From patchwork Tue Jun 11 12:06:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mathias Nyman X-Patchwork-Id: 13693614 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7BE1617623D; Tue, 11 Jun 2024 12:04:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718107470; cv=none; b=bQ49lHIE/yOuECW8gzOX3r9HmdNhtO3dmFAS0C8TcjTQgnNxi2SEX0jTl3TxtEt5TZS0ux1MVMu9oftXfxFQA2Q1u68glGuVfcGK/qQJUyEXChkr46JgfzpE6tl4HIExJP293KHKba9jVyh8oszVsfbeOkvkgm4pq029wsr8F/k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718107470; c=relaxed/simple; bh=1nSyM6YW2dR/MWHSSAghG64Mqg7LH86n8D6WFtRNn6g=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=O36+BP48maI2dZs4WN4NARQsuyyukgrgTTO6J2T6YWtLdaEVSLA+XYWCUSfMr3bc4QEqc5h7ftsECvhjymAnivr+tPxbVF+8uqgbFs8CwB5kehCZyZnHQoWd82iZvulY4E7La8zDtvbWOpDF9O/7cEy6doH7WjGLYHl8UQqyd4E= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=iDGDNDbP; arc=none smtp.client-ip=198.175.65.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="iDGDNDbP" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1718107468; x=1749643468; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=1nSyM6YW2dR/MWHSSAghG64Mqg7LH86n8D6WFtRNn6g=; b=iDGDNDbPKvrL2dh3Kywgt5NBl63WwSTuO+bLIECWFBqSURD79PzqwVfz y2O9svrwSOnuOwOQyjBnJd+VPxsuslV/n7r/BTdBhC09WVSRS6KIyLC8+ SGw3/wY3GVQ/7puSQAz2cInVp2E3h+r4pAASoa7eFnWY+3YYoNrVM8Ce7 EEgbNLjZjS3WGqtehZd/VHiSiiX6ezkb/Z5aEZED+NPkVdNW28yBInm2f RH3dlhgaED9R7pPjcOXY3M8EpJPs4BlZu4KwrMTQwyL3nCuTKYxZ02apg 3FFgnu5VxTnec6bh48fpnXArmBhmqFXVLC54ifmYcmqnwyJA26XdLuQCu w==; X-CSE-ConnectionGUID: FELixaNdQxq8kL1SPXdjYw== X-CSE-MsgGUID: Hk4+XB8oTKKNJq40yqZ25g== X-IronPort-AV: E=McAfee;i="6600,9927,11099"; a="18641743" X-IronPort-AV: E=Sophos;i="6.08,230,1712646000"; d="scan'208";a="18641743" Received: from orviesa001.jf.intel.com ([10.64.159.141]) by orvoesa106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Jun 2024 05:04:28 -0700 X-CSE-ConnectionGUID: lHmZS5cZSkiSgSBVwDoSzg== X-CSE-MsgGUID: UoBwV39nQre4FfDC48D/UQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.08,230,1712646000"; d="scan'208";a="76879631" Received: from mattu-haswell.fi.intel.com ([10.237.72.199]) by orviesa001.jf.intel.com with ESMTP; 11 Jun 2024 05:04:26 -0700 From: Mathias Nyman To: Cc: , Mathias Nyman , Pierre Tomon , stable@vger.kernel.org, Alan Stern Subject: [PATCH 1/4] xhci: Set correct transferred length for cancelled bulk transfers Date: Tue, 11 Jun 2024 15:06:07 +0300 Message-Id: <20240611120610.3264502-2-mathias.nyman@linux.intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240611120610.3264502-1-mathias.nyman@linux.intel.com> References: <20240611120610.3264502-1-mathias.nyman@linux.intel.com> Precedence: bulk X-Mailing-List: linux-usb@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The transferred length is set incorrectly for cancelled bulk transfer TDs in case the bulk transfer ring stops on the last transfer block with a 'Stop - Length Invalid' completion code. length essentially ends up being set to the requested length: urb->actual_length = urb->transfer_buffer_length Length for 'Stop - Length Invalid' cases should be the sum of all TRB transfer block lengths up to the one the ring stopped on, _excluding_ the one stopped on. Fix this by always summing up TRB lengths for 'Stop - Length Invalid' bulk cases. This issue was discovered by Alan Stern while debugging https://bugzilla.kernel.org/show_bug.cgi?id=218890, but does not solve that bug. Issue is older than 4.10 kernel but fix won't apply to those due to major reworks in that area. Tested-by: Pierre Tomon Cc: stable@vger.kernel.org # v4.10+ Cc: Alan Stern Signed-off-by: Mathias Nyman --- drivers/usb/host/xhci-ring.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 9e90d2952760..1db61bb2b9b5 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -2524,9 +2524,8 @@ static int process_bulk_intr_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, goto finish_td; case COMP_STOPPED_LENGTH_INVALID: /* stopped on ep trb with invalid length, exclude it */ - ep_trb_len = 0; - remaining = 0; - break; + td->urb->actual_length = sum_trb_lengths(xhci, ep_ring, ep_trb); + goto finish_td; case COMP_USB_TRANSACTION_ERROR: if (xhci->quirks & XHCI_NO_SOFT_RETRY || (ep->err_count++ > MAX_SOFT_RETRY) || From patchwork Tue Jun 11 12:06:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mathias Nyman X-Patchwork-Id: 13693615 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D40017B437; Tue, 11 Jun 2024 12:04:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718107471; cv=none; b=A/K4OtJ0TSQ723j0OtkyEqWYvE+nmDUjriofXvM4S9wLjVJsZ8WVdZOV4Y9XFUcmz4AyBwI0o7Rpq1k1GQaMCmUc+5ilJ8XlkYHHZLJXOreJHRAs95No4XC/X9D4kqSnFlECyamL230xd6P5SRsUT2LG65A4tuoabMVHIrnizh4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718107471; c=relaxed/simple; bh=FOaE2PstEhFjh4wEaU+eChjM+aBc8E33yTqCu+HkY/E=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=ieLILeUIYJ4xKSchoZINznyzQ5fOKzAjXXexy/12IQwd/u4gPBkzhG9iZvaUgijsSNSHp3q0bi3qGnWvPg+Q2CVM03kURIg0xZXyQJoLkWsYcb9bUJ3oZYzE+ZY09fceEzoVBny/qaU6fgqeKqTJkQ/KqLFvlWe4TuXGUG/l9+I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=kL0ohCOJ; arc=none smtp.client-ip=198.175.65.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="kL0ohCOJ" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1718107470; x=1749643470; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=FOaE2PstEhFjh4wEaU+eChjM+aBc8E33yTqCu+HkY/E=; b=kL0ohCOJpI3/Nkt4Iii98vupeQIXPrgKOM5D/66xZHqzo5tvBeTi1oGS vixz+lOx0odHaFg2GcYcJTVfTh8WYVbmIc5rh2mRDiue1AKm97tgZKYI5 ilkEl5js5bF/lHOcK9qQ1RMiuyIJVyTQ7WN/um7MfZzqxPO/DSKlqdXuI dR6hxZdGUnx0ohEd7X0PQOxuJHxIwwVIMR0b1AUEc6PV8ChMINwG2MUu/ 10Yj8Tczuw2fpThKTeJnfDzk6MOyFgsvdXre/VdTbU3ywiWjXjA/s1t/H 2C/iAaO6l8EPFY75iIHqY/RN68gB4iZovLEyhopXlhiywtXdluStOBqri A==; X-CSE-ConnectionGUID: sIAHlajKT3CpGDa1bZCZEQ== X-CSE-MsgGUID: 0vCNxJ/cRpmz8Nj3E9gc5w== X-IronPort-AV: E=McAfee;i="6600,9927,11099"; a="18641751" X-IronPort-AV: E=Sophos;i="6.08,230,1712646000"; d="scan'208";a="18641751" Received: from orviesa001.jf.intel.com ([10.64.159.141]) by orvoesa106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Jun 2024 05:04:30 -0700 X-CSE-ConnectionGUID: rckRqGqcQtqQOJeKuH1Znw== X-CSE-MsgGUID: yDDokXqSRBiwWlH3asPzQQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.08,230,1712646000"; d="scan'208";a="76879639" Received: from mattu-haswell.fi.intel.com ([10.237.72.199]) by orviesa001.jf.intel.com with ESMTP; 11 Jun 2024 05:04:29 -0700 From: Mathias Nyman To: Cc: , Kuangyi Chiang , stable@vger.kernel.org, Mathias Nyman Subject: [PATCH 2/4] xhci: Apply reset resume quirk to Etron EJ188 xHCI host Date: Tue, 11 Jun 2024 15:06:08 +0300 Message-Id: <20240611120610.3264502-3-mathias.nyman@linux.intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240611120610.3264502-1-mathias.nyman@linux.intel.com> References: <20240611120610.3264502-1-mathias.nyman@linux.intel.com> Precedence: bulk X-Mailing-List: linux-usb@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Kuangyi Chiang As described in commit c877b3b2ad5c ("xhci: Add reset on resume quirk for asrock p67 host"), EJ188 have the same issue as EJ168, where completely dies on resume. So apply XHCI_RESET_ON_RESUME quirk to EJ188 as well. Cc: Signed-off-by: Kuangyi Chiang Signed-off-by: Mathias Nyman --- drivers/usb/host/xhci-pci.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index c040d816e626..dd8256e4e02a 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -36,6 +36,7 @@ #define PCI_VENDOR_ID_ETRON 0x1b6f #define PCI_DEVICE_ID_EJ168 0x7023 +#define PCI_DEVICE_ID_EJ188 0x7052 #define PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI 0x8c31 #define PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI 0x9c31 @@ -395,6 +396,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) xhci->quirks |= XHCI_RESET_ON_RESUME; xhci->quirks |= XHCI_BROKEN_STREAMS; } + if (pdev->vendor == PCI_VENDOR_ID_ETRON && + pdev->device == PCI_DEVICE_ID_EJ188) + xhci->quirks |= XHCI_RESET_ON_RESUME; + if (pdev->vendor == PCI_VENDOR_ID_RENESAS && pdev->device == 0x0014) { xhci->quirks |= XHCI_ZERO_64B_REGS; From patchwork Tue Jun 11 12:06:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mathias Nyman X-Patchwork-Id: 13693616 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7597E17BB03; Tue, 11 Jun 2024 12:04:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718107473; cv=none; b=PlHDsqfhj2PAnqenpL6tcCGeb11DgF2mSQfC7/tGQ8Nt0q892BbCooiGaCfVooh+c9hmKB5QXuP2bz+rpIq1JTjGC4gmZkGKsEAC/aetLQZXfUIVr/1XUBqEkZNoezPEa2/kT0gXuYk03y/T1YKRkIEqSld0xoJAX0A4yaYfFeA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718107473; c=relaxed/simple; bh=L/XqlaATQ5L2nB1nKSC4asLA3WxkfcILDCl56wqJrfk=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=Tjq0FNvGsuw708oTI4ibx8WuL/4cRG6j+leycYEMWVqlVaeS5ZvxuFK8tbEyLe9wDZOOtpCjkUpjC/P51JUVoso/qfmBzdRg3XYh7JbJKMvSjTiWZM/KF5Ny5goRfR2zLGmC21KTwL2bmYvLKUr4o+r0lztssYHVIMBYbKO35OM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=RR92QDtL; arc=none smtp.client-ip=198.175.65.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="RR92QDtL" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1718107472; x=1749643472; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=L/XqlaATQ5L2nB1nKSC4asLA3WxkfcILDCl56wqJrfk=; b=RR92QDtLly7kGvJ4+spHvbr793sm78UhVGBTWVkSS9RpOVNY5QmnoIZL DjoV3N9Zh9dHVW3JCCfERvWzFSjaUm65qBtMJCBRxFbm1khGz6GOPZ00p 92iIiZMwhBIpGSf68kx40j7x412OJa3I3FSxvmB7KhpAvUdaS2ATxKMXn Bfv5nnJLuu6bSYvneIQSsafriSQTMqV/UDwOWDjpytGcbm9WHJYzdAhuV VXdAjI52jyylnxzBMYb3p8UV8A2sNr/Qh/5DATRfYLNrWjyvqAYcr9B/y R/2+CMO49pVFdB3UqaXa/jPtK6HyUSf3rsz0URkg0QBmmkY1qLi318bsV A==; X-CSE-ConnectionGUID: 3ap7P1lhSsq6IlbxEYXA9A== X-CSE-MsgGUID: AKQ4zeTkSE2abb6bhHkhAg== X-IronPort-AV: E=McAfee;i="6600,9927,11099"; a="18641756" X-IronPort-AV: E=Sophos;i="6.08,230,1712646000"; d="scan'208";a="18641756" Received: from orviesa001.jf.intel.com ([10.64.159.141]) by