Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.9.y 2024-06-27T11:52:18Z 2024-06-27T11:52:18Z Mathias Nyman mathias.nyman@linux.intel.com 2024-04-29T14:02:36Z urn:sha1:c106b0f768813051b91f75b18a30b4140c60cea8 [ Upstream commit 34b67198244f2d7d8409fa4eb76204c409c0c97e ] If this quirk was set then driver would treat transfer events with 'Success' completion code as 'Short packet' if there were untransferred bytes left. This is so common that turn it into default behavior. xhci_warn_ratelimited() is no longer used after this, so remove it. A success event with untransferred bytes left doesn't always mean a misbehaving controller. If there was an error mid a multi-TRB TD it's allowed to issue a success event for the last TRB in that TD. See xhci 1.2 spec 4.9.1 Transfer Descriptors "Note: If an error is detected while processing a multi-TRB TD, the xHC shall generate a Transfer Event for the TRB that the error was detected on with the appropriate error Condition Code, then may advance to the next TD. If in the process of advancing to the next TD, a Transfer TRB is encountered with its IOC flag set, then the Condition Code of the Transfer Event generated for that Transfer TRB should be Success, because there was no error actually associated with the TRB that generated the Event. However, an xHC implementation may redundantly assert the original error Condition Code." Co-developed-by: Niklas Neronin <niklas.neronin@linux.intel.com> Signed-off-by: Niklas Neronin <niklas.neronin@linux.intel.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Link: https://lore.kernel.org/r/20240429140245.3955523-10-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-06-21T12:40:13Z Hector Martin marcan@marcan.st 2024-06-11T12:06:10Z urn:sha1:61593dc413c3655e4328a351555235bc3089486a commit 5ceac4402f5d975e5a01c806438eb4e554771577 upstream. When multiple streams are in use, multiple TDs might be in flight when an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for each, to ensure everything is reset properly and the caches cleared. Change the logic so that any N>1 TDs found active for different streams are deferred until after the first one is processed, calling xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to queue another command until we are done with all of them. Also change the error/"should never happen" paths to ensure we at least clear any affected TDs, even if we can't issue a command to clear the hardware cache, and complain loudly with an xhci_warn() if this ever happens. This problem case dates back to commit e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.") early on in the XHCI driver's life, when stream support was first added. It was then identified but not fixed nor made into a warning in commit 674f8438c121 ("xhci: split handling halted endpoints into two steps"), which added a FIXME comment for the problem case (without materially changing the behavior as far as I can tell, though the new logic made the problem more obvious). Then later, in commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs."), it was acknowledged again. [Mathias: commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs.") was a targeted regression fix to the previously mentioned patch. Users reported issues with usb stuck after unmounting/disconnecting UAS devices. This rolled back the TD clearing of multiple streams to its original state.] Apparently the commit author was aware of the problem (yet still chose to submit it): It was still mentioned as a FIXME, an xhci_dbg() was added to log the problem condition, and the remaining issue was mentioned in the commit description. The choice of making the log type xhci_dbg() for what is, at this point, a completely unhandled and known broken condition is puzzling and unfortunate, as it guarantees that no actual users would see the log in production, thereby making it nigh undebuggable (indeed, even if you turn on DEBUG, the message doesn't really hint at there being a problem at all). It took me *months* of random xHC crashes to finally find a reliable repro and be able to do a deep dive debug session, which could all have been avoided had this unhandled, broken condition been actually reported with a warning, as it should have been as a bug intentionally left in unfixed (never mind that it shouldn't have been left in at all). > Another fix to solve clearing the caches of all stream rings with > cancelled TDs is needed, but not as urgent. 3 years after that statement and 14 years after the original bug was introduced, I think it's finally time to fix it. And maybe next time let's not leave bugs unfixed (that are actually worse than the original bug), and let's actually get people to review kernel commits please. Fixes xHC crashes and IOMMU faults with UAS devices when handling errors/faults. Easiest repro is to use `hdparm` to mark an early sector (e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop. At least in the case of JMicron controllers, the read errors end up having to cancel two TDs (for two queued requests to different streams) and the one that didn't get cleared properly ends up faulting the xHC entirely when it tries to access DMA pages that have since been unmapped, referred to by the stale TDs. This normally happens quickly (after two or three loops). After this fix, I left the `cat` in a loop running overnight and experienced no xHC failures, with all read errors recovered properly. Repro'd and tested on an Apple M1 Mac Mini (dwc3 host). On systems without an IOMMU, this bug would instead silently corrupt freed memory, making this a security bug (even on systems with IOMMUs this could silently corrupt memory belonging to other USB devices on the same controller, so it's still a security bug). Given that the kernel autoprobes partition tables, I'm pretty sure a malicious USB device pretending to be a UAS device and reporting an error with the right timing could deliberately trigger a UAF and write to freed memory, with no user action. [Mathias: Commit message and code comment edit, original at:] https://lore.kernel.org/linux-usb/20240524-xhci-streams-v1-1-6b1f13819bea@marcan.st/ Fixes: e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.") Fixes: 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs.") Fixes: 674f8438c121 ("xhci: split handling halted endpoints into two steps") Cc: stable@vger.kernel.org Cc: security@kernel.org Reviewed-by: Neal Gompa <neal@gompa.dev> Signed-off-by: