Commit 370e2d20 authored Dec 03, 2024 by Mathias Nyman Committed by Yongqiang Liu Dec 03, 2024

xhci: fix giving back URB with incorrect status regression in 5.12

mainline inclusion
from mainline-v5.13-rc4
commit a80c203c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACV8P
CVE: CVE-2024-40927

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a80c203c3f1c06d2201c19ae071d0ae770a2b1ca



--------------------------------

5.12 kernel changes how xhci handles cancelled URBs and halted
endpoints. Among these changes cancelled and stalled URBs are no longer
given back before they are cleared from xHC hardware cache.

These changes unfortunately cleared the -EPIPE status of a stalled
transfer in one case before giving bak the URB, causing a USB card reader
to fail from working.

Fixes: 674f8438 ("xhci: split handling halted endpoints into two steps")
Cc: <stable@vger.kernel.org> # 5.12
Reported-by: Peter Ganzhorn <peter.ganzhorn@googlemail.com>
Tested-by: Peter Ganzhorn <peter.ganzhorn@googlemail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20210525074100.1154090-2-mathias.nyman@linux.intel.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

parent 3415469c

drivers/usb/host/xhci-ring.c

+1 −5

Original line number	Diff line number	Diff line
		@@ -831,14 +831,10 @@ static void xhci_giveback_invalidated_tds(struct xhci_virt_ep *ep)
		list_for_each_entry_safe(td, tmp_td, &ep->cancelled_td_list,
		cancelled_td_list) {

		/*
		* Doesn't matter what we pass for status, since the core will
		* just overwrite it (because the URB has been unlinked).
		*/
		ring = xhci_urb_to_transfer_ring(ep->xhci, td->urb);

		if (td->cancel_status == TD_CLEARED)
		xhci_td_cleanup(ep->xhci, td, ring, 0);
		xhci_td_cleanup(ep->xhci, td, ring, td->status);

		if (ep->xhci->xhc_state & XHCI_STATE_DYING)
		return;