tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

xhci: Fix reset-device and configure-endpoint commands

We have been having problems with the USB-IF Gold Tree tests when plugging
and unplugging devices from the tree. I have seen that the reset-device
and configure-endpoint commands, which are invoked from
xhci_discover_or_reset_device() and xhci_configure_endpoint(), will sometimes
time out.

After much debugging, I determined that the commands themselves do not actually
time out, but rather their completion events do not get delivered to the right
place.

This happens when the command ring has just wrapped around, and it's enqueue
pointer is left pointing to the link TRB. xhci_discover_or_reset_device() and
xhci_configure_endpoint() use the enqueue pointer directly as their command
TRB pointer, without checking whether it's pointing to the link TRB.

When the completion event arrives, if the command TRB is pointing to the link
TRB, the check against the command ring dequeue pointer in
handle_cmd_in_cmd_wait_list() fails, so the completion inside the command does
not get signaled.

The patch below fixes the timeout problem for me.

This should be queued for the 2.6.35 and 2.6.36 stable trees.

Signed-off-by: Paul Zimmerman <paulz@synopsys.com>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: stable@kernel.org

authored by

Paul Zimmerman and committed by
Sarah Sharp 7a3783ef 02e2c51b

+18
+18
drivers/usb/host/xhci.c
··· 1549 1549 cmd_completion = command->completion; 1550 1550 cmd_status = &command->status; 1551 1551 command->command_trb = xhci->cmd_ring->enqueue; 1552 + 1553 + /* Enqueue pointer can be left pointing to the link TRB, 1554 + * we must handle that 1555 + */ 1556 + if ((command->command_trb->link.control & TRB_TYPE_BITMASK) 1557 + == TRB_TYPE(TRB_LINK)) 1558 + command->command_trb = 1559 + xhci->cmd_ring->enq_seg->next->trbs; 1560 + 1552 1561 list_add_tail(&command->cmd_list, &virt_dev->cmd_list); 1553 1562 } else { 1554 1563 in_ctx = virt_dev->in_ctx; ··· 2281 2272 /* Attempt to submit the Reset Device command to the command ring */ 2282 2273 spin_lock_irqsave(&xhci->lock, flags); 2283 2274 reset_device_cmd->command_trb = xhci->cmd_ring->enqueue; 2275 + 2276 + /* Enqueue pointer can be left pointing to the link TRB, 2277 + * we must handle that 2278 + */ 2279 + if ((reset_device_cmd->command_trb->link.control & TRB_TYPE_BITMASK) 2280 + == TRB_TYPE(TRB_LINK)) 2281 + reset_device_cmd->command_trb = 2282 + xhci->cmd_ring->enq_seg->next->trbs; 2283 + 2284 2284 list_add_tail(&reset_device_cmd->cmd_list, &virt_dev->cmd_list); 2285 2285 ret = xhci_queue_reset_device(xhci, slot_id); 2286 2286 if (ret) {