Hector Martin <marcan@marcan.st> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Link: https://lore.kernel.org/r/20240611120610.3264502-5-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-06-12T09:39:15Z Niklas Neronin niklas.neronin@linux.intel.com 2024-04-29T14:02:30Z urn:sha1:f39f4626bd13b330d9fcb2165e09be983198ce8e [ Upstream commit db4460b6ecf07574d580f01cd88054a62607068c ] Check if requested segments ('segs' or 'ERST_DEFAULT_SEGS') exceeds the maximum amount ERST supports. When 'segs' is '0', 'ERST_DEFAULT_SEGS' is used instead. But both values may not exceed ERST max. Macro 'ERST_MAX_SEGS' is renamed to 'ERST_DEFAULT_SEGS'. The new name better represents the macros, which is the number of Event Ring segments to allocate, when the amount is not specified. Additionally, rename and change xhci_create_secondary_interrupter()'s argument 'int num_segs' to 'unsigned int segs'. This makes it the same as its counter part in xhci_alloc_interrupter(). Fixes: c99b38c41234 ("xhci: add support to allocate several interrupters") Signed-off-by: Niklas Neronin <niklas.neronin@linux.intel.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Link: https://lore.kernel.org/r/20240429140245.3955523-4-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-03-02T19:25:27Z Niklas Neronin niklas.neronin@intel.com 2024-02-29T14:14:32Z urn:sha1:74151b5349266bd1a3a8307a05449a22bf0ba9de Slot ID is a index of a virtual device in struct 'xhci_hcd->devs[]'. Previously, to get the slot ID associated with a port, we had to loop through all devices and compare ports, which is very inefficient. Instead, the slot ID (of the device which is directly connected to the port), is added to the its corresponding 'xhci_port' struct. As a result, finding the port's device is quick and easy. Function 'xhci_find_slot_id_by_port()' is removed, as it is no longer needed. Signed-off-by: Niklas Neronin <niklas.neronin@intel.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Link: https://lore.kernel.org/r/20240229141438.619372-4-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-03-02T19:25:27Z Niklas Neronin niklas.neronin@intel.com 2024-02-29T14:14:31Z urn:sha1:06790c19086fe8f54afcd49184916132c7a8da4e Variables real & fake port do not convey their purpose, thus they are replaced with a pointer to the root hub port 'struct xhci_port *rhub_port'. 'rhub_port' contains real & fake ports in zero-based format, which happens to be more widely used inside the xHCI driver: - 'real_port' is ('rhub_port->hw_portnum' + 1) - 'fake_port' is ('rhub_port->hcd_portnum' + 1) One reason for real port being one-based, is to signal other functions in case struct 'xhci_virt_device' initialization failed, in this case the value will remain 0. This is no longer needed, instead we check whether or not 'rhub_port' is 'NULL'. Signed-off-by: Niklas Neronin <niklas.neronin@intel.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Link: https://lore.kernel.org/r/20240229141438.619372-3-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-19T19:59:52Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2024-02-19T19:59:52Z urn:sha1:3bf0514dc6f36f81ee11b1becd977cb87b4c90c6 This reverts commit 9affb1d9a9d9918adff519a129daba5e369dd741. It's not ready to be merged, based on reviews. Reported-by: Mathias Nyman <mathias.nyman@linux.intel.com> Link: https://lore.kernel.org/r/96ab6033-2cb9-daa7-ddad-090138896739@linux.intel.com Cc: Wesley Cheng <quic_wcheng@quicinc.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-17T15:24:38Z Mathias Nyman mathias.nyman@linux.intel.com 2024-02-17T00:09:36Z urn:sha1:9affb1d9a9d9918adff519a129daba5e369dd741 Expose xhci_stop_endpoint_sync() which is a synchronous variant of xhci_queue_stop_endpoint(). This is useful for client drivers that are using the secondary interrupters, and need to stop/clean up the current session. The stop endpoint command handler will also take care of cleaning up the ring. Modifications to repurpose the new API into existing stop endpoint sequences was implemented by Wesley Cheng. Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Co-developed-by: Wesley Cheng <quic_wcheng@quicinc.com> Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com> Link: https://lore.kernel.org/r/20240217001017.29969-11-quic_wcheng@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-17T15:24:37Z Mathias Nyman mathias.nyman@linux.intel.com 2024-02-17T00:09:29Z urn:sha1:becbd202af8425e336b1c25e9254616a5c03d819 isoc_bei_interval is used to balance how often completed isochronous events cause interrupts. If interval is too large then the event ring may fill up before the completed isoc TRBs are handled. isoc_bei_interval is tuned based on how full the event ring is. isoc_bei_interval variable needs to be per interrupter as with several interrupters each one has its own event ring. move isoc_bei_interval variable to the interrupter structure. if a secondary interrupter does not care about this feature then keep isoc_bei_interval 0. Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com> Link: https://lore.kernel.org/r/20240217001017.29969-4-quic_wcheng@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-17T15:24:37Z Mathias Nyman mathias.nyman@linux.intel.com 2024-02-17T00:09:27Z urn:sha1:4f022aad80dc8b175e309197720f4fca8004fb2e Each interrupter has an interrupt pending (IP) bit that should be cleared in the interrupt handler. This is done automatically for systems using MSI/MSI-X interrupts. Secondary interrupters used by audio offload may not actually trigger MSI/MSI-X messages, so driver may need to clear the IP bit manually for these, even if the primary interrupter IP is cleared automatically. Add an ip_autoclear flag to each interrupter that driver can configure when requesting an interrupt for that xHC interrupter, and move the interrupt pending clearing code to its own helper function. Use this ip_autoclear flag instead of the current hcd->msi_enabled to check if IP flag is cleared by software. [Moved ip_autoclear into xhci and set based on msi_enabled -wcheng] Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com> Link: https://lore.kernel.org/r/20240217001017.29969-2-quic_wcheng@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-04T14:19:37Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2024-02-04T14:19:37Z urn:sha1:ed5551279c9100aff6adf337d809057a7532b6f7 We need the USB fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>