aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJean Tourrilhes <jt@hpl.hp.com>2006-02-20 01:28:25 -0500
committerDavid S. Miller <davem@davemloft.net>2006-02-20 01:28:25 -0500
commit669d32a293a348e692c365ddac2b23f3b907fcf1 (patch)
tree3ff874623fd3200bf4dc2ca23b39e589a1b6fbf1
parentbc6e14b6f0b06fe93d809d22e257ddd275feeda9 (diff)
[IRDA]: irda-usb bug fixes
This patch fixes 2 bugs in the USB-IrDA code. The first one is a buffer overrun in the RX path. We are now using IRDA_SKB_MAX_MTU when initializing the Rx URB. The second one is a potential stack recursion when unplugging the USB dongle. It seems that first we get the Rx URB with a generic error code, and after a while the Rx URB comes again with a "disconnect" error code. Since we are resubmitting the Rx URB immediately after receiving the first error one, we might enter an endless loop. When getting an error Rx URB, the patch defers the Rx URB resubmitting so that it gives us a chance to catch the disconnect one, in case the dongle has juts been unplugged. Tested against 2.6.16-rc2. Patch from Jean Tourrilhes Signed-off-by: Jean Tourrilhes <jt@hpl.hp.com> Signed-off-by: Samuel Ortiz <samuel.ortiz@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/irda/irda-usb.c90
-rw-r--r--drivers/net/irda/irda-usb.h7
2 files changed, 79 insertions, 18 deletions
diff --git a/drivers/net/irda/irda-usb.c b/drivers/net/irda/irda-usb.c
index fa176ffb4ad5..8936058a3cce 100644
--- a/drivers/net/irda/irda-usb.c
+++ b/drivers/net/irda/irda-usb.c
@@ -108,6 +108,7 @@ static void irda_usb_close(struct irda_usb_cb *self);
108static void speed_bulk_callback(struct urb *urb, struct pt_regs *regs); 108static void speed_bulk_callback(struct urb *urb, struct pt_regs *regs);
109static void write_bulk_callback(struct urb *urb, struct pt_regs *regs); 109static void write_bulk_callback(struct urb *urb, struct pt_regs *regs);
110static void irda_usb_receive(struct urb *urb, struct pt_regs *regs); 110static void irda_usb_receive(struct urb *urb, struct pt_regs *regs);
111static void irda_usb_rx_defer_expired(unsigned long data);
111static int irda_usb_net_open(struct net_device *dev); 112static int irda_usb_net_open(struct net_device *dev);
112static int irda_usb_net_close(struct net_device *dev); 113static int irda_usb_net_close(struct net_device *dev);
113static int irda_usb_net_ioctl(struct net_device *dev, struct ifreq *rq, int cmd); 114static int irda_usb_net_ioctl(struct net_device *dev, struct ifreq *rq, int cmd);
@@ -677,6 +678,12 @@ static void irda_usb_net_timeout(struct net_device *netdev)
677 * on the interrupt pipe and hang the Rx URB only when an interrupt is 678 * on the interrupt pipe and hang the Rx URB only when an interrupt is
678 * received. 679 * received.
679 * Jean II 680 * Jean II
681 *
682 * Note : don't read the above as what we are currently doing, but as
683 * something we could do with KC dongle. Also don't forget that the
684 * interrupt pipe is not part of the original standard, so this would
685 * need to be optional...
