From patchwork Fri Aug 9 12:44:07 2024
X-Patchwork-Submitter: Mathias Nyman
X-Patchwork-Id: 818543
From: Mathias Nyman
Cc: Marc Zyngier, Mathias Nyman, Wesley Cheng, stable@vger.kernel.org
Subject: [PATCH 1/2] usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup()
Date: Fri, 9 Aug 2024 15:44:07 +0300
Message-Id: <20240809124408.505786-2-mathias.nyman@linux.intel.com>
In-Reply-To: <20240809124408.505786-1-mathias.nyman@linux.intel.com>
References: <20240809124408.505786-1-mathias.nyman@linux.intel.com>
X-Mailing-List: linux-usb@vger.kernel.org

From: Marc Zyngier

If xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop
up the damage. If it fails early enough, before xhci->interrupters
is allocated but after xhci->max_interrupters has been set, which
happens in most (all?) cases, things get uglier, as xhci_mem_cleanup()
unconditionally dereferences xhci->interrupters. With prejudice.

Gate the interrupt freeing loop with a check on xhci->interrupters
being non-NULL.

Found while debugging a DMA allocation issue that led the XHCI driver
on this exact path.

Fixes: c99b38c41234 ("xhci: add support to allocate several interrupters")
Cc: Mathias Nyman
Cc: Wesley Cheng
Cc: Greg Kroah-Hartman
Signed-off-by: Marc Zyngier
Cc: stable@vger.kernel.org # 6.8+
Signed-off-by: Mathias Nyman
---
 drivers/usb/host/xhci-mem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index d7654f475daf..937ce5fd5809 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c 
@@ -1872,7 +1872,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) cancel_delayed_work_sync(&xhci->cmd_timer); - for (i = 0; i < xhci->max_interrupters; i++) { + for (i = 0; xhci->interrupters && i < xhci->max_interrupters; i++) { if (xhci->interrupters[i]) { xhci_remove_interrupter(xhci, xhci->interrupters[i]); xhci_free_interrupter(xhci, xhci->interrupters[i]);

From patchwork Fri Aug 9 12:44:08 2024
X-Patchwork-Submitter: Mathias Nyman
X-Patchwork-Id: 818253
From: Mathias Nyman
Cc: Niklas Neronin, Michal Pecio, Mathias Nyman
Subject: [PATCH 2/2] usb: xhci: fix duplicate stall handling in handle_tx_event()
Date: Fri, 9 Aug 2024 15:44:08 +0300
Message-Id: <20240809124408.505786-3-mathias.nyman@linux.intel.com>
In-Reply-To: <20240809124408.505786-1-mathias.nyman@linux.intel.com>
References: <20240809124408.505786-1-mathias.nyman@linux.intel.com>
X-Mailing-List: linux-usb@vger.kernel.org

From: Niklas Neronin

Stall handling is managed in the 'process_*' functions, which are called
right before the 'goto' stall handling code snippet. Thus, there should
be a return after the 'process_*' functions. Otherwise, the stall code may
run twice.

Fixes: 1b349f214ac7 ("usb: xhci: add 'goto' for halted endpoint check in handle_tx_event()")
Reported-by: Michal Pecio
Signed-off-by: Niklas Neronin
Signed-off-by: Mathias Nyman
---
 drivers/usb/host/xhci-ring.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index b7517c3c8059..4ea2c3e072a9 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -2910,6 +2910,7 @@ static int handle_tx_event(struct xhci_hcd *xhci, process_isoc_td(xhci, ep, ep_ring, td, ep_trb, event); else process_bulk_intr_td(xhci, ep, ep_ring, td, ep_trb, event); + return 0; check_endpoint_halted: if (xhci_halted_host_endpoint(ep_ctx, trb_comp_code))
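
Review bot: In the xhci_mem_cleanup() hunk of patch 1/2, the NULL test sits inside the loop condition ("xhci->interrupters && i < xhci->max_interrupters"), so it is re-evaluated on every iteration and reads like a per-element check, although it guards the whole array. An "if (xhci->interrupters)" around the loop would state the intent more directly and keep the loop header in its usual form. Separately, the subject line names xhci_mem_clearup(), while the function in the hunk is xhci_mem_cleanup(); worth fixing so the commit can be found by searching for the function name.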
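
Review bot: The "return 0;" added just before the check_endpoint_halted label in handle_tx_event() (patch 2/2) carries no comment, and with it in place the label can only be reached through a goto, which is easy to miss when reading the function top to bottom. A one-line comment above the return, saying that the process_*() functions already handle a stalled endpoint, would keep a later cleanup from dropping the return and bringing back the duplicate stall handling the commit message describes.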