050
    8.     i2052
    9.     i2053
    10.     i2054
    11.     i2055
    12.     i2062
    13.     i2063
    14.     i2064
    15.     i2065
    16.     i2067
    17.     i2079
    18.     i2081
    19.     i2083
    20.     i2085
    21.     i2086
    22.     i2087
    23.     i2090
    24.     i2091
    25.     i2092
    26.     i2093
    27.     i2094
    28.     i2095
    29.     i2096
    30.     i2097
    31.     i2098
    32.     i2099
    33.     i2100
    34.     i2101
    35.     i2102
    36.     i2103
    37.     i2103
    38.     i2115
    39.     i2116
    40.     i2117
    41.     i2118
    42.     i2119
    43.     i2120
    44.     i2121
    45.     i2122
    46.     i2123
    47. 3.3 i2124
    48. 3.4 i2126
    49. 3.5 i2127
    50.     i2128
    51.     i2129
    52.     i2131
    53.     i2132
    54.     i2133
    55.     i2134
    56.     i2137
    57.     i2138
    58.     i2139
    59.     i2141
    60.     i2143
    61.     i2144
    62.     i2145
    63.     i2146
    64.     i2147
    65.     i2148
    66.     i2149
    67. 3.6 i2150
    68. 3.7 i2151
    69. 3.8 i2152
    70.     i2153
    71.     i2154
    72.     i2155
    73.     i2157
    74.     i2159
    75.     i2160
    76.     i2161
    77.     i2162
    78.     i2163
    79.     i2164
    80.     i2166
    81.     i2168
    82.     i2171
    83.     i2173
    84.     i2174
    85.     i2177
    86.     i2178
    87.     i2179
    88.     i2180
    89.     i2182
    90.     i2183
    91.     i2184
    92.     i2185
    93.     i2187
    94.     i2188
    95.     i2189
    96.     i2190
    97.     i2191
    98.     i2196
    99.     i2197
    100.     i2198
    101.     i2199
    102.     i2200
    103.     i2205
    104.     i2207
    105.     i2208
    106.     i2210
    107.     i2211
    108.     i2213
    109.     i2214
    110.     i2215
    111.     i2216
    112.     i2217
    113.     i2219
    114.     i2221
    115.     i2227
    116.     i2228
    117.     i2229
    118.     i2230
    119.     i2232
    120.     i2234
    121.     i2235
    122.     i2238
    123.     i2239
    124.     i2244
    125.     i2245
    126.     i2246
    127.     i2249
    128.     i2253
    129.     i2257
    130.     i2271
    131.     i2274
    132.     i2275
    133.     i2277
    134.     i2278
    135.     i2279
    136.     i2283
    137.     i2305
    138.     i2306
    139.     i2307
    140.     i2310
    141.     i2311
    142.     i2312
    143.     i2320
    144.     i2329
    145.     i2351
    146.     i2362
    147.     i2366
    148.     i2371
    149.     i2383
  5.   Trademarks
  6.   Revision History

i2067


USB: Race Condition while Reading TRB from System Memory in Device Mode

Details:

The following sequence will ensure that stale data is not transferred:

  1. Software needs to mark the initial TRB in TD as invalid (cycle bit points to software ownership).
  2. Software needs to prepare all other TRBs in TD
  3. Software will defer making initial TRB in TD as valid until DMA is done transferring all TRBs in existing TD. Software waits for IRQ[6] interrupt with TRBERR flag set before marking this TRB as valid (change cycle bit to indicate hardware ownership).

Workaround(s):

USB device controller uses 12-byte Transfer Request Block (TRB) data structures that are used to form a transfer ring in system memory. TRB contains the pointer to data buffer in memory that contains data to be transferred over USB or the location to store the data received over USB. Transfer ring management uses producer-consumer model where the software is the producer and Controller is the consumer. Ownership of a TRB is transferred between software and hardware using ‘Cycle’ bit field within the TRB. Software write of TRB into memory and hardware read of TRB from memory are expected to be atomic operations.

The issue arises because controller reads the TRB from system memory using two independent DMA transactions (8-byte transaction followed by a 4-byte transaction). As a result, TRB read operation by the controller is not atomic. If the software write to TRB occurs after hardware has read the first 8 bytes, this could lead to stale data transfer on IN transaction and stale data provided to software on OUT transaction.

The ‘Cycle’ bit is the least significant bit, which is read by the Controller in the second DMA transfer. Race condition exists because software write could be interleaved between the two read transactions. The following order of events could lead to corrupted data transfer on the USB bus:

  1. Controller reads the 8 most significant bytes of the TRB. The data buffer pointer in this TRB may be old.
  2. Software writes the 12-byte TRB in an atomic manner. This updates the data buffer pointer in the TRB to the new location.
  3. Controller reads the remaining 4 bytes of the TRB. Since cycle bit was updated by software in previous step, Controller sees this as a valid TRB even though data buffer pointer is incorrect.

This issue only affects Device mode.
千亿体育app官网登录(中国)官方网站IOS/安卓通用版/手机APP | 米乐app下载官网(中国)|ios|Android/通用版APP最新版 | 米乐|米乐·M6(中国大陆)官方网站 | 千亿体育登陆地址 | 华体会体育(中国)HTH·官方网站 | 千赢qy国际_全站最新版千赢qy国际V6.2.14安卓/IOS下载 | 18新利网v1.2.5|中国官方网站 | bob电竞真人(中国官网)安卓/ios苹果/电脑版【1.97.95版下载】 | 千亿体育app官方下载(中国)官方网站IOS/安卓/手机APP下载安装 |