[PATCH 5.4 20/69] xhci: Fix command ring pointer corruption while aborting a command

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Pavankumar Kondeti <pkondeti@codeaurora.org>,
	Mathias Nyman <mathias.nyman@linux.intel.com>
Subject: [PATCH 5.4 20/69] xhci: Fix command ring pointer corruption while aborting a command
Date: Mon, 18 Oct 2021 15:24:18 +0200	[thread overview]
Message-ID: <20211018132330.137108183@linuxfoundation.org> (raw)
In-Reply-To: <20211018132329.453964125@linuxfoundation.org>

From: Pavankumar Kondeti <pkondeti@codeaurora.org>

commit ff0e50d3564f33b7f4b35cadeabd951d66cfc570 upstream.

The command ring pointer is located at [6:63] bits of the command
ring control register (CRCR). All the control bits like command stop,
abort are located at [0:3] bits. While aborting a command, we read the
CRCR and set the abort bit and write to the CRCR. The read will always
give command ring pointer as all zeros. So we essentially write only
the control bits. Since we split the 64 bit write into two 32 bit writes,
there is a possibility of xHC command ring stopped before the upper
dword (all zeros) is written. If that happens, xHC updates the upper
dword of its internal command ring pointer with all zeros. Next time,
when the command ring is restarted, we see xHC memory access failures.
Fix this issue by only writing to the lower dword of CRCR where all
control bits are located.

Cc: stable@vger.kernel.org
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20211008092547.3996295-5-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-ring.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -339,16 +339,22 @@ static void xhci_handle_stopped_cmd_ring
 /* Must be called with xhci->lock held, releases and aquires lock back */
 static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags)
 {
-	u64 temp_64;
+	u32 temp_32;
 	int ret;

 	xhci_dbg(xhci, "Abort command ring\n");

 	reinit_completion(&xhci->cmd_ring_stop_completion);

-	temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
-	xhci_write_64(xhci, temp_64 | CMD_RING_ABORT,
-			&xhci->op_regs->cmd_ring);
+	/*
+	 * The control bits like command stop, abort are located in lower
+	 * dword of the command ring control register. Limit the write
+	 * to the lower dword to avoid corrupting the command ring pointer
+	 * in case if the command ring is stopped by the time upper dword
+	 * is written.
+	 */
+	temp_32 = readl(&xhci->op_regs->cmd_ring);
+	writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);

 	/* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the
 	 * completion of the Command Abort operation. If CRR is not negated in 5

next prev parent reply	other threads:[~2021-10-18 13:37 UTC|newest]

Thread overview: 73+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-18 13:23 [PATCH 5.4 00/69] 5.4.155-rc1 review Greg Kroah-Hartman
2021-10-18 13:23 ` [PATCH 5.4 01/69] ovl: simplify file splice Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 02/69] ALSA: usb-audio: Add quirk for VF0770 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 03/69] ALSA: seq: Fix a potential UAF by wrong private_free call order Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 04/69] ALSA: hda/realtek: Complete partial device name to avoid ambiguity Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 05/69] ALSA: hda/realtek: Add quirk for Clevo X170KM-G Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 06/69] ALSA: hda/realtek - ALC236 headset MIC recording issue Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 07/69] ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 08/69] nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^ Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 09/69] s390: fix strrchr() implementation Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 10/69] csky: dont let sigreturn play with priveleged bits of status register Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 11/69] csky: Fixup regs.sr broken in ptrace Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 12/69] btrfs: unlock newly allocated extent buffer after error Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 13/69] btrfs: deal with errors when replaying dir entry during log replay Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 14/69] btrfs: deal with errors when adding inode reference " Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 15/69] btrfs: check for error when looking up inode during dir entry replay Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 16/69] watchdog: orion: use 0 for unset heartbeat Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 17/69] x86/resctrl: Free the ctrlval arrays when domain_setup_mon_state() fails Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 18/69] mei: me: add Ice Lake-N device id Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 19/69] xhci: guard accesses to ep_state in xhci_endpoint_reset() Greg Kroah-Hartman
2021-10-18 13:24 ` Greg Kroah-Hartman [this message]
2021-10-18 13:24 ` [PATCH 5.4 21/69] xhci: Enable trust tx length quirk for Fresco FL11 USB controller Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 22/69] cb710: avoid NULL pointer subtraction Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 23/69] efi/cper: use stack buffer for error record decoding Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 24/69] efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 25/69] usb: musb: dsps: Fix the probe error path Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 26/69] Input: xpad - add support for another USB ID of Nacon GC-100 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 27/69] USB: serial: qcserial: add EM9191 QDL support Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 28/69] USB: serial: option: add Quectel EC200S-CN module support Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 29/69] USB: serial: option: add Telit LE910Cx composition 0x1204 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 30/69] USB: serial: option: add prod. id for Quectel EG91 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 31/69] virtio: write back F_VERSION_1 before validate Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 32/69] EDAC/armada-xp: Fix output of uncorrectable error counter Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 33/69] nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 34/69] KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest() Greg Kroah-Hartman
2021-10-19 10:34   ` Michael Ellerman
2021-10-18 13:24 ` [PATCH 5.4 35/69] KVM: PPC: Book3S HV: Make idle_kvm_start_guest() return 0 if it went to guest Greg Kroah-Hartman
2021-10-19 10:54   ` Michael Ellerman
2021-10-18 13:24 ` [PATCH 5.4 36/69] x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT automatically Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 37/69] powerpc/xive: Discard disabled interrupts in get_irqchip_state() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 38/69] iio: adc: aspeed: set driver data when adc probe Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 39/69] iio: adc128s052: Fix the error handling path of adc128_probe() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 40/69] iio: mtk-auxadc: fix case IIO_CHAN_INFO_PROCESSED Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 41/69] iio: light: opt3001: Fixed timeout error when 0 lux Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 42/69] iio: ssp_sensors: add more range checking in ssp_parse_dataframe() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 43/69] iio: ssp_sensors: fix error code in ssp_print_mcu_debug() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 44/69] iio: dac: ti-dac5571: fix an error code in probe() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 45/69] sctp: account stream padding length for reconf chunk Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 46/69] gpio: pca953x: Improve bias setting Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 47/69] net: arc: select CRC32 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 48/69] net: korina: " Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 49/69] net/mlx5e: Mutually exclude RX-FCS and RX-port-timestamp Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 50/69] net: stmmac: fix get_hw_feature() on old hardware Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 51/69] net: encx24j600: check error in devm_regmap_init_encx24j600 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 52/69] ethernet: s2io: fix setting mac address during resume Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 53/69] nfc: fix error handling of nfc_proto_register() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 54/69] NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 55/69] NFC: digital: fix possible memory leak in digital_in_send_sdd_req() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 56/69] pata_legacy: fix a couple uninitialized variable bugs Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 57/69] ata: ahci_platform: fix null-ptr-deref in ahci_platform_enable_regulators() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 58/69] mlxsw: thermal: Fix out-of-bounds memory accesses Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 59/69] platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 60/69] drm/panel: olimex-lcd-olinuxino: select CRC32 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 61/69] drm/msm: Fix null pointer dereference on pointer edp Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 62/69] drm/msm/mdp5: fix cursor-related warnings Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 63/69] drm/msm/dsi: Fix an error code in msm_dsi_modeset_init() Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 64/69] drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 65/69] acpi/arm64: fix next_platform_timer() section mismatch error Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 66/69] mqprio: Correct stats in mqprio_dump_class_stats() Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 67/69] qed: Fix missing error code in qed_slowpath_start() Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 68/69] r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256 Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 69/69] ionic: dont remove netdev->dev_addr when syncing uc list Greg Kroah-Hartman
2021-10-18 14:11 ` [PATCH 5.4 00/69] 5.4.155-rc1 review Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211018132330.137108183@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mathias.nyman@linux.intel.com \
    --cc=pkondeti@codeaurora.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox