From: Mathias Nyman mathias.nyman@linux.intel.com
mainline inclusion
from mainline-v5.12-rc1
commit e1a298390e987ddeb767cad18d913cb2782fda15
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACV8P
CVE: CVE-2024-40927
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
Use the existing xhci_td_cleanup() to give back cancelled TDs when a ring is stopped.
A minor change to make sure we don't try to remove an already removed td from the list is needed as cancelled TDs are already removed from the td_list immediately when it's cancelled.
Signed-off-by: Mathias Nyman mathias.nyman@linux.intel.com
Link: https://lore.kernel.org/r/20210129130044.206855-18-mathias.nyman@linux.intel...
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com
---
 drivers/usb/host/xhci-ring.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 5abd9e69391a..aeb929253a19 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -795,8 +795,10 @@ static int xhci_td_cleanup(struct xhci_hcd *xhci, struct xhci_td *td, urb->actual_length = 0; status = 0; } - list_del_init(&td->td_list); - /* Was this TD slated to be cancelled but completed anyway? */ + /* TD might be removed from td_list if we are giving back a cancelled URB */ + if (!list_empty(&td->td_list)) + list_del_init(&td->td_list); + /* Giving back a cancelled URB, or if a slated TD completed anyway */ if (!list_empty(&td->cancelled_td_list)) list_del_init(&td->cancelled_td_list);
@@ -995,15 +997,11 @@ static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id, struct xhci_td, cancelled_td_list); list_del_init(&cur_td->cancelled_td_list);
- /* Clean up the cancelled URB */ /* Doesn't matter what we pass for status, since the core will * just overwrite it (because the URB has been unlinked). */ ep_ring = xhci_urb_to_transfer_ring(xhci, cur_td->urb); - xhci_unmap_td_bounce_buffer(xhci, ep_ring, cur_td); - inc_td_cnt(cur_td->urb); - if (last_td_in_urb(cur_td)) - xhci_giveback_urb_in_irq(xhci, cur_td, 0); + xhci_td_cleanup(xhci, cur_td, ep_ring, 0);
/* Stop processing the cancelled list if the watchdog timer is * running.
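Review bot: the new `if (!list_empty(&td->td_list))` guard in xhci_td_cleanup() is only safe if the cancellation path removed the TD with list_del_init(), and nothing in this hunk shows or states that. After a plain list_del() the entry holds poison pointers, so list_empty() returns false and the list_del_init() below the guard would still run on a stale node. Suggest extending the new comment to name the function that takes cancelled TDs off td_list and to say that it uses list_del_init(), so the dependency is visible at the point where it matters.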
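Review bot: the `xhci_td_cleanup(xhci, cur_td, ep_ring, 0);` call in xhci_handle_cmd_stop_ep() drops the helper's int return value and now runs all of the helper's logic for cancelled TDs, not just the three steps it replaces. The context lines of the first hunk show the helper has a branch that sets `urb->actual_length = 0; status = 0;`, which the open-coded unmap / inc_td_cnt() / giveback sequence never did. The commit message should say whether that branch can be taken for an unlinked URB and why ignoring the return value is correct here. The `list_del_init(&cur_td->cancelled_td_list);` kept just above the call is also now duplicated by the guarded removal inside the helper; it is harmless, but one of the two could go.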