From patchwork Mon Aug 30 15:16:30 2021
X-Patchwork-Submitter: Juerg Haefliger
X-Patchwork-Id: 1522262
Received: from gollum.fritz.box ([194.191.244.86]) by smtp.gmail.com with ESMTPSA id n1sm15378527wrp.49.2021.08.30.08.17.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Aug 2021
08:17:03 -0700 (PDT) From: Juerg Haefliger X-Google-Original-From: Juerg Haefliger To: kernel-team@lists.ubuntu.com Subject: [SRU][F/raspi][H/raspi][PATCH 2/2] xhci: guard accesses to ep_state in xhci_endpoint_reset() Date: Mon, 30 Aug 2021 17:16:30 +0200 Message-Id: <20210830151630.289267-3-juergh@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210830151630.289267-1-juergh@canonical.com> References: <20210830151630.289267-1-juergh@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Jonathan Bell BugLink: https://bugs.launchpad.net/bugs/1930629 See https://github.com/raspberrypi/linux/issues/3981 Two read-modify-write cycles on ep->ep_state are not guarded by xhci->lock. Fix these. Signed-off-by: Jonathan Bell (cherry picked from commit cd04fbfe663b53bd9936f2b736da68fb8b21ffc8 rpi-5.10.y) Signed-off-by: Juerg Haefliger --- drivers/usb/host/xhci.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 27ce0e5c933b..21cbaba2edc8 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -3393,10 +3393,13 @@ static void xhci_endpoint_reset(struct usb_hcd *hcd, return; /* Bail out if toggle is already being cleared by a endpoint reset */ + spin_lock_irqsave(&xhci->lock, flags); if (ep->ep_state & EP_HARD_CLEAR_TOGGLE) { ep->ep_state &= ~EP_HARD_CLEAR_TOGGLE; + spin_unlock_irqrestore(&xhci->lock, flags); return; } + spin_unlock_irqrestore(&xhci->lock, flags); /* Only interrupt and bulk ep's use data toggle, USB2 spec 5.5.4-> */ if (usb_endpoint_xfer_control(&host_ep->desc) || usb_endpoint_xfer_isoc(&host_ep->desc)) 
@@ -3482,8 +3485,10 @@ static void xhci_endpoint_reset(struct usb_hcd *hcd, xhci_free_command(xhci, cfg_cmd); cleanup: xhci_free_command(xhci, stop_cmd); + spin_lock_irqsave(&xhci->lock, flags); if (ep->ep_state & EP_SOFT_CLEAR_TOGGLE) ep->ep_state &= ~EP_SOFT_CLEAR_TOGGLE; + spin_unlock_irqrestore(&xhci->lock, flags); } static int xhci_check_streams_endpoint(struct xhci_hcd *xhci,
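Review bot: In the first hunk (@@ -3393), `flags` is passed to spin_lock_irqsave() but none of the five added lines declares it, so the change depends on an existing `unsigned long flags` in xhci_endpoint_reset() that lies outside the visible context; please confirm it is present in both the F/raspi and H/raspi trees. The lock is also released before the usb_endpoint_xfer_control() / usb_endpoint_xfer_isoc() check, so only the test-and-clear of EP_HARD_CLEAR_TOGGLE becomes atomic. A short comment next to the new lock stating that ep->ep_state is protected by xhci->lock would document that scope, which the commit message only implies with "Fix these".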
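Review bot: In the second hunk (@@ -3482), the new spin_lock_irqsave(&xhci->lock, flags) sits directly under the `cleanup:` label, so every path that jumps to `cleanup` must already have dropped xhci->lock or this acquisition will self-deadlock. Those jumps are outside the visible context, so please check them in each target tree, since the patch is a cherry-pick from rpi-5.10.y. As a minor style point, once the lock is held the `if (ep->ep_state & EP_SOFT_CLEAR_TOGGLE)` test is redundant because clearing an unset bit is a no-op, although keeping it keeps the backport identical to the picked commit.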