CVE-2021-47434
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 22/05/2024
Last modified: 25/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

xhci: Fix command ring pointer corruption while aborting a command

The command ring pointer is located at [6:63] bits of the command
ring control register (CRCR). All the control bits like command stop,
abort are located at [0:3] bits. While aborting a command, we read the
CRCR and set the abort bit and write to the CRCR. The read will always
give command ring pointer as all zeros. So we essentially write only
the control bits. Since we split the 64 bit write into two 32 bit writes,
there is a possibility of xHC command ring stopped before the upper
dword (all zeros) is written. If that happens, xHC updates the upper
dword of its internal command ring pointer with all zeros. Next time,
when the command ring is restarted, we see xHC memory access failures.
Fix this issue by only writing to the lower dword of CRCR where all
control bits are located.
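
The race described above, as an added example that is not the kernel patch or driver code: a simplified C model of the controller side of CRCR, comparing the split 64-bit write with a lower-dword-only write. The struct, function names, bit macros, sample pointer value and the rule that pointer writes are latched only while the ring is stopped are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>

#define CRCR_ABORT   (1u << 2)  /* a control bit in CRCR[0:3] */
#define CRCR_RUNNING (1u << 3)  /* ring-running status bit */

/* Constructed model of the controller side of CRCR; not kernel code. */
struct xhc_model {
    uint64_t ring_ptr;    /* internal command ring pointer */
    int running;          /* command ring is running */
    int abort_pending;    /* abort accepted, ring not yet stopped */
    int stop_before_hi;   /* timing: ring stops before the upper dword lands */
};

/* Reads return the pointer field as zeros; only status is visible. */
static uint32_t crcr_read_lo(const struct xhc_model *x) {
    return x->running ? CRCR_RUNNING : 0;
}

static void crcr_write_lo(struct xhc_model *x, uint32_t v) {
    if (x->running && (v & CRCR_ABORT)) {
        if (x->stop_before_hi) x->running = 0;
        else x->abort_pending = 1;
    }
}

/* Model assumption: pointer writes are latched only while the ring is stopped. */
static void crcr_write_hi(struct xhc_model *x, uint32_t v) {
    if (!x->running)
        x->ring_ptr = (x->ring_ptr & 0xffffffffull) | ((uint64_t)v << 32);
}

/* Abort the ring and return the controller's pointer afterwards. */
uint64_t ptr_after_abort(int lower_dword_only, int stop_before_hi) {
    /* 0x00000001ffee0040 is a constructed sample pointer with a nonzero upper dword. */
    struct xhc_model x = { 0x00000001ffee0040ull, 1, 0, stop_before_hi };
    uint64_t v = crcr_read_lo(&x) | CRCR_ABORT;   /* upper dword is zero */
    crcr_write_lo(&x, (uint32_t)v);
    if (!lower_dword_only)
        crcr_write_hi(&x, (uint32_t)(v >> 32));   /* second half of split write */
    if (x.abort_pending) x.running = 0;           /* ring stops late */
    return x.ring_ptr;
}

int main(void) {
    printf("split write, early stop: %#llx\n", (unsigned long long)ptr_after_abort(0, 1));
    printf("split write, late stop:  %#llx\n", (unsigned long long)ptr_after_abort(0, 0));
    printf("lower dword only:        %#llx\n", (unsigned long long)ptr_after_abort(1, 1));
    return 0;
}
```

Only the split write combined with an early stop loses the upper dword, which is why the corruption is timing dependent.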
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.14.252 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.213 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.155 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.75 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.14.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15:rc5:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/01c2dcb67e71c351006dd17cbba86c26b7f61eaf
- https://git.kernel.org/stable/c/22bcb65ea41072ab5d03c0c6290e04e0df6d09a0
- https://git.kernel.org/stable/c/62c182b5e763e5f4062e72678e72ce3e02dd4d1b
- https://git.kernel.org/stable/c/dec944bb7079b37968cf69c8a438f91f15c4cc61
- https://git.kernel.org/stable/c/e54abefe703ab7c4e5983e889babd1447738ca42
- https://git.kernel.org/stable/c/ff0e50d3564f33b7f4b35cadeabd951d66cfc570