686 * Jean II
680 */ 687 */
681 688
682/*------------------------------------------------------------------*/ 689/*------------------------------------------------------------------*/
@@ -704,10 +711,8 @@ static void irda_usb_submit(struct irda_usb_cb *self, struct sk_buff *skb, struc
704 /* Reinitialize URB */ 711 /* Reinitialize URB */
705 usb_fill_bulk_urb(urb, self->usbdev, 712 usb_fill_bulk_urb(urb, self->usbdev,
706 usb_rcvbulkpipe(self->usbdev, self->bulk_in_ep), 713 usb_rcvbulkpipe(self->usbdev, self->bulk_in_ep),
707 skb->data, skb->truesize, 714 skb->data, IRDA_SKB_MAX_MTU,
708 irda_usb_receive, skb); 715 irda_usb_receive, skb);
709 /* Note : unlink *must* be synchronous because of the code in
710 * irda_usb_net_close() -> free the skb - Jean II */
711 urb->status = 0; 716 urb->status = 0;
712 717
713 /* Can be called from irda_usb_receive (irq handler) -> GFP_ATOMIC */ 718 /* Can be called from irda_usb_receive (irq handler) -> GFP_ATOMIC */
@@ -734,6 +739,7 @@ static void irda_usb_receive(struct urb *urb, struct pt_regs *regs)
734 struct irda_skb_cb *cb; 739 struct irda_skb_cb *cb;
735 struct sk_buff *newskb; 740 struct sk_buff *newskb;
736 struct sk_buff *dataskb; 741 struct sk_buff *dataskb;
742 struct urb *next_urb;
737 int docopy; 743 int docopy;
738 744
739 IRDA_DEBUG(2, "%s(), len=%d\n", __FUNCTION__, urb->actual_length); 745 IRDA_DEBUG(2, "%s(), len=%d\n", __FUNCTION__, urb->actual_length);
@@ -755,20 +761,37 @@ static void irda_usb_receive(struct urb *urb, struct pt_regs *regs)
755 if (urb->status != 0) { 761 if (urb->status != 0) {
756 switch (urb->status) { 762 switch (urb->status) {
757 case -EILSEQ: 763 case -EILSEQ:
758 self->stats.rx_errors++;
759 self->stats.rx_crc_errors++; 764 self->stats.rx_crc_errors++;
760 break; 765 /* Also precursor to a hot-unplug on UHCI. */
766 /* Fallthrough... */
761 case -ECONNRESET: /* -104 */ 767 case -ECONNRESET: /* -104 */
762 IRDA_DEBUG(0, "%s(), Connection Reset (-104), transfer_flags 0x%04X \n", __FUNCTION__, urb->transfer_flags); 768 /* Random error, if I remember correctly */
763 /* uhci_cleanup_unlink() is going to kill the Rx 769 /* uhci_cleanup_unlink() is going to kill the Rx
764 * URB just after we return. No problem, at this 770 * URB just after we return. No problem, at this
765 * point the URB will be idle ;-) - Jean II */ 771 * point the URB will be idle ;-) - Jean II */
766 break; 772 case -ESHUTDOWN: /* -108 */
773 /* That's usually a hot-unplug. Submit will fail... */
774 case -ETIMEDOUT: /* -110 */
775 /* Usually precursor to a hot-unplug on OHCI. */
767 default: 776 default:
768 IRDA_DEBUG(0, "%s(), RX status %d,transfer_flags 0x%04X \n", __FUNCTION__, urb->status, urb->transfer_flags); 777 self->stats.rx_errors++;
778 IRDA_DEBUG(0, "%s(), RX status %d, transfer_flags 0x%04X \n", __FUNCTION__, urb->status, urb->transfer_flags);
769 break; 779 break;
770 } 780 }
771 goto done; 781 /* If we received an error, we don't want to resubmit the
782 * Rx URB straight away but to give the USB layer a little
783 * bit of breathing room.
784 * We are in the USB thread context, therefore there is a
785 * danger of recursion (new URB we submit fails, we come
786 * back here).
787 * With recent USB stack (2.6.15+), I'm seeing that on
788 * hot unplug of the dongle...
789 * Lowest effective timer is 10ms...
790 * Jean II */
791 self->rx_defer_timer.function = &irda_usb_rx_defer_expired;
792 self->rx_defer_timer.data = (unsigned long) urb;
793 mod_timer(&self->rx_defer_timer, jiffies + (10 * HZ / 1000));
794 return;
772 } 795 }
773 796
774 /* Check for empty frames */ 797 /* Check for empty frames */
@@ -845,13 +868,45 @@ done:
845 * idle slot.... 868 * idle slot....
