xhci: Fix failure to detect ring expansion need.

Ring expansion checker may incorrectly assume a completely full ring
is empty, missing the need for expansion.

This is due to a special empty ring case where the dequeue ends up
ahead of the enqueue pointer. This is seen when enqueued TRBs fill up
exactly a segment, with enqueue then pointing to the end link TRB.
Once those TRBs are handled the dequeue pointer will follow the link
TRB and end up pointing to the first entry on the next segment, past
the enqueue.

This same enqueue - dequeue condition can be true if a ring is full,
with enqueue ending on that last link TRB before the dequeue pointer
on the next segment.

This can be seen when queuing several ~510 small URBs via usbfs in
one go before a single one is handled (i.e. dequeue not moved from first
entry in segment).

Expand the ring already when enqueue reaches the link TRB before the
dequeue segment, instead of expanding it when enqueue moves into the
dequeue segment.

Reported-by: Chris Yokum <linux-usb@mail.totalphase.com>
Closes: https://lore.kernel.org/all/949223224.833962.1709339266739.JavaMail.zimbra@totalphase.com
Tested-by: Chris Yokum <linux-usb@mail.totalphase.com>
Fixes: f5af638f0609 ("xhci: Fix transfer ring expansion size calculation")
Cc: stable@vger.kernel.org # v6.5+
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240305132312.955171-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Mathias Nyman and committed by Greg Kroah-Hartman b234c70f 69c63350

Changed files
+7 -1
drivers/usb/host/xhci-ring.c
··· 326 326 /* how many trbs will be queued past the enqueue segment? */ 327 327 trbs_past_seg = enq_used + num_trbs - (TRBS_PER_SEGMENT - 1); 328 328 329 - if (trbs_past_seg <= 0) 329 + /* 330 + * Consider expanding the ring already if num_trbs fills the current 331 + * segment (i.e. trbs_past_seg == 0), not only when num_trbs goes into 332 + * the next segment. Avoids confusing full ring with special empty ring 333 + * case below 334 + */ 335 + if (trbs_past_seg < 0) 330 336 return 0; 331 337 332 338 /* Empty ring special case, enqueue stuck on link trb while dequeue advanced */
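Review bot: The new comment above `if (trbs_past_seg < 0)` says the change avoids confusing a full ring with the special empty ring case, but it does not say how the two are told apart once `trbs_past_seg == 0` falls through to the empty ring check below. The commit message gives the reason (expand when enqueue reaches the link TRB before the dequeue segment, rather than when enqueue moves into the dequeue segment). Putting that sentence in the comment would make the boundary condition readable without the changelog. Because the early return no longer covers a submission that exactly fills the current segment, it is also worth confirming that the code after the special case, which this hunk does not show, requests no expansion when the following segment is free and is not the dequeue segment. Minor style point: the comment's last sentence is missing its closing period.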