aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/usb
diff options
context:
space:
mode:
authorAlan Stern <stern@rowland.harvard.edu>2010-11-16 10:57:37 -0500
committerGreg Kroah-Hartman <gregkh@suse.de>2010-11-16 16:36:41 -0500
commit02e2c51ba3e80acde600721ea784c3ef84da5ea1 (patch)
tree3f6d3b45e7902084ea30debe4b5ebcf9d488a5e3 /drivers/usb
parentb48809518631880207796b4aab0fc39c2f036754 (diff)
USB: EHCI: fix obscure race in ehci_endpoint_disable
This patch (as1435) fixes an obscure and unlikely race in ehci-hcd. When an async URB is unlinked, the corresponding QH is removed from the async list. If the QH's endpoint is then disabled while the URB is being given back, ehci_endpoint_disable() won't find the QH on the async list, causing it to believe that the QH has been lost. This will lead to a memory leak at best and quite possibly to an oops. The solution is to trust usbcore not to lose track of endpoints. If the QH isn't on the async list then it doesn't need to be taken off the list, but the driver should still wait for the QH to become IDLE before disabling it. In theory this fixes Bugzilla #20182. In fact the race is so rare that it's not possible to tell whether the bug is still present. However, adding delays and making other changes to force the race seems to show that the patch works. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de> CC: David Brownell <david-b@pacbell.net> CC: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb')
-rw-r--r--drivers/usb/host/ehci-hcd.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
index 502a7e6fef42..e9062806d4a2 100644
--- a/drivers/usb/host/ehci-hcd.c
+++ b/drivers/usb/host/ehci-hcd.c
@@ -1063,10 +1063,11 @@ rescan:
1063 tmp && tmp != qh; 1063 tmp && tmp != qh;
1064 tmp = tmp->qh_next.qh) 1064 tmp = tmp->qh_next.qh)
1065 continue; 1065 continue;
1066 /* periodic qh self-unlinks on empty */ 1066 /* periodic qh self-unlinks on empty, and a COMPLETING qh
1067 if (!tmp) 1067 * may already be unlinked.
1068 goto nogood; 1068 */
1069 unlink_async (ehci, qh); 1069 if (tmp)
1070 unlink_async(ehci, qh);
1070 /* FALL THROUGH */ 1071 /* FALL THROUGH */
1071 case QH_STATE_UNLINK: /* wait for hw to finish? */ 1072 case QH_STATE_UNLINK: /* wait for hw to finish? */
1072 case QH_STATE_UNLINK_WAIT: 1073 case QH_STATE_UNLINK_WAIT:
@@ -1083,7 +1084,6 @@ idle_timeout:
1083 } 1084 }
1084 /* else FALL THROUGH */ 1085 /* else FALL THROUGH */
1085 default: 1086 default:
1086nogood:
1087 /* caller was supposed to have unlinked any requests; 1087 /* caller was supposed to have unlinked any requests;
1088 * that's not our job. just leak this memory. 1088 * that's not our job. just leak this memory.
1089 */ 1089 */