On Wed, 26 Feb 2025 08:02:55 +0100, Michal Pecio wrote:
> After d56b0b2ab142, TDs are immediately skipped when handling those
> Stopped events. This poses a potential problem in case of Stopped -
> Length Invalid, which occurs either on completed TDs (likely already
> given back) or Link and No-Op TRBs. Such event won't be recognized
> as matching any TD (unless it's the rare Link TRB inside a TD) and
> will result in skipping all pending TDs, giving them back possibly
> before they are done, risking isoc data loss and maybe UAF by HW.

Actually, Stopped and Stopped - Short Packet may be unsafe too. As far
as I understand, one of those (depending on SPC capability) can occur
on the second TRB of a TD whose first TRB completed with Short Packet.
Then the TD is already given back and removed from td_list, so no match
will be found with this Stopped event.

I suspect this is the reason why the driver has a policy to silently
ignore Stopped events which don't match the pending TD, and not only
Stopped - Length Invalid. Not sure why Stopped - Short Packet isn't
also ignored and yet apparently doesn't cause problems.
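
A simplified model of the matching problem discussed in this message, added here as an illustration; it is not code from xhci-hcd or from the poster. The `struct td` layout, the addresses and the `ignore_unmatched_stopped` switch are assumptions made for the example; only the completion-code numbers follow the xHCI specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Completion codes as numbered in the xHCI specification. */
enum { COMP_STOPPED = 26, COMP_STOPPED_LENGTH_INVALID = 27, COMP_STOPPED_SHORT_PACKET = 28 };

/* Toy TD: a run of 16-byte TRBs (constructed layout, not the driver's struct). */
struct td { uint64_t first_trb, last_trb; bool given_back; };

/* Index of the pending TD containing trb_dma, or -1 if none matches. */
static int find_td(const struct td *tds, int n, uint64_t trb_dma)
{
    for (int i = 0; i < n; i++)
        if (!tds[i].given_back && trb_dma >= tds[i].first_trb && trb_dma <= tds[i].last_trb)
            return i;
    return -1;
}

/* Returns how many pending TDs get given back because the event matched none.
 * ignore_unmatched_stopped models the "silently ignore" policy from the mail. */
static int handle_event(struct td *tds, int n, uint64_t trb_dma, int code, bool ignore_unmatched_stopped)
{
    bool stopped = code >= COMP_STOPPED && code <= COMP_STOPPED_SHORT_PACKET;
    int given = 0;

    if (find_td(tds, n, trb_dma) >= 0)
        return 0;               /* matched: normal completion path, not modelled */
    if (stopped && ignore_unmatched_stopped)
        return 0;               /* drop the event, leave the pending list alone */
    for (int i = 0; i < n; i++)
        if (!tds[i].given_back) { tds[i].given_back = true; given++; }
    return given;
}

/* Constructed scenario: TD0 was given back after Short Packet on its first TRB,
 * then a Stopped-class event arrives for TD0's second TRB (0x1010). */
static int run_scenario(int code, bool ignore_unmatched_stopped)
{
    struct td tds[3] = { { 0x1000, 0x1010, true }, { 0x1020, 0x1030, false }, { 0x1040, 0x1050, false } };
    return handle_event(tds, 3, 0x1010, code, ignore_unmatched_stopped);
}

int main(void)
{
    printf("skip on miss:   %d pending TDs given back\n", run_scenario(COMP_STOPPED, false));
    printf("ignore on miss: %d pending TDs given back\n", run_scenario(COMP_STOPPED, true));
    return 0;
}
```

In the model, skipping on a miss hands back both TDs that the hardware may still be writing to, while ignoring the unmatched Stopped event leaves them pending.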