From patchwork Mon Aug 30 15:16:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Juerg Haefliger X-Patchwork-Id: 1522261 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=qn30gXp9; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Gyv7d3mCCz9sWc; Tue, 31 Aug 2021 01:17:17 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mKj2A-0004xJ-45; Mon, 30 Aug 2021 15:17:14 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mKj20-0004t8-2i for kernel-team@lists.ubuntu.com; Mon, 30 Aug 2021 15:17:04 +0000 Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com [209.85.221.71]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id E59233F226 for ; Mon, 30 Aug 2021 15:17:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1630336623; bh=OFdgOVOoOORPSI9XVCCQHb+nKoVC8189SPKknZiZ9wk=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=qn30gXp9s4U3EBvLJgpfs5k2qy8UNyWmX0s0qyHjMggp/AXocSJKJ7hiYXSS4m6UJ IoSD8if9ipAjVmW43MpLAhozItr1IcQ3M/kA6Z08HFAn17sguydg+oq981lW2ZR/wd Z8KqNa7htRqCyKueVir73CmyXY6KXctQXI7s5Zej9nYWsvFJBOFT7LWNdXhSMmqSpN uSobRjQWwBB5qIwl5DX55Ln1zxNGEcG9jcbVKYERN0vEjQATzWFLZdLer96eHFZOQn ciuem/8C6DsWwKGkW6CzRFPCTPx8t2MjQV2Qip/04lPHnN0xiXJbVVsMgwUPpW0gdB jwXDPi7EHgsog== Received: by mail-wr1-f71.google.com with SMTP id h14-20020a056000000e00b001575b00eb08so3369624wrx.13 for ; Mon, 30 Aug 2021 08:17:03 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=OFdgOVOoOORPSI9XVCCQHb+nKoVC8189SPKknZiZ9wk=; b=e2DiQLzK43indw7kmJCGbgUVWVIIDsS6RmjOY70qLpSE5BF2ptsfZT6buqhlGPNM+y w8f0e+6zpNw+qGeXhvELVF41sxVig4c33GWofEhVJcuWbcSuQvncYUwsd00i1XLUkgBn Yx4cHr1mx9ur3iI4o9ZibB8va0nnHAbQQpkLMCjxqzeysvO8RjKJjvMkI8mTxIDL8WMg xiFYeZkIrN5vo1NdyPjLqJ/qHY64VsteMG0BO7t+PWLLeBPGz37bVfzNWxGaQKhM9kWj hYN791Db3GbDV5C4otb0gxdE+xbIigDK+jkDcmA2G5x3bKdXKl2S127YbqBROILvT022 zJRA== X-Gm-Message-State: AOAM533G/hFBOtu6k544bsbgMDReeO7tcEUKVDsAMnDe/jiDsYJZjq93 bd9c6ce4LKJsI74ShZAK/jjCglF4huxPi/Wgz3Mp40/K0WcfaXBTTYlZp5paWc4EE1XWJmCOO3a trTrGi8+7xWQO+nvISpdD5IPDgd385AfWDcXMCHhqVg== X-Received: by 2002:adf:eacb:: with SMTP id o11mr26749682wrn.418.1630336623622; Mon, 30 Aug 2021 08:17:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxZPNCvLVreZXPeJLSD4ZE4ta1lisV+CH1rY9BqpPntBTRQkGQypwmfqscF1uXeSn7TQ1zNaw== X-Received: by 2002:adf:eacb:: with SMTP id o11mr26749659wrn.418.1630336623436; Mon, 30 Aug 2021 08:17:03 -0700 (PDT) Received: from gollum.fritz.box ([194.191.244.86]) by smtp.gmail.com with ESMTPSA id n1sm15378527wrp.49.2021.08.30.08.17.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Aug 2021 08:17:03 -0700 (PDT) From: Juerg Haefliger X-Google-Original-From: Juerg Haefliger To: kernel-team@lists.ubuntu.com Subject: [SRU][F/raspi][H/raspi][PATCH 1/2] usb: xhci: workaround for bogus SET_DEQ_PENDING endpoint state Date: Mon, 30 Aug 2021 17:16:29 +0200 Message-Id: <20210830151630.289267-2-juergh@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210830151630.289267-1-juergh@canonical.com> References: <20210830151630.289267-1-juergh@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Jonathan