authorPavankumar Kondeti <pkondeti@codeaurora.org>2012-09-07 01:53:28 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-09-10 19:01:37 -0400
commit3d037774b42ed677f699b1dce7d548d55f4e4c2b (patch)
tree61a78695b8c846114038cd8b66a7e92e939d4423 /drivers/usb
parent6a44886899ef8cc396e230e492e6a56a883889f3 (diff)
EHCI: Update qTD next pointer in QH overlay region during unlink
There is a possibility of QH overlay region having reference to a stale qTD pointer during unlink. Consider an endpoint having two pending qTDs before unlink process begins. The endpoint's QH queue looks like this. qTD1 --> qTD2 --> Dummy To unlink qTD2, QH is removed from asynchronous list and Asynchronous Advance Doorbell is programmed. The qTD1's next qTD pointer is set to qTD2's next qTD pointer and qTD2 is retired upon controller's doorbell interrupt. If QH's current qTD pointer points to qTD1, transfer overlay region still has a reference to qTD2. But qTD2 is just unlinked and freed. This may cause EHCI system error. Fix this by updating qTD next pointer in QH overlay region with the qTD next pointer of the current qTD. Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org> Acked-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb')
-rw-r--r--drivers/usb/host/ehci-q.c12
1 files changed, 10 insertions, 2 deletions
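--- a/drivers/usb/host/ehci-q.c
+++ b/drivers/usb/host/ehci-q.c
@@ -128,9 +128,17 @@ qh_refresh (struct ehci_hcd *ehci, struct ehci_qh *qh)
 else {
 qtd = list_entry (qh->qtd_list.next,
 struct ehci_qtd, qtd_list);
-/* first qtd may already be partially processed */
-if (cpu_to_hc32(ehci, qtd->qtd_dma) == qh->hw->hw_current)
+/*
+* first qtd may already be partially processed.
+* If we come here during unlink, the QH overlay region
+* might have reference to the just unlinked qtd. The
+* qtd is updated in qh_completions(). Update the QH
+* overlay here.
+*/
+if (cpu_to_hc32(ehci, qtd->qtd_dma) == qh->hw->hw_current) {
+qh->hw->hw_qtd_next = qtd->hw_next;
 qtd = NULL;
+}
 }
 
 if (qtd)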
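Review bot: The new overlay write `qh->hw->hw_qtd_next = qtd->hw_next;` is gated only on `cpu_to_hc32(ehci, qtd->qtd_dma) == qh->hw->hw_current`, which identifies the in-progress qtd by DMA address rather than by state. If qtd DMA addresses can be recycled after a free (the allocator is not visible in this hunk), a fresh first qtd could match a stale `hw_current`. The branch would then patch just the next pointer, set `qtd = NULL` and skip the `if (qtd)` path, leaving the rest of the overlay describing the freed transfer. Consider also requiring the overlay to be live, for example `&& (qh->hw->hw_token & ACTIVE_BIT(ehci))`; whether the active bit is a reliable discriminator here should be confirmed against qh_completions(). Failing that, add a comment such as `/* relies on qtd_dma uniquely identifying the qtd the controller last loaded */`. qh_refresh() starts before and continues after this hunk, so any barrier ordering this store before the QH is relinked could not be checked from here.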