From: Mathias Nyman <mathias.nyman@linux.intel.com>
To: <gregkh@linuxfoundation.org>
Cc: <linux-usb@vger.kernel.org>,
Pavankumar Kondeti <pkondeti@codeaurora.org>,
stable@vger.kernel.org,
Mathias Nyman <mathias.nyman@linux.intel.com>
Subject: [PATCH 4/5] xhci: Fix command ring pointer corruption while aborting a command
Date: Fri, 8 Oct 2021 12:25:46 +0300 [thread overview]
Message-ID: <20211008092547.3996295-5-mathias.nyman@linux.intel.com> (raw)
In-Reply-To: <20211008092547.3996295-1-mathias.nyman@linux.intel.com>
From: Pavankumar Kondeti <pkondeti@codeaurora.org>
The command ring pointer is located at [6:63] bits of the command
ring control register (CRCR). All the control bits like command stop,
abort are located at [0:3] bits. While aborting a command, we read the
CRCR and set the abort bit and write to the CRCR. The read will always
give command ring pointer as all zeros. So we essentially write only
the control bits. Since we split the 64 bit write into two 32 bit writes,
there is a possibility of xHC command ring stopped before the upper
dword (all zeros) is written. If that happens, xHC updates the upper
dword of its internal command ring pointer with all zeros. Next time,
when the command ring is restarted, we see xHC memory access failures.
Fix this issue by only writing to the lower dword of CRCR where all
control bits are located.
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
---
drivers/usb/host/xhci-ring.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 7dbd26a9bc24..311597bba80e 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -366,16 +366,22 @@ static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci,
/* Must be called with xhci->lock held, releases and aquires lock back */
static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags)
{
- u64 temp_64;
+ u32 temp_32;
int ret;
xhci_dbg(xhci, "Abort command ring\n");
reinit_completion(&xhci->cmd_ring_stop_completion);
- temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
- xhci_write_64(xhci, temp_64 | CMD_RING_ABORT,
- &xhci->op_regs->cmd_ring);
+ /*
+ * The control bits like command stop, abort are located in lower
+ * dword of the command ring control register. Limit the write
+ * to the lower dword to avoid corrupting the command ring pointer
+ * in case if the command ring is stopped by the time upper dword
+ * is written.
+ */
+ temp_32 = readl(&xhci->op_regs->cmd_ring);
+ writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);
/* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the
* completion of the Command Abort operation. If CRR is not negated in 5
--
2.25.1
next prev parent reply other threads:[~2021-10-08 9:23 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-08 9:25 [PATCH 0/5] xhci fixes for usb-linus Mathias Nyman
2021-10-08 9:25 ` [PATCH 1/5] xhci: guard accesses to ep_state in xhci_endpoint_reset() Mathias Nyman
2021-10-08 9:25 ` [PATCH 2/5] xhci: add quirk for host controllers that don't update endpoint DCS Mathias Nyman
2021-10-08 9:25 ` [PATCH 3/5] USB: xhci: dbc: fix tty registration race Mathias Nyman
2021-10-08 9:25 ` Mathias Nyman [this message]
2021-10-22 10:59 ` [PATCH 4/5] xhci: Fix command ring pointer corruption while aborting a command youling257
2021-10-22 11:00 ` youling 257
2021-10-25 11:21 ` Mathias Nyman
2021-10-25 15:01 ` youling 257
2021-10-25 15:21 ` Mathias Nyman
2021-10-26 10:49 ` Pavan Kondeti
2021-10-27 13:59 ` Mathias Nyman
2021-10-28 8:03 ` Pavan Kondeti
2021-10-29 12:48 ` Mathias Nyman
2021-10-29 12:51 ` [RFT PATCH] xhci: Fix commad ring abort, write all 64 bits to CRCR register Mathias Nyman
2021-10-29 15:35 ` youling 257
2021-11-01 8:37 ` Mathias Nyman
2021-11-01 3:31 ` Pavan Kondeti
2021-11-01 8:36 ` Mathias Nyman
2021-10-08 9:25 ` [PATCH 5/5] xhci: Enable trust tx length quirk for Fresco FL11 USB controller Mathias Nyman
2021-10-08 16:13 ` [PATCH 0/5] xhci fixes for usb-linus Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211008092547.3996295-5-mathias.nyman@linux.intel.com \
--to=mathias.nyman@linux.intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-usb@vger.kernel.org \
--cc=pkondeti@codeaurora.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.