Unverified Commit 5b9f9daa authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!9471 CVE-2021-47434 

Merge Pull Request from: @ci-robot 
 
PR sync from: Yuan Can <yuancan@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/4FPTZYCOGAJAQZLYTH4OOZG3AT5XUB3R/ 
Mathias Nyman (1):
  xhci: Fix commad ring abort, write all 64 bits to CRCR register.

Pavankumar Kondeti (1):
  xhci: Fix command ring pointer corruption while aborting a command


-- 
2.17.1
 
https://gitee.com/src-openeuler/kernel/issues/I9RB55 
 
Link:https://gitee.com/openeuler/kernel/pulls/9471

 

Reviewed-by: default avatarWeilong Chen <chenweilong@huawei.com>
Reviewed-by: default avatarLiu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
parents 2acc543f 9db0f118

drivers/usb/host/xhci-ring.c

+17 −4
Original line number Diff line number Diff line
@@ -339,16 +339,29 @@ static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci, 
/* Must be called with xhci->lock held, releases and aquires lock back */

static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags)

{

	u64 temp_64;

	struct xhci_segment *new_seg	= xhci->cmd_ring->deq_seg;

	union xhci_trb *new_deq		= xhci->cmd_ring->dequeue;

	u64 crcr;

	int ret;



	xhci_dbg(xhci, "Abort command ring\n");



	reinit_completion(&xhci->cmd_ring_stop_completion);



	temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);

	xhci_write_64(xhci, temp_64 | CMD_RING_ABORT,

			&xhci->op_regs->cmd_ring);

	/*

	 * The control bits like command stop, abort are located in lower

	 * dword of the command ring control register.

	 * Some controllers require all 64 bits to be written to abort the ring.

	 * Make sure the upper dword is valid, pointing to the next command,

	 * avoiding corrupting the command ring pointer in case the command ring

	 * is stopped by the time the upper dword is written.

	 */

	next_trb(xhci, NULL, &new_seg, &new_deq);

	if (trb_is_link(new_deq))

		next_trb(xhci, NULL, &new_seg, &new_deq);



	crcr = xhci_trb_virt_to_dma(new_seg, new_deq);

	xhci_write_64(xhci, crcr | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);



	/* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the

	 * completion of the Command Abort operation. If CRR is not negated in 5