From patchwork Wed Feb 26 07:02:55 2025
X-Patchwork-Submitter: Michał Pecio
X-Patchwork-Id: 13991622
Date: Wed, 26 Feb 2025 08:02:55 +0100
From: Michal Pecio
To: Mathias Nyman, Greg Kroah-Hartman
Cc: Niklas Neronin, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 1/5] usb: xhci: Don't skip on Stopped - Length Invalid
Message-ID: <20250226080255.770ca055@foxbook>
In-Reply-To: <20250226080202.7eb5e142@foxbook>
References: <20250226080202.7eb5e142@foxbook>
X-Mailing-List: linux-usb@vger.kernel.org

Up until commit d56b0b2ab142 ("usb: xhci: ensure skipped isoc TDs are returned when isoc ring is stopped") in v6.11, the driver didn't skip missed isochronous TDs when handling Stopped and Stopped - Length Invalid events. Instead, it erroneously cleared the skip flag, which would cause the ring to get stuck, as future events won't match the missed TD which is never removed from the queue until it's cancelled.

This buggy logic seems to have been in place substantially unchanged since the 3.x series over 10 years ago, which probably speaks first and foremost about relative rarity of this case in normal usage, but by the spec I see no reason why it shouldn't be possible.

After d56b0b2ab142, TDs are immediately skipped when handling those Stopped events. This poses a potential problem in case of Stopped - Length Invalid, which occurs either on completed TDs (likely already given back) or Link and No-Op TRBs. Such an event won't be recognized as matching any TD (unless it's the rare Link TRB inside a TD) and will result in skipping all pending TDs, giving them back possibly before they are done, risking isoc data loss and maybe UAF by HW.

As a compromise, don't skip and don't clear the skip flag on this kind of event. Then the next event will skip missed TDs.

A downside of not handling Stopped - Length Invalid on a Link inside a TD is that if the TD is cancelled, its actual length will not be updated to account for TRBs (silently) completed before the TD was stopped.

I had no luck producing this sequence of completion events so there is no compelling demonstration of any resulting disaster. It may be a very rare, obscure condition. The sole motivation for this patch is that if such an unlikely event does occur, I'd rather risk reporting a cancelled partially done isoc frame as empty than gamble with UAF.

This will be fixed more properly by looking at Stopped event's TRB pointer when making skipping decisions, but such rework is unlikely to be backported to v6.12, which will stay around for a few years.

Fixes: d56b0b2ab142 ("usb: xhci: ensure skipped isoc TDs are returned when isoc ring is stopped")
Cc: stable@vger.kernel.org
Signed-off-by: Michal Pecio
---
 drivers/usb/host/xhci-ring.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 67f3d8128b10..96b90819aec7 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c
@@ -2870,6 +2870,10 @@ static int handle_tx_event(struct xhci_hcd *xhci, if (!ep_seg) { if (ep->skip && usb_endpoint_xfer_isoc(&td->urb->ep->desc)) { + /* this event is unlikely to match any TD, don't skip them all */ + if (trb_comp_code == COMP_STOPPED_LENGTH_INVALID) + return 0; + skip_isoc_td(xhci, td, ep, status); if (!list_empty(&ep_ring->td_list)) continue;
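
Review bot: The comment above the new COMP_STOPPED_LENGTH_INVALID check says why the TDs are not skipped, but not that the early `return 0` also leaves ep->skip set on purpose, which is what the commit message relies on for the next event to skip the missed TDs. Suggest spelling that out in the comment, for example "this event is unlikely to match any TD, don't skip them all; ep->skip stays set so the next event does the skipping". Because the check sits inside the `ep->skip && usb_endpoint_xfer_isoc(...)` branch, Stopped - Length Invalid with the skip flag clear or on a non-isoc endpoint keeps its existing handling; a short mention of that scope would help anyone backporting this to v6.12.
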
From patchwork Wed Feb 26 07:03:39 2025
X-Patchwork-Submitter: Michał Pecio
X-Patchwork-Id: 13991623
Date: Wed, 26 Feb 2025 08:03:39 +0100
From: Michal Pecio
To: Mathias Nyman, Greg Kroah-Hartman
Cc: Niklas Neronin, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 2/5] usb: xhci: Complete 'error mid TD' transfers when handling Missed Service
Message-ID: <20250226080339.3499c49e@foxbook>
In-Reply-To: <20250226080202.7eb5e142@foxbook>
References: <20250226080202.7eb5e142@foxbook>

Missed Service Error after an error mid TD means that the failed TD has already been passed by the xHC without acknowledgment of the final TRB, a known hardware bug. So don't wait any more and give back the TD.

Reproduced on NEC uPD720200 under conditions of ludicrously bad USB link quality, confirmed to behave as expected using dynamic debug.

Signed-off-by: Michal Pecio
---
 drivers/usb/host/xhci-ring.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 96b90819aec7..5eaf4f9154b9 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -2794,7 +2794,7 @@ static int handle_tx_event(struct xhci_hcd *xhci, xhci_dbg(xhci, "Miss service interval error for slot %u ep %u, set skip flag\n", slot_id, ep_index); - return 0; + break; case COMP_NO_PING_RESPONSE_ERROR: ep->skip = true; xhci_dbg(xhci, 
@@ -2842,6 +2842,10 @@ static int handle_tx_event(struct xhci_hcd *xhci, xhci_dequeue_td(xhci, td, ep_ring, td->status); } + /* Missed TDs will be skipped on the next event */ + if (trb_comp_code == COMP_MISSED_SERVICE_ERROR) + return 0; + if (list_empty(&ep_ring->td_list)) { /* * Don't print wanings if ring is empty due to a stopped endpoint generating an
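
Review bot: In the second hunk, the new COMP_MISSED_SERVICE_ERROR return is only correct because it sits after the block ending in xhci_dequeue_td(), so the TD stuck in 'error mid TD' state is given back before the handler bails out, and the comment "Missed TDs will be skipped on the next event" does not mention that ordering. Suggest adding it to the comment, since the first hunk's change from `return 0` to `break` depends on this return to keep Missed Service events away from the list_empty() check and the code after it. A reader who later moves either statement has nothing in the code that ties the two together.
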
From patchwork Wed Feb 26 07:04:19 2025
X-Patchwork-Submitter: Michał Pecio
X-Patchwork-Id: 13991624
Date: Wed, 26 Feb 2025 08:04:19 +0100
From: Michal Pecio
To: Mathias Nyman, Greg Kroah-Hartman
Cc: Niklas Neronin, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 3/5] usb: xhci: Fix isochronous Ring Underrun/Overrun event handling
Message-ID: <20250226080419.79139d90@foxbook>
In-Reply-To: <20250226080202.7eb5e142@foxbook>
References: <20250226080202.7eb5e142@foxbook>

The TRB pointer of these events points at enqueue at the time of error occurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we are handling the event, a new TD may be queued at this ring position.

I can trigger this race by raising interrupt moderation to increase IRQ handling delay. Similar delay may occur naturally due to system load.

If this ever happens after a Missed Service Error, missed TDs will be skipped and the new TD processed as if it matched the event. It could be given back prematurely, risking data loss or buffer UAF by the xHC.

Don't complete TDs on xrun events and don't warn if queued TDs don't match the event's TRB pointer, which can be NULL or a link/no-op TRB. Don't warn if there are no queued TDs at all.

Now that it's safe, also handle xrun events if the skip flag is clear. This ensures completion of any TD stuck in 'error mid TD' state right before the xrun event, which could happen if a driver submits a finite number of URBs to a buggy HC and then an error occurs on the last TD.

Signed-off-by: Michal Pecio
---
 drivers/usb/host/xhci-ring.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 5eaf4f9154b9..995f8a9b5b53 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c
@@ -2669,6 +2669,7 @@ static int handle_tx_event(struct xhci_hcd *xhci, int status = -EINPROGRESS; struct xhci_ep_ctx *ep_ctx; u32 trb_comp_code; + bool ring_xrun_event = false; slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); ep_index = TRB_TO_EP_ID(le32_to_cpu(event->flags)) - 1; @@ -2775,14 +2776,12 @@ static int handle_tx_event(struct xhci_hcd *xhci, * Underrun Event for OUT Isoch endpoint. */ xhci_dbg(xhci, "Underrun event on slot %u ep %u\n", slot_id, ep_index); - if (ep->skip) - break; - return 0; + ring_xrun_event = true; + break; case COMP_RING_OVERRUN: xhci_dbg(xhci, "Overrun event on slot %u ep %u\n", slot_id, ep_index); - if (ep->skip) - break; - return 0; + ring_xrun_event = true; + break; case COMP_MISSED_SERVICE_ERROR: /* * When encounter missed service error, one or more isoc tds @@ -2855,6 +2854,7 @@ static int handle_tx_event(struct xhci_hcd *xhci, */ if (trb_comp_code != COMP_STOPPED && trb_comp_code != COMP_STOPPED_LENGTH_INVALID && + !ring_xrun_event && !ep_ring->last_td_was_short) { xhci_warn(xhci, "Event TRB for slot %u ep %u with no TDs queued\n", slot_id, ep_index); @@ -2889,6 +2889,10 @@ static int handle_tx_event(struct xhci_hcd *xhci, goto check_endpoint_halted; } + /* TD was queued after xrun, maybe xrun was on a link, don't panic yet */ + if (ring_xrun_event) + return 0; + /* * Skip the Force Stopped Event. The 'ep_trb' of FSE is not in the current * TD pointed by 'ep_ring->dequeue' because that the hardware dequeue 
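
Review bot: In the @@ -2889 hunk, the comment "don't panic yet" on the new `if (ring_xrun_event) return 0;` does not say what is being avoided or why it is safe. Suggest wording it in terms of the behaviour described in the commit message: the event's TRB pointer may be NULL or point at a link/no-op TRB, so a queued TD that does not match is neither completed nor reported as an error. This path also returns directly, while the branch just above it leaves through `goto check_endpoint_halted`; if bypassing the halted-endpoint check is intended for xrun events, the comment should say so.
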
@@ -2935,6 +2939,10 @@ static int handle_tx_event(struct xhci_hcd *xhci, */ } while (ep->skip); + /* Get out if a TD was queued at enqueue after the xrun occurred */ + if (ring_xrun_event) + return 0; + if (trb_comp_code == COMP_SHORT_PACKET) ep_ring->last_td_was_short = true; else
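
Review bot: The new `if (ring_xrun_event) return 0;` after the `while (ep->skip)` loop sits before the `ep_ring->last_td_was_short` update, so an xrun event leaves that flag at whatever the previous event set. The "no TDs queued" warning in the @@ -2855 hunk is gated on `!ep_ring->last_td_was_short`, so a stale value can still affect later events; please state in the comment that leaving the flag untouched is intended, or move the return below the update if it is not. It would also help to note that this exit is the case where the event's TRB pointer did match a queued TD, as opposed to the earlier return in the unmatched path.
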
From patchwork Wed Feb 26 07:05:00 2025
X-Patchwork-Submitter: Michał Pecio
X-Patchwork-Id: 13991625
Date: Wed, 26 Feb 2025 08:05:00 +0100
From: Michal Pecio
To: Mathias Nyman, Greg Kroah-Hartman
Cc: Niklas Neronin, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 4/5] usb: xhci: Expedite skipping missed isoch TDs on modern HCs
Message-ID: <20250226080500.4299ff8a@foxbook>
In-Reply-To: <20250226080202.7eb5e142@foxbook>
References: <20250226080202.7eb5e142@foxbook>

xHCI spec rev. 1.0 allowed the TRB pointer of Missed Service events to be NULL. Having no idea which of the queued TDs were missed and which are waiting, we can only set a flag to skip missed TDs later.

But HCs are also allowed to give us a pointer to the last missed TRB, and this became mandatory in spec rev. 1.1 and later. Use this pointer, if available, to immediately skip all missed TDs. This reduces latency and risk of skipping-related bugs, because we can now leave the skip flag cleared for future events.

Handle Missed Service Error events as 'error mid TD', if applicable, because rev. 1.0 spec explicitly says so in notes to 4.10.3.2 and later revs in 4.10.3.2 and 4.11.2.5.2. Notes to 4.9.1 seem to apply.

Tested on ASM1142 and ASM3142 v1.1 xHCs which provide TRB pointers.
Tested on AMD, Etron, Renesas v1.0 xHCs which provide TRB pointers.
Tested on NEC v0.96 and VIA v1.0 xHCs which send a NULL pointer.

Change inspired by a discussion about realtime USB audio.

Link: https://lore.kernel.org/linux-usb/76e1a191-020d-4a76-97f6-237f9bd0ede0@gmx.net/T/
Signed-off-by: Michal Pecio
---
 drivers/usb/host/xhci-ring.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 995f8a9b5b53..ad5f0e439200 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c
@@ -2481,6 +2481,12 @@ static void process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, if (ep_trb != td->end_trb) td->error_mid_td = true; break; + case COMP_MISSED_SERVICE_ERROR: + frame->status = -EXDEV; + sum_trbs_for_length = true; + if (ep_trb != td->end_trb) + td->error_mid_td = true; + break; case COMP_INCOMPATIBLE_DEVICE_ERROR: case COMP_STALL_ERROR: frame->status = -EPROTO; @@ -2791,8 +2797,8 @@ static int handle_tx_event(struct xhci_hcd *xhci, */ ep->skip = true; xhci_dbg(xhci, - "Miss service interval error for slot %u ep %u, set skip flag\n", - slot_id, ep_index); + "Miss service interval error for slot %u ep %u, set skip flag%s\n", + slot_id, ep_index, ep_trb_dma ? ", skip now" : ""); break; case COMP_NO_PING_RESPONSE_ERROR: ep->skip = true; 
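
Review bot: In the @@ -2791 hunk, `ep->skip = true;` in the context line just above the changed xhci_dbg() is still unconditional, while the commit message says the skip flag can now be left cleared for future events when a TRB pointer is provided. Nothing in the visible hunks shows where the flag is cleared in the `ep_trb_dma != 0` case, so please add a comment at this site saying which later code clears it, or set the flag only when `!ep_trb_dma`. The new debug text "set skip flag, skip now" would also read more accurately if it said that the skip happens within this event.
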
@@ -2841,8 +2847,8 @@ static int handle_tx_event(struct xhci_hcd *xhci, xhci_dequeue_td(xhci, td, ep_ring, td->status); } - /* Missed TDs will be skipped on the next event */ - if (trb_comp_code == COMP_MISSED_SERVICE_ERROR) + /* If the TRB pointer is NULL, missed TDs will be skipped on the next event */ + if (trb_comp_code == COMP_MISSED_SERVICE_ERROR && !ep_trb_dma) return 0; if (list_empty(&ep_ring->td_list)) {
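
Review bot: With the added `&& !ep_trb_dma`, a Missed Service event that carries a TRB pointer now continues into the `if (list_empty(&ep_ring->td_list))` check that follows, and the warning condition shown in patch 3/5 excludes only COMP_STOPPED, COMP_STOPPED_LENGTH_INVALID, xrun events and last_td_was_short. If all missed TDs were cancelled before the event is handled, this would print "Event TRB for slot %u ep %u with no TDs queued" for a condition that is not an error; consider adding COMP_MISSED_SERVICE_ERROR to the exclusions or explaining why the list cannot be empty here. The comment could also state the positive case, that a non-NULL pointer means the missed TDs are skipped within this event.
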
From patchwork Wed Feb 26 07:05:36 2025
X-Patchwork-Submitter: Michał Pecio
X-Patchwork-Id: 13991626
Date: Wed, 26 Feb 2025 08:05:36 +0100
From: Michal Pecio
To: Mathias Nyman, Greg Kroah-Hartman
Cc: Niklas Neronin, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 5/5] usb: xhci: Skip only one TD on Ring Underrun/Overrun
Message-ID: <20250226080536.4f6f7e93@foxbook>
In-Reply-To: <20250226080202.7eb5e142@foxbook>
References: <20250226080202.7eb5e142@foxbook>
X-Mailing-List: linux-usb@vger.kernel.org

If skipping is deferred to events other than Missed Service Error itself, it means we are running on an xHCI 1.0 host and don't know how many TDs were missed until we reach some ordinary transfer completion event. And in case of ring xrun, we can't know where the xrun happened either.

If we skip all pending TDs, we may prematurely give back TDs added after the xrun had occurred, risking data loss or buffer UAF by the xHC.

If we skip none, a driver may become confused and stop working when all its URBs are missed and appear to be "in flight" forever.

Skip exactly one TD on each xrun event - the first one that was missed, as we can now be sure that the HC has finished processing it. Provided that one more TD is queued before any subsequent doorbell ring, it will become safe to skip another TD by the time we get an xrun again.

Signed-off-by: Michal Pecio
---
 drivers/usb/host/xhci-ring.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index ad5f0e439200..2749ebe23a33 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c
@@ -2885,8 +2885,21 @@ static int handle_tx_event(struct xhci_hcd *xhci, return 0; skip_isoc_td(xhci, td, ep, status); - if (!list_empty(&ep_ring->td_list)) + + if (!list_empty(&ep_ring->td_list)) { + if (ring_xrun_event) { + /* + * If we are here, we are on xHCI 1.0 host with no + * idea how many TDs were missed or where the xrun + * occurred. New TDs may have been added after the + * xrun, so skip only one TD to be safe. + */ + xhci_dbg(xhci, "Skipped one TD for slot %u ep %u", + slot_id, ep_index); + return 0; + } continue; + } xhci_dbg(xhci, "All TDs skipped for slot %u ep %u. Clear skip flag.\n", slot_id, ep_index);
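Review bot: The added `xhci_dbg(xhci, "Skipped one TD for slot %u ep %u", ...)` format string has no trailing `\n`, unlike the existing "All TDs skipped for slot %u ep %u. Clear skip flag.\n" message just below it; add the newline so the two debug lines do not run together in the log. The new `return 0` in the `ring_xrun_event` branch also leaves before the "Clear skip flag" message is reached, so the comment should say explicitly that further skipping is left for a later event, which is what the commit message relies on when it requires one more TD to be queued before any subsequent doorbell ring.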