846 * Jean II */ 869 * Jean II */
847 /* Note : with this scheme, we could submit the idle URB before 870 /* Note : with this scheme, we could submit the idle URB before
848 * processing the Rx URB. Another time... Jean II */ 871 * processing the Rx URB. I don't think it would buy us anything as
872 * we are running in the USB thread context. Jean II */
873 next_urb = self->idle_rx_urb;
849 874
850 /* Submit the idle URB to replace the URB we've just received */
851 irda_usb_submit(self, skb, self->idle_rx_urb);
852 /* Recycle Rx URB : Now, the idle URB is the present one */ 875 /* Recycle Rx URB : Now, the idle URB is the present one */
853 urb->context = NULL; 876 urb->context = NULL;
854 self->idle_rx_urb = urb; 877 self->idle_rx_urb = urb;
878
879 /* Submit the idle URB to replace the URB we've just received.
880 * Do it last to avoid race conditions... Jean II */
881 irda_usb_submit(self, skb, next_urb);
882}
883
884/*------------------------------------------------------------------*/
885/*
886 * In case of errors, we want the USB layer to have time to recover.
887 * Now, it is time to resubmit ouur Rx URB...
888 */
889static void irda_usb_rx_defer_expired(unsigned long data)
890{
891 struct urb *urb = (struct urb *) data;
892 struct sk_buff *skb = (struct sk_buff *) urb->context;
893 struct irda_usb_cb *self;
894 struct irda_skb_cb *cb;
895 struct urb *next_urb;
896
897 IRDA_DEBUG(2, "%s()\n", __FUNCTION__);
898
899 /* Find ourselves */
900 cb = (struct irda_skb_cb *) skb->cb;
901 IRDA_ASSERT(cb != NULL, return;);
902 self = (struct irda_usb_cb *) cb->context;
903 IRDA_ASSERT(self != NULL, return;);
904
905 /* Same stuff as when Rx is done, see above... */
906 next_urb = self->idle_rx_urb;
907 urb->context = NULL;
908 self->idle_rx_urb = urb;
909 irda_usb_submit(self, skb, next_urb);
855} 910}
856 911
857/*------------------------------------------------------------------*/ 912/*------------------------------------------------------------------*/
@@ -990,6 +1045,9 @@ static int irda_usb_net_close(struct net_device *netdev)
990 /* Stop network Tx queue */ 1045 /* Stop network Tx queue */
991 netif_stop_queue(netdev); 1046 netif_stop_queue(netdev);
992 1047
1048 /* Kill defered Rx URB */
1049 del_timer(&self->rx_defer_timer);
1050
993 /* Deallocate all the Rx path buffers (URBs and skb) */ 1051 /* Deallocate all the Rx path buffers (URBs and skb) */
994 for (i = 0; i < IU_MAX_RX_URBS; i++) { 1052 for (i = 0; i < IU_MAX_RX_URBS; i++) {
995 struct urb *urb = self->rx_urb[i]; 1053 struct urb *urb = self->rx_urb[i];
@@ -1365,6 +1423,7 @@ static int irda_usb_probe(struct usb_interface *intf,
1365 self = net->priv; 1423 self = net->priv;
1366 self->netdev = net; 1424 self->netdev = net;
1367 spin_lock_init(&self->lock); 1425 spin_lock_init(&self->lock);
1426 init_timer(&self->rx_defer_timer);
1368 1427
1369 /* Create all of the needed urbs */ 1428 /* Create all of the needed urbs */
1370 for (i = 0; i < IU_MAX_RX_URBS; i++) { 1429 for (i = 0; i < IU_MAX_RX_URBS; i++) {
@@ -1498,6 +1557,9 @@ static void irda_usb_disconnect(struct usb_interface *intf)
1498 * This will stop/desactivate the Tx path. - Jean II */ 1557 * This will stop/desactivate the Tx path. - Jean II */
1499 self->present = 0; 1558 self->present = 0;
1500 1559
1560 /* Kill defered Rx URB */
1561 del_timer(&self->rx_defer_timer);
1562
1501 /* We need to have irq enabled to unlink the URBs. That's OK, 1563 /* We need to have irq enabled to unlink the URBs. That's OK,
1502 * at this point the Tx path is gone - Jean II */ 1564 * at this point the Tx path is gone - Jean II */
1503 spin_unlock_irqrestore(&self->lock, flags); 1565 spin_unlock_irqrestore(&self->lock, flags);
@@ -1507,11 +1569,11 @@ static void irda_usb_disconnect(struct usb_interface *intf)
1507 /* Accept no more transmissions */ 1569 /* Accept no more transmissions */
1508 /*netif_device_detach(self->netdev);*/ 1570 /*netif_device_detach(self->netdev);*/
1509 netif_stop_queue(self->netdev); 1571 netif_stop_queue(self->netdev);
1510 /* Stop all the receive URBs */ 1572 /* Stop all the receive URBs. Must be synchronous. */
1511 for (i = 0; i < IU_MAX_RX_URBS; i++) 1573 for (i = 0; i < IU_MAX_RX_URBS; i++)
1512 usb_kill_urb(self->rx_urb[i]); 1574 usb_kill_urb(self->rx_urb[i]);
1513 /* Cancel Tx and speed URB. 1575 /* Cancel Tx and speed URB.
