From 6babba42877cc2be6c953fe033eb41e901b5aef9 Mon Sep 17 00:00:00 2001
From: leoliu-oc
Date: Mon, 15 Jan 2024 18:31:57 +0800
Subject: [PATCH] xhci: guard accesses to ep_state in xhci_endpoint_reset()

ANBZ: #7911

commit a01ba2a3378be85538e0183ae5367c1bc1d5aaf3 upstream.

Two read-modify-write cycles on ep->ep_state are not guarded by xhci->lock. Fix these.

Fixes: f524946 ("xhci: Clear the host side toggle manually when endpoint is soft reset")
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Bell
Signed-off-by: Mathias Nyman
Link: https://lore.kernel.org/r/20211008092547.3996295-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: leoliu-oc
---
 drivers/usb/host/xhci.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 82cdc334de1d..d8b8fae58f29 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3073,10 +3073,13 @@ static void xhci_endpoint_reset(struct usb_hcd *hcd,
 ep = &vdev->eps[ep_index];

 /* Bail out if toggle is already being cleared by a endpoint reset */
+ spin_lock_irqsave(&xhci->lock, flags);
 if (ep->ep_state & EP_HARD_CLEAR_TOGGLE) {
 ep->ep_state &= ~EP_HARD_CLEAR_TOGGLE;
+ spin_unlock_irqrestore(&xhci->lock, flags);
 return;
 }
+ spin_unlock_irqrestore(&xhci->lock, flags);
 /* Only interrupt and bulk ep's use data toggle, USB2 spec 5.5.4-> */
 if (usb_endpoint_xfer_control(&host_ep->desc) ||
 usb_endpoint_xfer_isoc(&host_ep->desc))
@@ -3151,7 +3154,9 @@ static void xhci_endpoint_reset(struct usb_hcd *hcd,
 wait_for_completion(cfg_cmd->completion);

+ spin_lock_irqsave(&xhci->lock, flags);
 ep->ep_state &= ~EP_SOFT_CLEAR_TOGGLE;
+ spin_unlock_irqrestore(&xhci->lock, flags);
 xhci_free_command(xhci, cfg_cmd);
 cleanup:
 xhci_free_command(xhci, stop_cmd);
--
Gitee
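Review bot: In the first hunk the lock is released on the fall-through path right after the EP_HARD_CLEAR_TOGGLE check, so the bit observed here can still change between that spin_unlock_irqrestore() and whatever xhci_endpoint_reset() decides next about a soft toggle clear; that is only safe if every later ep_state update is also made under xhci->lock, which the second hunk suggests but this hunk cannot show. A short comment above the new spin_lock_irqsave() would make the locking rule explicit for the next reader, e.g. `/* ep->ep_state is read and modified only under xhci->lock */`. The `flags` and `xhci` locals used by the added lines are presumably declared in the function prologue, which lies before this hunk, and xhci_endpoint_reset() continues past both hunks.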