usb: xhci: hold lock over xhci_abort_cmd_ring()

In command timer function, xhci_handle_command_timeout(), xhci->lock is unlocked before call into xhci_abort_cmd_ring(). This might cause race between the timer function and the event handler. The xhci_abort_cmd_ring() function sets the CMD_RING_ABORT bit in the command register and polling it until the setting takes effect. A stop command ring event might be handled between writing the abort bit and polling for it. The event handler will restart the command ring, which causes the failure of polling, and we ever believed that we failed to stop it. As a bonus, this also fixes some issues of calling functions without locking in xhci_handle_command_timeout(). Cc: <stable@vger.kernel.org> # 3.7+ Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Lu Baolu <baolu.lu@linux.intel.com> 2017-01-03 11:28:49 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-01-03 11:37:32 -0500
commit: 4dea70778c0f48b4385c7720c363ec8d37a401b4 (patch)
tree: 0686ab962da1dfddbbd61f9cd20e5414421a0fb2
parent: a5a1b9514154437aa1ed35c291191f82fd3e941a (diff)
1 files changed, 9 insertions, 4 deletions
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 935193c6bf23..2f453e442ac7 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1287,29 +1287,34 @@ void xhci_handle_command_timeout(unsigned long data)
        hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
        if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) &&
            (hw_ring_state & CMD_RING_RUNNING))  {
-                spin_unlock_irqrestore(&xhci->lock, flags);
                xhci_dbg(xhci, "Command timeout\n");
                ret = xhci_abort_cmd_ring(xhci);
                if (unlikely(ret == -ESHUTDOWN)) {
                        xhci_err(xhci, "Abort command ring failed\n");
                        xhci_cleanup_command_queue(xhci);
+                        spin_unlock_irqrestore(&xhci->lock, flags);
                        usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
                        xhci_dbg(xhci, "xHCI host controller is dead.\n");
+                        return;
                }
-                return;
+                goto time_out_completed;
        }
        /* command ring failed to restart, or host removed. Bail out */
        if (second_timeout || xhci->xhc_state & XHCI_STATE_REMOVING) {
-                spin_unlock_irqrestore(&xhci->lock, flags);
                xhci_dbg(xhci, "command timed out twice, ring start fail?\n");
                xhci_cleanup_command_queue(xhci);
-                return;
+                goto time_out_completed;
        }
        /* command timeout on stopped ring, ring can't be aborted */
        xhci_dbg(xhci, "Command timeout on stopped ring\n");
        xhci_handle_stopped_cmd_ring(xhci, xhci->current_cmd);
+time_out_completed:
        spin_unlock_irqrestore(&xhci->lock, flags);
        return;
 }
author	Lu Baolu <baolu.lu@linux.intel.com>	2017-01-03 11:28:49 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-01-03 11:37:32 -0500
commit	4dea70778c0f48b4385c7720c363ec8d37a401b4 (patch)
tree	0686ab962da1dfddbbd61f9cd20e5414421a0fb2
parent	a5a1b9514154437aa1ed35c291191f82fd3e941a (diff)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 935193c6bf23..2f453e442ac7 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c
@@ -1287,29 +1287,34 @@ void xhci_handle_command_timeout(unsigned long data)
1287	hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);	1287	hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
1288	if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) &&	1288	if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) &&
1289	(hw_ring_state & CMD_RING_RUNNING)) {	1289	(hw_ring_state & CMD_RING_RUNNING)) {
1290	spin_unlock_irqrestore(&xhci->lock, flags);
1291	xhci_dbg(xhci, "Command timeout\n");	1290	xhci_dbg(xhci, "Command timeout\n");
1292	ret = xhci_abort_cmd_ring(xhci);	1291	ret = xhci_abort_cmd_ring(xhci);
1293	if (unlikely(ret == -ESHUTDOWN)) {	1292	if (unlikely(ret == -ESHUTDOWN)) {
1294	xhci_err(xhci, "Abort command ring failed\n");	1293	xhci_err(xhci, "Abort command ring failed\n");
1295	xhci_cleanup_command_queue(xhci);	1294	xhci_cleanup_command_queue(xhci);
		1295	spin_unlock_irqrestore(&xhci->lock, flags);
1296	usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);	1296	usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
1297	xhci_dbg(xhci, "xHCI host controller is dead.\n");	1297	xhci_dbg(xhci, "xHCI host controller is dead.\n");
		1298
		1299	return;
1298	}	1300	}
1299	return;	1301
		1302	goto time_out_completed;
1300	}	1303	}
1301		1304
1302	/* command ring failed to restart, or host removed. Bail out */	1305	/* command ring failed to restart, or host removed. Bail out */
1303	if (second_timeout \|\| xhci->xhc_state & XHCI_STATE_REMOVING) {	1306	if (second_timeout \|\| xhci->xhc_state & XHCI_STATE_REMOVING) {
1304	spin_unlock_irqrestore(&xhci->lock, flags);
1305	xhci_dbg(xhci, "command timed out twice, ring start fail?\n");	1307	xhci_dbg(xhci, "command timed out twice, ring start fail?\n");
1306	xhci_cleanup_command_queue(xhci);	1308	xhci_cleanup_command_queue(xhci);
1307	return;	1309
		1310	goto time_out_completed;
1308	}	1311	}
1309		1312
1310	/* command timeout on stopped ring, ring can't be aborted */	1313	/* command timeout on stopped ring, ring can't be aborted */
1311	xhci_dbg(xhci, "Command timeout on stopped ring\n");	1314	xhci_dbg(xhci, "Command timeout on stopped ring\n");
1312	xhci_handle_stopped_cmd_ring(xhci, xhci->current_cmd);	1315	xhci_handle_stopped_cmd_ring(xhci, xhci->current_cmd);
		1316
		1317	time_out_completed:
1313	spin_unlock_irqrestore(&xhci->lock, flags);	1318	spin_unlock_irqrestore(&xhci->lock, flags);
1314	return;	1319	return;
1315	}	1320	}