1514 * Toggle flags to make sure it's synchronous. */ 1576 * Make sure it's synchronous to avoid races. */
1515 usb_kill_urb(self->tx_urb); 1577 usb_kill_urb(self->tx_urb);
1516 usb_kill_urb(self->speed_urb); 1578 usb_kill_urb(self->speed_urb);
1517 } 1579 }
diff --git a/drivers/net/irda/irda-usb.h b/drivers/net/irda/irda-usb.h
index bd8f66542322..4026af42dd47 100644
--- a/drivers/net/irda/irda-usb.h
+++ b/drivers/net/irda/irda-usb.h
@@ -136,8 +136,6 @@ struct irda_usb_cb {
136 __u16 bulk_out_mtu; /* Max Tx packet size in bytes */ 136 __u16 bulk_out_mtu; /* Max Tx packet size in bytes */
137 __u8 bulk_int_ep; /* Interrupt Endpoint assignments */ 137 __u8 bulk_int_ep; /* Interrupt Endpoint assignments */
138 138
139 wait_queue_head_t wait_q; /* for timeouts */
140
141 struct urb *rx_urb[IU_MAX_RX_URBS]; /* URBs used to receive data frames */ 139 struct urb *rx_urb[IU_MAX_RX_URBS]; /* URBs used to receive data frames */
142 struct urb *idle_rx_urb; /* Pointer to idle URB in Rx path */ 140 struct urb *idle_rx_urb; /* Pointer to idle URB in Rx path */
143 struct urb *tx_urb; /* URB used to send data frames */ 141 struct urb *tx_urb; /* URB used to send data frames */
@@ -147,17 +145,18 @@ struct irda_usb_cb {
147 struct net_device_stats stats; 145 struct net_device_stats stats;
148 struct irlap_cb *irlap; /* The link layer we are binded to */ 146 struct irlap_cb *irlap; /* The link layer we are binded to */
149 struct qos_info qos; 147 struct qos_info qos;
150 hashbin_t *tx_list; /* Queued transmit skb's */
151 char *speed_buff; /* Buffer for speed changes */ 148 char *speed_buff; /* Buffer for speed changes */
152 149
153 struct timeval stamp; 150 struct timeval stamp;
154 struct timeval now; 151 struct timeval now;
155 152
156 spinlock_t lock; /* For serializing operations */ 153 spinlock_t lock; /* For serializing Tx operations */
157 154
158 __u16 xbofs; /* Current xbofs setting */ 155 __u16 xbofs; /* Current xbofs setting */
159 __s16 new_xbofs; /* xbofs we need to set */ 156 __s16 new_xbofs; /* xbofs we need to set */
160 __u32 speed; /* Current speed */ 157 __u32 speed; /* Current speed */
161 __s32 new_speed; /* speed we need to set */ 158 __s32 new_speed; /* speed we need to set */
159
160 struct timer_list rx_defer_timer; /* Wait for Rx error to clear */
162}; 161};
163 162