| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251119120208.6a025eb0.michal.pecio@gmail.com> Date: Wed, 19 Nov 2025 12:02:08 +0100 From: Michal Pecio <michal.pecio@...il.com> To: Mathias Nyman <mathias.nyman@...el.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH 0/5] xHCI: Decouple updating Dequeue from giveback Hi, This introduces unified mechanism for handling all short transfers and errors mid TD plus their later events, accurately and in-spec. I have been working on this code on and off for the last few months, it's dead simple conceptually and tested a lot on various hardware. When a TD completes early, store its end_trb on ep_ring and give it back. Use end_trb to recognize future events for the TD. Remove the SPURIOUS_SUCCESS quirk and unreliable comp code guesswork. Isochronous TDs with errors are given back instantly, which reduces latency and eliminates the need for error_mid_td flag and some hacks like handling Missed Service only to give back error_mid_td. Dequeue will be moved in accordance with received events, never to the next TD right away. Previous code would do that on Short Packet, allowing overwriting of remaining TRBs if it happens across segment boundary. Rare enough that no one complained, but obviously wrong. We will need a trb_in_range(), and I used this as an opportunity to smuggle some long-discussed changes and improve trb_in_td() usage. After converting from dma_addr_t to trb* once in handle_tx_event(), pass ep_trb instead ep_trb_dma to trb_in_td(). This requires a rewrite of trb_in_td(). New version is easier and shorter. While I'm aware it could be shorter still by using segment numbers, it has two advantages which I thought are neat: * It can detect when "suspect" TRB is on a different ring than TD. This means it has a loop, but common cases never enter it. (And yes, I've seen this warning once, but I suspect corruption - DMA UAF was involved. Things improved with pdev->untrusted = 1). * Needs only one segment pointer (suspect). Call sites are tidier and I don't need to store last TD's end_seg together with end_trb. Alternatively, segment numbers can also be used, but I really wanted to see if the code could be less noisy. Regards, Michal Michal Pecio (5): usb: xhci: Track transfer ring dequeue progress properly usb: xhci: Find transfer TRB early in handle_tx_event() usb: xhci: Refactor and generalize trb_in_td() usb: xhci: Reduce error mid TD latency with a new "done TD" mechanism usb: xhci: Handle short transfers as "done TDs" drivers/usb/host/xhci-mtk.c | 5 - drivers/usb/host/xhci-pci.c | 5 - drivers/usb/host/xhci-ring.c | 318 +++++++++++++++++++---------------- drivers/usb/host/xhci.c | 7 - drivers/usb/host/xhci.h | 5 +- 5 files changed, 174 insertions(+), 166 deletions(-)
Powered by blists - more mailing lists