mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-28 01:28:59 +00:00
9e86e0b33b
Changelogs: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.67 https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.68 https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.69 Upstreamed patches: target/linux/generic/backport-6.1/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch [1] target/linux/generic/backport-6.1/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch [2] target/linux/generic/backport-6.1/790-48-STABLE-net-dsa-mt7530-trap-link-local-frames-regardless-of-.patch [3] target/linux/generic/backport-6.1/790-50-v6.10-net-dsa-mt7530-fix-mirroring-frames-received-on-loca.patch [4] target/linux/generic/backport-6.1/790-16-v6.4-net-dsa-mt7530-set-all-CPU-ports-in-MT7531_CPU_PMAP.patch [5] target/linux/generic/backport-6.1/790-46-v6.9-net-dsa-mt7530-fix-improper-frames-on-all-25MHz-and-.patch [6] target/linux/generic/backport-6.1/790-47-v6.10-net-dsa-mt7530-fix-enabling-EEE-on-MT7531-switch-on-.patch [7] target/linux/mediatek/patches-6.1/220-v6.3-clk-mediatek-clk-gate-Propagate-struct-device-with-m.patch [8] target/linux/mediatek/patches-6.1/222-v6.3-clk-mediatek-clk-mtk-Propagate-struct-device-for-com.patch [9] target/linux/mediatek/patches-6.1/223-v6.3-clk-mediatek-clk-mux-Propagate-struct-device-for-mtk.patch [10] target/linux/mediatek/patches-6.1/226-v6.3-clk-mediatek-clk-mtk-Extend-mtk_clk_simple_probe.patch [11] Symbol changes: MITIGATION_SPECTRE_BHI (new) [12] SPECTRE_BHI_{ON,OFF} (deprecated) [12] References: [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=8bf7c76a2a207ca2b4cfda0a279192adf27678d7 [2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=f1c3c61701a0b12f4906152c1626a5de580ea3d2 [3] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=19643bf8c9b5bb5eea5163bf2f6a3eee6fb5b99b [4] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=e86c9db58eba290e858e2bb80efcde9e3973a5ef [5] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=013c787d231188a6408e2991150d3c9bf9a2aa0b [6] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=41a004ffba9b1fd8a5a7128ebd0dfa3ed39c3316 [7] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=7d51db455ca03e5270cc585a75a674abd063fa6c [8] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=082b831488a41257b7ac7ffa1d80a0b60d98394d [9] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=6f5f72a684a2823f21efbfd20c7e4b528c44a781 [10] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=a4fe8813a7868ba5867e42e60de7a2b8baac30ff [11] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=c1d87d56af063c87961511ee25f6b07a5676d27d [12] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.89&id=d844df110084ef8bd950a52194865f3f63b561ca Signed-off-by: Shiji Yang <yangshiji66@qq.com>
85 lines
2.8 KiB
Diff
85 lines
2.8 KiB
Diff
From 18f08bf8df95c687d6fee3d2bb747cbd2fa0b878 Mon Sep 17 00:00:00 2001
|
|
From: Jonathan Bell <jonathan@raspberrypi.com>
|
|
Date: Thu, 22 Sep 2022 14:55:54 +0100
|
|
Subject: [PATCH] usb: xhci: account for num_trbs_free when
|
|
invalidating TDs
|
|
|
|
If a ring has a number of TDs enqueued past the dequeue pointer, and the
|
|
URBs corresponding to these TDs are dequeued, then num_trbs_free isn't
|
|
updated to show that these TDs have been converted to no-ops and
|
|
effectively "freed". This means that num_trbs_free creeps downwards
|
|
until the count is exhausted, which then triggers xhci_ring_expansion()
|
|
and effectively leaks memory by infinitely growing the transfer ring.
|
|
|
|
This is commonly encounted through the use of a usb-serial port where
|
|
the port is repeatedly opened, read, then closed.
|
|
|
|
Move the num_trbs_free crediting out of the Set TR Dequeue Pointer
|
|
handling and into xhci_invalidate_cancelled_tds().
|
|
|
|
There is a potential for overestimating the actual space on the ring if
|
|
the ring is nearly full and TDs are arbitrarily enqueued by a device
|
|
driver while it is dequeueing them, but dequeues are usually batched
|
|
during device close/shutdown or endpoint error recovery.
|
|
|
|
See https://github.com/raspberrypi/linux/issues/5088
|
|
|
|
Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
|
|
---
|
|
drivers/usb/host/xhci-ring.c | 14 +++-----------
|
|
1 file changed, 3 insertions(+), 11 deletions(-)
|
|
|
|
--- a/drivers/usb/host/xhci-ring.c
|
|
+++ b/drivers/usb/host/xhci-ring.c
|
|
@@ -1013,11 +1013,13 @@ static int xhci_invalidate_cancelled_tds
|
|
td->urb->stream_id, td->urb,
|
|
cached_td->urb->stream_id, cached_td->urb);
|
|
cached_td = td;
|
|
+ ring->num_trbs_free += td->num_trbs;
|
|
break;
|
|
}
|
|
} else {
|
|
td_to_noop(xhci, ring, td, false);
|
|
td->cancel_status = TD_CLEARED;
|
|
+ ring->num_trbs_free += td->num_trbs;
|
|
}
|
|
}
|
|
|
|
@@ -1265,10 +1267,7 @@ static void update_ring_for_set_deq_comp
|
|
unsigned int ep_index)
|
|
{
|
|
union xhci_trb *dequeue_temp;
|
|
- int num_trbs_free_temp;
|
|
- bool revert = false;
|
|
|
|
- num_trbs_free_temp = ep_ring->num_trbs_free;
|
|
dequeue_temp = ep_ring->dequeue;
|
|
|
|
/* If we get two back-to-back stalls, and the first stalled transfer
|
|
@@ -1283,8 +1282,6 @@ static void update_ring_for_set_deq_comp
|
|
}
|
|
|
|
while (ep_ring->dequeue != dev->eps[ep_index].queued_deq_ptr) {
|
|
- /* We have more usable TRBs */
|
|
- ep_ring->num_trbs_free++;
|
|
ep_ring->dequeue++;
|
|
if (trb_is_link(ep_ring->dequeue)) {
|
|
if (ep_ring->dequeue ==
|
|
@@ -1294,15 +1291,10 @@ static void update_ring_for_set_deq_comp
|
|
ep_ring->dequeue = ep_ring->deq_seg->trbs;
|
|
}
|
|
if (ep_ring->dequeue == dequeue_temp) {
|
|
- revert = true;
|
|
+ xhci_dbg(xhci, "Unable to find new dequeue pointer\n");
|
|
break;
|
|
}
|
|
}
|
|
-
|
|
- if (revert) {
|
|
- xhci_dbg(xhci, "Unable to find new dequeue pointer\n");
|
|
- ep_ring->num_trbs_free = num_trbs_free_temp;
|
|
- }
|
|
}
|
|
|
|
/*
|