orvoesa106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Jun 2024 05:04:32 -0700 X-CSE-ConnectionGUID: RfX+raOZR7qrS+zdkIUV1g== X-CSE-MsgGUID: 6K/UjChsS1u/RDQ76gQZ5w== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.08,230,1712646000"; d="scan'208";a="76879657" Received: from mattu-haswell.fi.intel.com ([10.237.72.199]) by orviesa001.jf.intel.com with ESMTP; 11 Jun 2024 05:04:31 -0700 From: Mathias Nyman To: Cc: , Kuangyi Chiang , stable@vger.kernel.org, Mathias Nyman Subject: [PATCH 3/4] xhci: Apply broken streams quirk to Etron EJ188 xHCI host Date: Tue, 11 Jun 2024 15:06:09 +0300 Message-Id: <20240611120610.3264502-4-mathias.nyman@linux.intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240611120610.3264502-1-mathias.nyman@linux.intel.com> References: <20240611120610.3264502-1-mathias.nyman@linux.intel.com> Precedence: bulk X-Mailing-List: linux-usb@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Kuangyi Chiang As described in commit 8f873c1ff4ca ("xhci: Blacklist using streams on the Etron EJ168 controller"), EJ188 have the same issue as EJ168, where Streams do not work reliable on EJ188. So apply XHCI_BROKEN_STREAMS quirk to EJ188 as well. Cc: Signed-off-by: Kuangyi Chiang Signed-off-by: Mathias Nyman --- drivers/usb/host/xhci-pci.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index dd8256e4e02a..05881153883e 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -397,8 +397,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) xhci->quirks |= XHCI_BROKEN_STREAMS; } if (pdev->vendor == PCI_VENDOR_ID_ETRON && - pdev->device == PCI_DEVICE_ID_EJ188) + pdev->device == PCI_DEVICE_ID_EJ188) { xhci->quirks |= XHCI_RESET_ON_RESUME; + xhci->quirks |= XHCI_BROKEN_STREAMS; + } if (pdev->vendor == PCI_VENDOR_ID_RENESAS && pdev->device == 0x0014) { From patchwork Tue Jun 11 12:06:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mathias Nyman X-Patchwork-Id: 13693617 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 941AC17BB28; Tue, 11 Jun 2024 12:04:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718107476; cv=none; b=FLN5acvmJmjbXfdQbubViTKJYA//R3dftTAmaMeIMPqQMpyLHjNcDRcUi4bTEcXKCMpC5JfW44q4vMqlKJ96VVm4Fa7BS0xTybipotm3q3UiWDXTVnSZa6mCGqjJ5GqI2POegvF/KXXCTQWUg+aRr+rP3oS9K9WKMCkOso8Zrj4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718107476; c=relaxed/simple; bh=ne7wuQL9I2SgZ6QG3Rspi4VyIajsSMl3qDn2zbrMZ8k=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=dZTqbO2FLHNkuOHf359uVpx5MpEf2DeXANVHSlk1kzhFA0lWZxi4iOr5cUs8Gqon3K30MxSJLPSeTjU49KmnJSOwjiBs54QqHehl+CYsSRj4HlaokOhv8C6OqeJeAaezCbxXFjwmYgzefAdVhVAPU8QVjsKtryXqtxMpc58yWyE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=L40SV94K; arc=none smtp.client-ip=198.175.65.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="L40SV94K" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1718107474; x=1749643474; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=ne7wuQL9I2SgZ6QG3Rspi4VyIajsSMl3qDn2zbrMZ8k=; b=L40SV94KSK4y03toeH4q6l5eU3hSe8jF4wM3v9y6UhVY/2+LIKLLZEbJ QaEdq03v5v60FleyKwa/AUqiUQBeWLrP0d4NlEChxeJ/agkatUtJ9H3DP iLwqox2Q9D++CcUPSI4EOE+QmwarUhKccBEXHDo0mKi1BwF5DuMaCWwdt tcJz2WocG9Cyp2lcq/pBMgEzL/XuCAnhaF1tfkms6yEBGpzlwcEV38OdI wjEMfcUR2mjAxrZxq4EAjUuAKRU+Tpy4RLP1AgxcXri6kgXyr/wN+/o2I QxdkMm4C1Wb5/RZTRvaY9S4Bw7rnz/krShStQsPUCoqkMKMhNkQunSdVZ w==; X-CSE-ConnectionGUID: E1e3YLgnQkytLAWUIWHTAA== X-CSE-MsgGUID: ybMhcltvTbWiol7GxskG2g== X-IronPort-AV: E=McAfee;i="6600,9927,11099"; a="18641764" X-IronPort-AV: E=Sophos;i="6.08,230,1712646000"; d="scan'208";a="18641764" Received: from orviesa001.jf.intel.com ([10.64.159.141]) by orvoesa106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Jun 2024 05:04:34 -0700 X-CSE-ConnectionGUID: 3boQbHSkT9GMRlH+g6zM/w== X-CSE-MsgGUID: N4SZk4ITQY2pQBGGcp3TmA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.08,230,1712646000"; d="scan'208";a="76879670" Received: from mattu-haswell.fi.intel.com ([10.237.72.199]) by orviesa001.jf.intel.com with ESMTP; 11 Jun 2024 05:04:33 -0700 From: Mathias Nyman To: Cc: , Hector Martin , stable@vger.kernel.org, security@kernel.org, Neal Gompa , Mathias Nyman Subject: [PATCH 4/4] xhci: Handle TD clearing for multiple streams case Date: Tue, 11 Jun 2024 15:06:10 +0300 Message-Id: <20240611120610.3264502-5-mathias.nyman@linux.intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240611120610.3264502-1-mathias.nyman@linux.intel.com> References: <20240611120610.3264502-1-mathias.nyman@linux.intel.com> Precedence: bulk X-Mailing-List: linux-usb@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Hector Martin When multiple streams are in use, multiple TDs might be in flight when an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for each, to ensure everything is reset properly and the caches cleared. Change the logic so that any N>1 TDs found active for different streams are deferred until after the first one is processed, calling xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to queue another command until we are done with all of them. Also change the error/"should never happen" paths to ensure we at least clear any affected TDs, even if we can't issue a command to clear the hardware cache, and complain loudly with an xhci_warn() if this ever happens. This problem case dates back to commit e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.") early on in the XHCI driver's life, when stream support was first added. It was then identified but not fixed nor made into a warning in commit 674f8438c121 ("xhci: split handling halted endpoints into two steps"), which added a FIXME comment for the problem case (without materially changing the behavior as far as I can tell, though the new logic made the problem more obvious). Then later, in commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs."), it was acknowledged again. [Mathias: commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs.") was a targeted regression fix to the previously mentioned patch. Users reported issues with usb stuck after unmounting/disconnecting UAS devices. This rolled back the TD clearing of multiple streams to its original state.] Apparently the commit author was aware of the problem (yet still chose to submit it): It was still mentioned as a FIXME, an xhci_dbg() was added to log the problem condition, and the remaining issue was mentioned in the commit description. The choice of making the log type xhci_dbg() for what is, at this point, a completely unhandled and known broken condition is puzzling and unfortunate, as it guarantees that no actual users would see the log in production, thereby