Bell BugLink: https://bugs.launchpad.net/bugs/1930629 See https://github.com/raspberrypi/linux/issues/3981 An unknown unsafe memory access can result in the ep_state variable in xhci_virt_ep being trampled with a stuck SET_DEQ_PENDING state despite successful completion of a Set TR Deq Pointer command. All URB enqueue/dequeue calls for the endpoint will fail in this state so no transfers are possible until the device is reconnected. As a workaround, clear the flag if we see it set and issue a new Set TR Deq command anyway - this should be harmless, as a prior Set TR Deq command will only have been issued in the Stopped state, and if the endpoint is Running then the controller is required to ignore it and respond with a Context State Error event TRB. Signed-off-by: Jonathan Bell (cherry picked from commit 9d6d498b5b5471fe9bab3e60bf2800c7490241b9 rpi-5.10.y) Signed-off-by: Juerg Haefliger --- drivers/usb/host/xhci-ring.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 9e15e442a4eb..96144c5077f8 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -4225,9 +4225,9 @@ void xhci_queue_new_dequeue_state(struct xhci_hcd *xhci, } ep = &xhci->devs[slot_id]->eps[ep_index]; if ((ep->ep_state & SET_DEQ_PENDING)) { - xhci_warn(xhci, "WARN Cannot submit Set TR Deq Ptr\n"); - xhci_warn(xhci, "A Set TR Deq Ptr command is pending.\n"); - return; + xhci_warn(xhci, "WARN A Set TR Deq Ptr command is pending for slot %u ep %u\n", + slot_id, ep_index); + ep->ep_state &= ~SET_DEQ_PENDING; } /* This function gets called from contexts where it cannot sleep */ From patchwork Mon Aug 30 15:16:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Juerg Haefliger X-Patchwork-Id: 1522262 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=I4sP2kCO; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Gyv7l5FYBz9sWS; Tue, 31 Aug 2021 01:17:23 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mKj2G-0004zO-AZ; Mon, 30 Aug 2021 15:17:20 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mKj20-0004tE-Jf for kernel-team@lists.ubuntu.com; Mon, 30 Aug 2021 15:17:04 +0000 Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com [209.85.128.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 6CD7D3F31C for ; Mon, 30 Aug 2021 15:17:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1630336624; bh=BzDTv882NxVV9/QMuezUt4F7bB/A62o5w9uZtiB2yIA=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=I4sP2kCOgN8zYvtKBiBDvR2rwxLwJvej+2husx0hjMBXPcwtVqgNi//YuXYgfOmaK 018K022X5wxvfgC0BdCwjG0S4hp6EvBOp2VhWzhRtBfUT+ZGhHIZa7uIZZGNLnY9ma t3+Buf9rJa+qUqEC4aQ1Hw6i0la41DAV4nrlfFcXgBqoLde+DJFxSTK8GlkpfrGHKU BCcM0y9rxdy/y5qU8BE3MIhus7VHOUwM7j/f0FwcsZz2AVaBN30LJ/kHOP+OWovXMN Zq+zJQ9ykYkyZxWPv16Syne2zmrI0Ck5hZ4NrbHelM2ygVoXW9P3KBatb13GI4V7H2 mR47SiuF/K+Xg== Received: by mail-wm1-f72.google.com with SMTP id c2-20020a7bc8420000b0290238db573ab7so10198387wml.5 for ; Mon, 30 Aug 2021 08:17:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=BzDTv882NxVV9/QMuezUt4F7bB/A62o5w9uZtiB2yIA=; b=ofeqlDymaZOxyNuwz4BmPzvYlMtamRVgBhqk4DaQ+W1UJYmcHcazl5WVgpHuCVrnJR