xhci: detect stop endpoint race using pending timer instead of counter.
authorMathias Nyman <mathias.nyman@linux.intel.com>
Mon, 23 Jan 2017 12:19:53 +0000 (14:19 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 25 Jan 2017 09:57:34 +0000 (10:57 +0100)
A counter was used to find out if the stop endpoint completion raced with
the stop endpoint timeout timer. This was needed in case the stop ep
completion failed to delete the timer as it was running on anoter cpu.

The EP_STOP_CMD_PENDING flag was not enough as a new stop endpoint command
may be queued between the command completion and timeout function, which
would set the flag back.

Instead of the separate counter that was used we can detect the race by
checking both the STOP_EP_PENDING flag and timer_pending in the timeout
function.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/host/xhci-ring.c
drivers/usb/host/xhci.c
drivers/usb/host/xhci.h

index 213cb02cbfdbd17b1a5bb813392559682e5a58a2..2ce132b44525589effbdfce33cdd4b6629bcb70c 100644 (file)
@@ -627,12 +627,8 @@ static void xhci_stop_watchdog_timer_in_irq(struct xhci_hcd *xhci,
                struct xhci_virt_ep *ep)
 {
        ep->ep_state &= ~EP_STOP_CMD_PENDING;
-       /* Can't del_timer_sync in interrupt, so we attempt to cancel.  If the
-        * timer is running on another CPU, we don't decrement stop_cmds_pending
-        * (since we didn't successfully stop the watchdog timer).
-        */
-       if (del_timer(&ep->stop_cmd_timer))
-               ep->stop_cmds_pending--;
+       /* Can't del_timer_sync in interrupt */
+       del_timer(&ep->stop_cmd_timer);
 }
 
 /*
@@ -895,10 +891,8 @@ static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci,
  * simple flag to say whether there is a pending stop endpoint command for a
  * particular endpoint.
  *
- * Instead we use a combination of that flag and a counter for the number of
- * pending stop endpoint commands.  If the timer is the tail end of the last
- * stop endpoint command, and the endpoint's command is still pending, we assume
- * the host is dying.
+ * Instead we use a combination of that flag and checking if a new timer is
+ * pending.
  */
 void xhci_stop_endpoint_command_watchdog(unsigned long arg)
 {
@@ -912,13 +906,11 @@ void xhci_stop_endpoint_command_watchdog(unsigned long arg)
 
        spin_lock_irqsave(&xhci->lock, flags);
 
-       ep->stop_cmds_pending--;
-
-       if (ep->stop_cmds_pending || !(ep->ep_state & EP_STOP_CMD_PENDING)) {
-               xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
-                               "Stop EP timer ran, but no command pending, "
-                               "exiting.");
+       /* bail out if cmd completed but raced with stop ep watchdog timer.*/
+       if (!(ep->ep_state & EP_STOP_CMD_PENDING) ||
+           timer_pending(&ep->stop_cmd_timer)) {
                spin_unlock_irqrestore(&xhci->lock, flags);
+               xhci_dbg(xhci, "Stop EP timer raced with cmd completion, exit");
                return;
        }
 
@@ -927,7 +919,10 @@ void xhci_stop_endpoint_command_watchdog(unsigned long arg)
        /* Oops, HC is dead or dying or at least not responding to the stop
         * endpoint command.
         */
+
        xhci->xhc_state |= XHCI_STATE_DYING;
+       ep->ep_state &= ~EP_STOP_CMD_PENDING;
+
        /* Disable interrupts from the host controller and start halting it */
        xhci_quiesce(xhci);
        spin_unlock_irqrestore(&xhci->lock, flags);
index fcb3fa4a6f792a239cc246e8195ba63d3bef95d8..fb7a6dc00226250174c4868c5ccc69e0c7f52ed5 100644 (file)
@@ -1570,7 +1570,6 @@ int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
                        goto done;
                }
                ep->ep_state |= EP_STOP_CMD_PENDING;
-               ep->stop_cmds_pending++;
                ep->stop_cmd_timer.expires = jiffies +
                        XHCI_STOP_EP_CMD_TIMEOUT * HZ;
                add_timer(&ep->stop_cmd_timer);
index 198f40388344fa919cf4bcc707415c3c55a97a07..cdf8c037d481a048c9fcfad0757b7d1b974ff487 100644 (file)
@@ -924,7 +924,6 @@ struct xhci_virt_ep {
        unsigned int            stopped_stream;
        /* Watchdog timer for stop endpoint command to cancel URBs */
        struct timer_list       stop_cmd_timer;
-       int                     stop_cmds_pending;
        struct xhci_hcd         *xhci;
        /* Dequeue pointer and dequeue segment for a submitted Set TR Dequeue
         * command.  We'll need to update the ring's dequeue segment and dequeue