Skip to content

Commit

Permalink
USB: OHCI: Fix race between ED unlink and URB submission
Browse files Browse the repository at this point in the history 
This patch fixes a bug introduced by commit 977dcfd ("USB: OHCI:
don't lose track of EDs when a controller dies").  The commit changed
ed_state from ED_UNLINK to ED_IDLE too early, before finish_urb() had
been called.  The user-visible consequence is that the driver
occasionally crashes or locks up when an URB is submitted while
another URB for the same endpoint is being unlinked.

This patch moves the ED state change later, to the right place.  The
drawback is that now we may unnecessarily execute some instructions
multiple times when a controller dies.  Since controllers dying is an
exceptional occurrence, a little wasted time won't matter.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Heiko Przybyl <lil_tux@web.de>
Tested-by: Heiko Przybyl <lil_tux@web.de>
Fixes: 977dcfd
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
Alan Stern authored and Greg Kroah-Hartman committed Jul 22, 2015
1 parent 2d2a316 commit 7d8021c
Showing 1 changed file with 1 addition and 6 deletions.
7 changes: 1 addition & 6 deletions drivers/usb/host/ohci-q.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -981,10 +981,6 @@ static void finish_unlinks(struct ohci_hcd *ohci)
int completed, modified;
__hc32 *prev;

/* Is this ED already invisible to the hardware? */
if (ed->state == ED_IDLE)
goto ed_idle;

/* only take off EDs that the HC isn't using, accounting for
* frame counter wraps and EDs with partially retired TDs
*/
Expand Down Expand Up @@ -1012,12 +1008,10 @@ static void finish_unlinks(struct ohci_hcd *ohci)
}

/* ED's now officially unlinked, hc doesn't see */
ed->state = ED_IDLE;
ed->hwHeadP &= ~cpu_to_hc32(ohci, ED_H);
ed->hwNextED = 0;
wmb();
ed->hwINFO &= ~cpu_to_hc32(ohci, ED_SKIP | ED_DEQUEUE);
ed_idle:

/* reentrancy: if we drop the schedule lock, someone might
* have modified this list. normally it's just prepending
Expand Down Expand Up @@ -1088,6 +1082,7 @@ static void finish_unlinks(struct ohci_hcd *ohci)
if (list_empty(&ed->td_list)) {
*last = ed->ed_next;
ed->ed_next = NULL;
ed->state = ED_IDLE;
list_del(&ed->in_use_list);
} else if (ohci->rh_state == OHCI_RH_RUNNING) {
*last = ed->ed_next;
Expand Down

0 comments on commit 7d8021c

Please sign in to comment.