BJh3pIP9JjQDJmGVuGijjGosJ+gC7BeDo0Xe2JMHqOo4SD+/ASBxEG8eLwseXmc0nkLF dK0TN09m7B0Z2LV5CoIhMj75/6R/njEqU1uesXvuHE8ACMEtFDVm5qpAkt9VxWm506qV hj1+eKb81MsrSFZpIperOYs5phbIuE1a26ksmLSo3q4qNpegil9UGJYQWLeoG6R4bW+E QWs7VtBBXErhpd2iw8SjGcwBMxlQV5aMSgo4BAyq/ZqtUyOBCZb6DKODy5HDK2IQtyW/ EKhg== X-Gm-Message-State: AOAM530+gnZqs2jMpqk/z5niXjaYI3IrPJXkv9uKP0zMyybiP/9HW5cW JQsjfpRwUHvoykshI0uBsKvYsOkyWxsaKr73BLR69Cw5fE16GjvOle9OyYoO1Uj3X7SzVJAyN+E uBiv/P/MFV5KB9CTjb/UFEk3ZFxfFvp++vJJ30+2SNQ== X-Received: by 2002:a05:600c:2f90:: with SMTP id t16mr34304056wmn.136.1630336624188; Mon, 30 Aug 2021 08:17:04 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxVQ4zP90ArXJFLJ8sIdcTAklLTPuQSwhJvdUEotEBnkBFDePobhvV6FUbpchTFEwfpCKzKNw== X-Received: by 2002:a05:600c:2f90:: with SMTP id t16mr34304032wmn.136.1630336623934; Mon, 30 Aug 2021 08:17:03 -0700 (PDT) Received: from gollum.fritz.box ([194.191.244.86]) by smtp.gmail.com with ESMTPSA id n1sm15378527wrp.49.2021.08.30.08.17.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Aug 2021 08:17:03 -0700 (PDT) From: Juerg Haefliger X-Google-Original-From: Juerg Haefliger To: kernel-team@lists.ubuntu.com Subject: [SRU][F/raspi][H/raspi][PATCH 2/2] xhci: guard accesses to ep_state in xhci_endpoint_reset() Date: Mon, 30 Aug 2021 17:16:30 +0200 Message-Id: <20210830151630.289267-3-juergh@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210830151630.289267-1-juergh@canonical.com> References: <20210830151630.289267-1-juergh@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Jonathan Bell BugLink: https://bugs.launchpad.net/bugs/1930629 See https://github.com/raspberrypi/linux/issues/3981 Two read-modify-write cycles on ep->ep_state are not guarded by xhci->lock. Fix these. Signed-off-by: Jonathan Bell (cherry picked from commit cd04fbfe663b53bd9936f2b736da68fb8b21ffc8 rpi-5.10.y) Signed-off-by: Juerg Haefliger --- drivers/usb/host/xhci.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 27ce0e5c933b..21cbaba2edc8 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -3393,10 +3393,13 @@ static void xhci_endpoint_reset(struct usb_hcd *hcd, return; /* Bail out if toggle is already being cleared by a endpoint reset */ + spin_lock_irqsave(&xhci->lock, flags); if (ep->ep_state & EP_HARD_CLEAR_TOGGLE) { ep->ep_state &= ~EP_HARD_CLEAR_TOGGLE; + spin_unlock_irqrestore(&xhci->lock, flags); return; } + spin_unlock_irqrestore(&xhci->lock, flags); /* Only interrupt and bulk ep's use data toggle, USB2 spec 5.5.4-> */ if (usb_endpoint_xfer_control(&host_ep->desc) || usb_endpoint_xfer_isoc(&host_ep->desc)) @@ -3482,8 +3485,10 @@ static void xhci_endpoint_reset(struct usb_hcd *hcd, xhci_free_command(xhci, cfg_cmd); cleanup: xhci_free_command(xhci, stop_cmd); + spin_lock_irqsave(&xhci->lock, flags); if (ep->ep_state & EP_SOFT_CLEAR_TOGGLE) ep->ep_state &= ~EP_SOFT_CLEAR_TOGGLE; + spin_unlock_irqrestore(&xhci->lock, flags); } static int xhci_check_streams_endpoint(struct xhci_hcd *xhci,