Commit 274bcf15 authored by Mathias Nyman's avatar Mathias Nyman Committed by Yongqiang Liu
Browse files

xhci: use xhci_td_cleanup() helper when giving back cancelled URBs 

mainline inclusion
from mainline-v5.12-rc1
commit e1a29839
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACV8P
CVE: CVE-2024-40927

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e1a298390e987ddeb767cad18d913cb2782fda15



--------------------------------

use the existing xhci_td_cleanup() to give back cancelled TDs when a
ring is stopped.

A minor change to make sure we don't try to remove an already removed
td from the list is needed as cancelled TDs are already removed from the
td_list immediatelty when it's cancelled.

Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20210129130044.206855-18-mathias.nyman@linux.intel.com


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarYongqiang Liu <liuyongqiang13@huawei.com>
parent 74e85e88

drivers/usb/host/xhci-ring.c

+5 −7
Original line number Diff line number Diff line
@@ -795,8 +795,10 @@ static int xhci_td_cleanup(struct xhci_hcd *xhci, struct xhci_td *td, 
		urb->actual_length = 0;

		status = 0;

	}

	/* TD might be removed from td_list if we are giving back a cancelled URB */

	if (!list_empty(&td->td_list))

		list_del_init(&td->td_list);

	/* Was this TD slated to be cancelled but completed anyway? */

	/* Giving back a cancelled URB, or if a slated TD completed anyway */

	if (!list_empty(&td->cancelled_td_list))

		list_del_init(&td->cancelled_td_list);
@@ -995,15 +997,11 @@ static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id, 
				struct xhci_td, cancelled_td_list);

		list_del_init(&cur_td->cancelled_td_list);



		/* Clean up the cancelled URB */

		/* Doesn't matter what we pass for status, since the core will

		 * just overwrite it (because the URB has been unlinked).

		 */

		ep_ring = xhci_urb_to_transfer_ring(xhci, cur_td->urb);

		xhci_unmap_td_bounce_buffer(xhci, ep_ring, cur_td);

		inc_td_cnt(cur_td->urb);

		if (last_td_in_urb(cur_td))

			xhci_giveback_urb_in_irq(xhci, cur_td, 0);

		xhci_td_cleanup(xhci, cur_td, ep_ring, 0);



		/* Stop processing the cancelled list if the watchdog timer is

		 * running.