Commit df0a1ce9 authored by Alan Stern's avatar Alan Stern Committed by Kamal Mostafa

USB: OHCI: Fix race between ED unlink and URB submission

commit 7d8021c9 upstream.

This patch fixes a bug introduced by commit 977dcfdc ("USB: OHCI:
don't lose track of EDs when a controller dies").  The commit changed
ed_state from ED_UNLINK to ED_IDLE too early, before finish_urb() had
been called.  The user-visible consequence is that the driver
occasionally crashes or locks up when an URB is submitted while
another URB for the same endpoint is being unlinked.

This patch moves the ED state change later, to the right place.  The
drawback is that now we may unnecessarily execute some instructions
multiple times when a controller dies.  Since controllers dying is an
exceptional occurrence, a little wasted time won't matter.
Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Reported-by: default avatarHeiko Przybyl <lil_tux@web.de>
Tested-by: default avatarHeiko Przybyl <lil_tux@web.de>
Fixes: 977dcfdcSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
parent dd0ed483
...@@ -929,10 +929,6 @@ finish_unlinks (struct ohci_hcd *ohci, u16 tick) ...@@ -929,10 +929,6 @@ finish_unlinks (struct ohci_hcd *ohci, u16 tick)
int completed, modified; int completed, modified;
__hc32 *prev; __hc32 *prev;
/* Is this ED already invisible to the hardware? */
if (ed->state == ED_IDLE)
goto ed_idle;
/* only take off EDs that the HC isn't using, accounting for /* only take off EDs that the HC isn't using, accounting for
* frame counter wraps and EDs with partially retired TDs * frame counter wraps and EDs with partially retired TDs
*/ */
...@@ -963,14 +959,12 @@ finish_unlinks (struct ohci_hcd *ohci, u16 tick) ...@@ -963,14 +959,12 @@ finish_unlinks (struct ohci_hcd *ohci, u16 tick)
} }
/* ED's now officially unlinked, hc doesn't see */ /* ED's now officially unlinked, hc doesn't see */
ed->state = ED_IDLE;
if (quirk_zfmicro(ohci) && ed->type == PIPE_INTERRUPT) if (quirk_zfmicro(ohci) && ed->type == PIPE_INTERRUPT)
ohci->eds_scheduled--; ohci->eds_scheduled--;
ed->hwHeadP &= ~cpu_to_hc32(ohci, ED_H); ed->hwHeadP &= ~cpu_to_hc32(ohci, ED_H);
ed->hwNextED = 0; ed->hwNextED = 0;
wmb(); wmb();
ed->hwINFO &= ~cpu_to_hc32(ohci, ED_SKIP | ED_DEQUEUE); ed->hwINFO &= ~cpu_to_hc32(ohci, ED_SKIP | ED_DEQUEUE);
ed_idle:
/* reentrancy: if we drop the schedule lock, someone might /* reentrancy: if we drop the schedule lock, someone might
* have modified this list. normally it's just prepending * have modified this list. normally it's just prepending
...@@ -1041,6 +1035,7 @@ finish_unlinks (struct ohci_hcd *ohci, u16 tick) ...@@ -1041,6 +1035,7 @@ finish_unlinks (struct ohci_hcd *ohci, u16 tick)
if (list_empty(&ed->td_list)) { if (list_empty(&ed->td_list)) {
*last = ed->ed_next; *last = ed->ed_next;
ed->ed_next = NULL; ed->ed_next = NULL;
ed->state = ED_IDLE;
} else if (ohci->rh_state == OHCI_RH_RUNNING) { } else if (ohci->rh_state == OHCI_RH_RUNNING) {
*last = ed->ed_next; *last = ed->ed_next;
ed->ed_next = NULL; ed->ed_next = NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment