xhci: Fix command ring abort, write all 64 bits to CRCR register.

Turns out some xHC controllers require all 64 bits in the CRCR register
to be written to execute a command abort.

The lower 32 bits containing the command abort bit are written first.
In case the command ring stops before we write the upper 32 bits then
hardware may use these upper bits to set the command ring dequeue pointer.

Solve this by making sure the upper 32 bits contain a valid command
ring dequeue pointer.

The original patch that only wrote the first 32 to stop the ring went
to stable, so this fix should go there as well.

Fixes: ff0e50d3564f ("xhci: Fix command ring pointer corruption while aborting a command")
Cc: stable@vger.kernel.org
Tested-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20211126122340.1193239-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Mathias Nyman and committed by Greg Kroah-Hartman 09f736aa d58071a8

+14 -7
drivers/usb/host/xhci-ring.c
··· 366 366 /* Must be called with xhci->lock held, releases and aquires lock back */ 367 367 static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags) 368 368 { 369 - u32 temp_32; 369 + struct xhci_segment *new_seg = xhci->cmd_ring->deq_seg; 370 + union xhci_trb *new_deq = xhci->cmd_ring->dequeue; 371 + u64 crcr; 370 372 int ret; 371 373 372 374 xhci_dbg(xhci, "Abort command ring\n"); ··· 377 375 378 376 /* 379 377 * The control bits like command stop, abort are located in lower 380 - * dword of the command ring control register. Limit the write 381 - * to the lower dword to avoid corrupting the command ring pointer 382 - * in case if the command ring is stopped by the time upper dword 383 - * is written. 378 + * dword of the command ring control register. 379 + * Some controllers require all 64 bits to be written to abort the ring. 380 + * Make sure the upper dword is valid, pointing to the next command, 381 + * avoiding corrupting the command ring pointer in case the command ring 382 + * is stopped by the time the upper dword is written. 384 383 */ 385 - temp_32 = readl(&xhci->op_regs->cmd_ring); 386 - writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring); 384 + next_trb(xhci, NULL, &new_seg, &new_deq); 385 + if (trb_is_link(new_deq)) 386 + next_trb(xhci, NULL, &new_seg, &new_deq); 387 + 388 + crcr = xhci_trb_virt_to_dma(new_seg, new_deq); 389 + xhci_write_64(xhci, crcr | CMD_RING_ABORT, &xhci->op_regs->cmd_ring); 387 390 388 391 /* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the 389 392 * completion of the Command Abort operation. If CRR is not negated in 5
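
Review bot: In the second hunk, the value returned by xhci_trb_virt_to_dma(new_seg, new_deq) is OR'ed with CMD_RING_ABORT and passed to xhci_write_64() without being checked. That helper returns 0 when it cannot translate the TRB, and in that case the upper dword would be zero instead of the valid dequeue pointer the new comment promises, which is the corruption this change is meant to avoid. Consider checking for crcr == 0 and handling or logging it before the write. Separately, the removed lines OR'ed the abort bit into the value read back with readl(), while the new value is built from the DMA address alone, so all other bits of the lower dword are now written as zero; if that is intended, a sentence in the comment saying so would help the next reader. The comment's "pointing to the next command" could also state that only a single link TRB is skipped after the first next_trb() call.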