Skip to content

Commit 7d8021c

Browse files
AlanSterngregkh
AlanStern
authored and
gregkh
committed
USB: OHCI: Fix race between ED unlink and URB submission
This patch fixes a bug introduced by commit 977dcfd ("USB: OHCI: don't lose track of EDs when a controller dies"). The commit changed ed_state from ED_UNLINK to ED_IDLE too early, before finish_urb() had been called. The user-visible consequence is that the driver occasionally crashes or locks up when an URB is submitted while another URB for the same endpoint is being unlinked. This patch moves the ED state change later, to the right place. The drawback is that now we may unnecessarily execute some instructions multiple times when a controller dies. Since controllers dying is an exceptional occurrence, a little wasted time won't matter. Signed-off-by: Alan Stern <[email protected]> Reported-by: Heiko Przybyl <[email protected]> Tested-by: Heiko Przybyl <[email protected]> Fixes: 977dcfd CC: <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent 2d2a316 commit 7d8021c

File tree

1 file changed

+1
-6
lines changed

1 file changed

+1
-6
lines changed

drivers/usb/host/ohci-q.c

Lines changed: 1 addition & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -981,10 +981,6 @@ static void finish_unlinks(struct ohci_hcd *ohci)
981981
int completed, modified;
982982
__hc32 *prev;
983983

984-
/* Is this ED already invisible to the hardware? */
985-
if (ed->state == ED_IDLE)
986-
goto ed_idle;
987-
988984
/* only take off EDs that the HC isn't using, accounting for
989985
* frame counter wraps and EDs with partially retired TDs
990986
*/
@@ -1012,12 +1008,10 @@ static void finish_unlinks(struct ohci_hcd *ohci)
10121008
}
10131009

10141010
/* ED's now officially unlinked, hc doesn't see */
1015-
ed->state = ED_IDLE;
10161011
ed->hwHeadP &= ~cpu_to_hc32(ohci, ED_H);
10171012
ed->hwNextED = 0;
10181013
wmb();
10191014
ed->hwINFO &= ~cpu_to_hc32(ohci, ED_SKIP | ED_DEQUEUE);
1020-
ed_idle:
10211015

10221016
/* reentrancy: if we drop the schedule lock, someone might
10231017
* have modified this list. normally it's just prepending
@@ -1088,6 +1082,7 @@ static void finish_unlinks(struct ohci_hcd *ohci)
10881082
if (list_empty(&ed->td_list)) {
10891083
*last = ed->ed_next;
10901084
ed->ed_next = NULL;
1085+
ed->state = ED_IDLE;
10911086
list_del(&ed->in_use_list);
10921087
} else if (ohci->rh_state == OHCI_RH_RUNNING) {
10931088
*last = ed->ed_next;

0 commit comments

Comments
 (0)