[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1859359] Re: xHCI and event ring handling

From: Benjamin David Lunt
Subject: [Bug 1859359] Re: xHCI and event ring handling
Date: Sun, 12 Jan 2020 23:09:32 -0000

I failed to note above that the HCSPARAMS2 register does indeed limit
the count of segments in the Event Ring.  I guess as long as you never
change this value from one (1) you will be okay.

However, the spurious interrupt stuff still stands as a bug.

Thank you,

You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.

  xHCI and event ring handling

Status in QEMU:

Bug description:
  I believe that the Event Ring handling in QEMU is not correct.  For
  example, an Event Ring may have multiple segments.  However, the code
  in xhci_write_event()
  xhci.c;hb=HEAD#l645), starting with line 668, seems to only support a
  single segment.

  Also, QEMU is sending a spurious interrupt after the Guest writes to
  the ERDP register due to the fact that the address written does not
  match the current index.  This is because the index is incremented
  after sending the event.  The xHCI specification states in section "When software finishes processing an Event TRB, it will
  write the address of that Event TRB to the ERDP."

  Since xhci_write_event() has already incremented the index pointer
  (intr->er_ep_idx), the check at line 3098
  xhci.c;hb=HEAD#l3090) no longer is valid.

  I have not studied QEMU's code enough yet to offer a patch.  However,
  this should be a simple fix.

  if (intr->er_ep_idx >= intr->er_table[intr->er_segment].er_size) {
    intr->er_ep_idx = 0;
    if (intr->er_segment >= intr->er_table_size) {
      intr->er_segment = 0;
      intr->er_pcs = !intr->er_pcs;

  Being sure to incorporate this new segment member into the above code
  (possibly as shown) as well as change the lines at 665 to use the new
  segment member of the structure, and of course in the initialization
  portion of the event ring.

  As for the spurious interrupt at line 3101, a new member will need to
  be added to the code to keep track of the last inserted ED (TRB) into
  the Event Ring and then of course checking against this new member,
  not the now newly incremented member.

  I have sent an email to the author listed at the top of the file as
  well, not sure if this is proper bug reporting etiquette or not.

  Thank you.

To manage notifications about this bug go to:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]