From patchwork Fri Dec 2 11:21:31 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "\(Exiting\) Baolin Wang" X-Patchwork-Id: 86275 Delivered-To: patch@linaro.org Received: by 10.140.20.101 with SMTP id 92csp205656qgi; Fri, 2 Dec 2016 03:22:03 -0800 (PST) X-Received: by 10.98.7.83 with SMTP id b80mr44061196pfd.79.1480677723162; Fri, 02 Dec 2016 03:22:03 -0800 (PST) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 62si4693417ply.256.2016.12.02.03.22.02; Fri, 02 Dec 2016 03:22:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1760334AbcLBLWA (ORCPT + 25 others); Fri, 2 Dec 2016 06:22:00 -0500 Received: from mail-pg0-f46.google.com ([74.125.83.46]:35650 "EHLO mail-pg0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752144AbcLBLV5 (ORCPT ); Fri, 2 Dec 2016 06:21:57 -0500 Received: by mail-pg0-f46.google.com with SMTP id p66so106699805pga.2 for ; Fri, 02 Dec 2016 03:21:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id; bh=TLkrorbnvWB8DzGQWuEhTsP7a2w02DLqyr83KoxyRQU=; b=elw1NG5hNvXeMdDxKdVf3eqYTMD6oH/FppxCYQcqSa1Wif9rN7ZOx1NjCB4Z21xbuF 7X9fI2ix2XNRl5Wn+W3I66S+nEoV9YnVPvwgGBJihBHVRgBEGAUeE6aMt1JULkN0vHNq N6gg55ANNrMLIRtkeiODiOWrnvX/A6UN0g/3k= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=TLkrorbnvWB8DzGQWuEhTsP7a2w02DLqyr83KoxyRQU=; b=mMoY/ekKuQuPRCT/r0BNCFnwdbWWG4dopA7SlMKgC7HOoc3RsajBpZgPvy8pRitgch ZQOHnFzqz6LHG1/ZmoNOP20q55t2P/2Hl0zOOGaopngEnN7lxS7HX2AzY3VZ5M/X3ZP+ pMG2V9nWHE+GFulLGujanfdKJOVysVsdk3340Mo35BwgR2POSnSnzIcgteN7oh24+dSt evX5hRg2jcj48hQKOoW6ia3xxaWYky1pKvNFaWDwKqEeDf701jM0QS842rvClHIiB8eY R09Kf0TTHsACF4XPmGdxhFjzvRPwYA8gilBwx1BYH/rJAcS4tO69AXLrn3kf5V/WOQYb k/cA== X-Gm-Message-State: AKaTC00ymVRPtBJ86rnzIqxDkVT/uxiYqTqZCt2poJFTzi0JMrL61QETnSlDgUD1OHo3PvYF X-Received: by 10.99.170.79 with SMTP id x15mr78191423pgo.14.1480677717132; Fri, 02 Dec 2016 03:21:57 -0800 (PST) Received: from baolinwangubtpc.spreadtrum.com ([175.111.195.49]) by smtp.gmail.com with ESMTPSA id t20sm7060595pfk.48.2016.12.02.03.21.54 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 02 Dec 2016 03:21:56 -0800 (PST) From: Baolin Wang To: mathias.nyman@intel.com, gregkh@linuxfoundation.org Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, broonie@kernel.org, baolin.wang@linaro.org Subject: [PATCH] usb: host: xhci: Handle the right timeout command Date: Fri, 2 Dec 2016 19:21:31 +0800 Message-Id: <3981341555a44bcbb1a339b8f980fd95a67b4b69.1480677144.git.baolin.wang@linaro.org> X-Mailer: git-send-email 1.7.9.5 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If a command event is found on the event ring during an interrupt, we need to stop the command timer with del_timer(). Since del_timer() can fail if the timer is running and waiting on the xHCI lock, then it maybe get the wrong timeout command in xhci_handle_command_timeout() if host fetched a new command and updated the xhci->current_cmd in handle_cmd_completion(). For this situation, we need a way to signal to the command timer that everything is fine and it should exit. We should introduce a counter (xhci->current_cmd_pending) for the number of pending commands. If we need to cancel the command timer and del_timer() succeeds, we decrement the number of pending commands. If del_timer() fails, we leave the number of pending commands alone. For handling timeout command, in xhci_handle_command_timeout() we will check the counter after decrementing it, if the counter (xhci->current_cmd_pending) is 0, which means xhci->current_cmd is the right timeout command. If the counter (xhci->current_cmd_pending) is greater than 0, which means current timeout command has been handled by host and host has fetched new command as xhci->current_cmd, then just return and wait for new current command. Signed-off-by: Baolin Wang --- This patch is based on Lu Baolu's new fix patch: usb: xhci: fix possible wild pointer --- drivers/usb/host/xhci-ring.c | 26 +++++++++++++++++++++++++- drivers/usb/host/xhci.h | 1 + 2 files changed, 26 insertions(+), 1 deletion(-) -- 1.7.9.5 diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 62dd1c7..a62904e 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1253,6 +1253,7 @@ static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci, if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) && !(xhci->xhc_state & XHCI_STATE_DYING)) { xhci->current_cmd = cur_cmd; + xhci->current_cmd_pending++; mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT); xhci_ring_cmd_db(xhci); } @@ -1274,6 +1275,21 @@ void xhci_handle_command_timeout(unsigned long data) return; } + xhci->current_cmd_pending--; + /* + * If the current_cmd_pending is 0, which means current command is + * timeout. + * + * If the current_cmd_pending is greater than 0, which means current + * timeout command has been handled by host and host has fetched new + * command as xhci->current_cmd, then just return and wait for new + * current command. + */ + if (xhci->current_cmd_pending > 0) { + spin_unlock_irqrestore(&xhci->lock, flags); + return; + } + if (xhci->current_cmd->status == COMP_CMD_ABORT) second_timeout = true; xhci->current_cmd->status = COMP_CMD_ABORT; @@ -1336,7 +1352,13 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, cmd = list_entry(xhci->cmd_list.next, struct xhci_command, cmd_list); - del_timer(&xhci->cmd_timer); + /* + * If the command timer is running on another CPU, we don't decrement + * current_cmd_pending, since we didn't successfully stop the command + * timer. + */ + if (del_timer(&xhci->cmd_timer)) + xhci->current_cmd_pending--; trace_xhci_cmd_completion(cmd_trb, (struct xhci_generic_trb *) event); @@ -1424,6 +1446,7 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, if (cmd->cmd_list.next != &xhci->cmd_list) { xhci->current_cmd = list_entry(cmd->cmd_list.next, struct xhci_command, cmd_list); + xhci->current_cmd_pending++; mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT); } else if (xhci->current_cmd == cmd) { xhci->current_cmd = NULL; @@ -3924,6 +3947,7 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd, if (xhci->cmd_list.next == &cmd->cmd_list && !timer_pending(&xhci->cmd_timer)) { xhci->current_cmd = cmd; + xhci->current_cmd_pending++; mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT); } diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 9dbaacf..5d81257 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1567,6 +1567,7 @@ struct xhci_hcd { unsigned int cmd_ring_reserved_trbs; struct timer_list cmd_timer; struct xhci_command *current_cmd; + u32 current_cmd_pending; struct xhci_ring *event_ring; struct xhci_erst erst; /* Scratchpad */