Re: Regression: plugging in USB scanner breaks all USB functionality

From: Robert Munteanu
Date: Fri Dec 03 2021 - 10:33:33 EST

Next message: Zhou Qingyang: "[PATCH v2] drm/gma500/cdv_intel_lvds: Fix a wild pointer dereference in cdv_intel_lvds_get_modes()"
Previous message: Andrea Monaco: "4.19.132: ENOENT is misleading when attempting exec of foreign executable"
In reply to: Greg Kroah-Hartman: "Re: Regression: plugging in USB scanner breaks all USB functionality"
Next in thread: Mathias Nyman: "Re: Regression: plugging in USB scanner breaks all USB functionality"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2021-12-02 at 16:17 +0100, Greg Kroah-Hartman wrote:
> On Thu, Dec 02, 2021 at 03:55:44PM +0100, Robert Munteanu wrote:
> > Hi,
> >
> > After updating from kernel 5.14.11 to 5.14.14 I am seeing the
> > following
> > problem:
>
> Can you run 'git bisect' between those kernel versions to get the
> offending commit located? It shouldn't take that long as there's not a
> lot of changes there.

A full bisect run, as suspected in other messages, results in

e54abefe703ab7c4e5983e889babd1447738ca42 is the first bad commit
commit e54abefe703ab7c4e5983e889babd1447738ca42
Author: Pavankumar Kondeti <pkondeti@xxxxxxxxxxxxxx>
Date: Fri Oct 8 12:25:46 2021 +0300

xhci: Fix command ring pointer corruption while aborting a command

commit ff0e50d3564f33b7f4b35cadeabd951d66cfc570 upstream.

The command ring pointer is located at [6:63] bits of the command
ring control register (CRCR). All the control bits like command
stop,
abort are located at [0:3] bits. While aborting a command, we read
the
CRCR and set the abort bit and write to the CRCR. The read will
always
give command ring pointer as all zeros. So we essentially write
only
the control bits. Since we split the 64 bit write into two 32 bit
writes,
there is a possibility of xHC command ring stopped before the upper
dword (all zeros) is written. If that happens, xHC updates the
upper
dword of its internal command ring pointer with all zeros. Next
time,
when the command ring is restarted, we see xHC memory access
failures.
Fix this issue by only writing to the lower dword of CRCR where all
control bits are located.

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Pavankumar Kondeti <pkondeti@xxxxxxxxxxxxxx>
Signed-off-by: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx>
Link:
https://lore.kernel.org/r/20211008092547.3996295-5-mathias.nyman@xxxxxxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

drivers/usb/host/xhci-ring.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

I will try the patch linked by Matias as soon as the openSUSE kernel
build is complete.

Thanks,
Robert

Next message: Zhou Qingyang: "[PATCH v2] drm/gma500/cdv_intel_lvds: Fix a wild pointer dereference in cdv_intel_lvds_get_modes()"
Previous message: Andrea Monaco: "4.19.132: ENOENT is misleading when attempting exec of foreign executable"
In reply to: Greg Kroah-Hartman: "Re: Regression: plugging in USB scanner breaks all USB functionality"
Next in thread: Mathias Nyman: "Re: Regression: plugging in USB scanner breaks all USB functionality"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]