making it nigh undebuggable (indeed, even if you turn on DEBUG, the message doesn't really hint at there being a problem at all). It took me *months* of random xHC crashes to finally find a reliable repro and be able to do a deep dive debug session, which could all have been avoided had this unhandled, broken condition been actually reported with a warning, as it should have been as a bug intentionally left in unfixed (never mind that it shouldn't have been left in at all). > Another fix to solve clearing the caches of all stream rings with > cancelled TDs is needed, but not as urgent. 3 years after that statement and 14 years after the original bug was introduced, I think it's finally time to fix it. And maybe next time let's not leave bugs unfixed (that are actually worse than the original bug), and let's actually get people to review kernel commits please. Fixes xHC crashes and IOMMU faults with UAS devices when handling errors/faults. Easiest repro is to use `hdparm` to mark an early sector (e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop. At least in the case of JMicron controllers, the read errors end up having to cancel two TDs (for two queued requests to different streams) and the one that didn't get cleared properly ends up faulting the xHC entirely when it tries to access DMA pages that have since been unmapped, referred to by the stale TDs. This normally happens quickly (after two or three loops). After this fix, I left the `cat` in a loop running overnight and experienced no xHC failures, with all read errors recovered properly. Repro'd and tested on an Apple M1 Mac Mini (dwc3 host). On systems without an IOMMU, this bug would instead silently corrupt freed memory, making this a security bug (even on systems with IOMMUs this could silently corrupt memory belonging to other USB devices on the same controller, so it's still a security bug). Given that the kernel autoprobes partition tables, I'm pretty sure a malicious USB device pretending to be a UAS device and reporting an error with the right timing could deliberately trigger a UAF and write to freed memory, with no user action. [Mathias: Commit message and code comment edit, original at:] https://lore.kernel.org/linux-usb/20240524-xhci-streams-v1-1-6b1f13819bea@marcan.st/ Fixes: e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.") Fixes: 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs.") Fixes: 674f8438c121 ("xhci: split handling halted endpoints into two steps") Cc: stable@vger.kernel.org Cc: security@kernel.org Reviewed-by: Neal Gompa Signed-off-by: Hector Martin Signed-off-by: Mathias Nyman --- drivers/usb/host/xhci-ring.c | 54 ++++++++++++++++++++++++++++-------- drivers/usb/host/xhci.h | 1 + 2 files changed, 44 insertions(+), 11 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 1db61bb2b9b5..fd0cde3d1569 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1031,13 +1031,27 @@ static int xhci_invalidate_cancelled_tds(struct xhci_virt_ep *ep) break; case TD_DIRTY: /* TD is cached, clear it */ case TD_HALTED: + case TD_CLEARING_CACHE_DEFERRED: + if (cached_td) { + if (cached_td->urb->stream_id != td->urb->stream_id) { + /* Multiple streams case, defer move dq */ + xhci_dbg(xhci, + "Move dq deferred: stream %u URB %p\n", + td->urb->stream_id, td->urb); + td->cancel_status = TD_CLEARING_CACHE_DEFERRED; + break; + } + + /* Should never happen, but clear the TD if it does */ + xhci_warn(xhci, + "Found multiple active URBs %p and %p in stream %u?\n", + td->urb, cached_td->urb, + td->urb->stream_id); + td_to_noop(xhci, ring, cached_td, false); + cached_td->cancel_status = TD_CLEARED; + } + td->cancel_status = TD_CLEARING_CACHE; - if (cached_td) - /* FIXME stream case, several stopped rings */ - xhci_dbg(xhci, - "Move dq past stream %u URB %p instead of stream %u URB %p\n", - td->urb->stream_id, td->urb, - cached_td->urb->stream_id, cached_td->urb); cached_td = td; break; } @@ -1057,10 +1071,16 @@ static int xhci_invalidate_cancelled_tds(struct xhci_virt_ep *ep) if (err) { /* Failed to move past cached td, just set cached TDs to no-op */ list_for_each_entry_safe(td, tmp_td, &ep->cancelled_td_list, cancelled_td_list) { - if (td->cancel_status != TD_CLEARING_CACHE) + /* + * Deferred TDs need to have the deq pointer set after the above command + * completes, so if that failed we just give up on all of them (and + * complain loudly since this could cause issues due to caching). + */ + if (td->cancel_status != TD_CLEARING_CACHE && + td->cancel_status != TD_CLEARING_CACHE_DEFERRED) continue; - xhci_dbg(xhci, "Failed to clear cancelled cached URB %p, mark clear anyway\n", - td->urb); + xhci_warn(xhci, "Failed to clear cancelled cached URB %p, mark clear anyway\n", + td->urb); td_to_noop(xhci, ring, td, false); td->cancel_status = TD_CLEARED; } @@ -1346,6 +1366,7 @@ static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id, struct xhci_ep_ctx *ep_ctx; struct xhci_slot_ctx *slot_ctx; struct xhci_td *td, *tmp_td; + bool deferred = false; ep_index = TRB_TO_EP_INDEX(le32_to_cpu(trb->generic.field[3])); stream_id = TRB_TO_STREAM_ID(le32_to_cpu(trb->generic.field[2])); @@ -1432,6 +1453,8 @@ static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id, xhci_dbg(ep->xhci, "%s: Giveback cancelled URB %p TD\n", __func__, td->urb); xhci_td_cleanup(ep->xhci, td, ep_ring, td->status); + } else if (td->cancel_status == TD_CLEARING_CACHE_DEFERRED) { + deferred = true; } else { xhci_dbg(ep->xhci, "%s: Keep cancelled URB %p TD as cancel_status is %d\n", __func__, td->urb, td->cancel_status); @@ -1441,8 +1464,17 @@ static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id, ep->ep_state &= ~SET_DEQ_PENDING; ep->queued_deq_seg = NULL; ep->queued_deq_ptr = NULL; - /* Restart any rings with pending URBs */ - ring_doorbell_for_active_rings(xhci, slot_id, ep_index); + + if (deferred) { + /* We have more streams to clear */ + xhci_dbg(ep->xhci, "%s: Pending TDs to clear, continuing with invalidation\n", + __func__); + xhci_invalidate_cancelled_tds(ep); + } else { + /* Restart any rings with pending URBs */ + xhci_dbg(ep->xhci, "%s: All TDs cleared, ring doorbell\n", __func__); + ring_doorbell_for_active_rings(xhci, slot_id, ep_index); + } } static void xhci_handle_cmd_reset_ep(struct xhci_hcd *xhci, int slot_id, diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 30415158ed3c..78d014c4d884 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1276,6 +1276,7 @@ enum xhci_cancelled_td_status { TD_DIRTY = 0, TD_HALTED, TD_CLEARING_CACHE, + TD_CLEARING_CACHE_DEFERRED, TD_CLEARED, };