tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

USB: xhci: Stall handling bug fixes.

Correct the xHCI code to handle stalls on USB endpoints. We need to move
the endpoint ring's dequeue pointer past the stalled transfer, or the HW
will try to restart the transfer the next time the doorbell is rung.

Don't attempt to clear a halt on an endpoint if we haven't seen a stalled
transfer for it. The USB core will attempt to clear a halt on all
endpoints when it selects a new configuration.

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

authored by

Sarah Sharp and committed by
Greg Kroah-Hartman c92bcfa7 d115b048

+120 -49
+24
drivers/usb/host/xhci-hcd.c
··· 1089 1089 unsigned int ep_index; 1090 1090 unsigned long flags; 1091 1091 int ret; 1092 + struct xhci_dequeue_state deq_state; 1093 + struct xhci_ring *ep_ring; 1092 1094 1093 1095 xhci = hcd_to_xhci(hcd); 1094 1096 udev = (struct usb_device *) ep->hcpriv; ··· 1100 1098 if (!ep->hcpriv) 1101 1099 return; 1102 1100 ep_index = xhci_get_endpoint_index(&ep->desc); 1101 + ep_ring = xhci->devs[udev->slot_id]->ep_rings[ep_index]; 1102 + if (!ep_ring->stopped_td) { 1103 + xhci_dbg(xhci, "Endpoint 0x%x not halted, refusing to reset.\n", 1104 + ep->desc.bEndpointAddress); 1105 + return; 1106 + } 1103 1107 1104 1108 xhci_dbg(xhci, "Queueing reset endpoint command\n"); 1105 1109 spin_lock_irqsave(&xhci->lock, flags); 1106 1110 ret = xhci_queue_reset_ep(xhci, udev->slot_id, ep_index); 1111 + /* 1112 + * Can't change the ring dequeue pointer until it's transitioned to the 1113 + * stopped state, which is only upon a successful reset endpoint 1114 + * command. Better hope that last command worked! 1115 + */ 1107 1116 if (!ret) { 1117 + xhci_dbg(xhci, "Cleaning up stalled endpoint ring\n"); 1118 + /* We need to move the HW's dequeue pointer past this TD, 1119 + * or it will attempt to resend it on the next doorbell ring. 1120 + */ 1121 + xhci_find_new_dequeue_state(xhci, udev->slot_id, 1122 + ep_index, ep_ring->stopped_td, &deq_state); 1123 + xhci_dbg(xhci, "Queueing new dequeue state\n"); 1124 + xhci_queue_new_dequeue_state(xhci, ep_ring, 1125 + udev->slot_id, 1126 + ep_index, &deq_state); 1127 + kfree(ep_ring->stopped_td); 1108 1128 xhci_ring_cmd_db(xhci); 1109 1129 } 1110 1130 spin_unlock_irqrestore(&xhci->lock, flags);
+84 -49
drivers/usb/host/xhci-ring.c
··· 335 335 return cur_seg; 336 336 } 337 337 338 - struct dequeue_state { 339 - struct xhci_segment *new_deq_seg; 340 - union xhci_trb *new_deq_ptr; 341 - int new_cycle_state; 342 - }; 343 - 344 338 /* 345 339 * Move the xHC's endpoint ring dequeue pointer past cur_td. 346 340 * Record the new state of the xHC's endpoint ring dequeue segment, ··· 349 355 * - Finally we move the dequeue state one TRB further, toggling the cycle bit 350 356 * if we've moved it past a link TRB with the toggle cycle bit set. 351 357 */ 352 - static void find_new_dequeue_state(struct xhci_hcd *xhci, 358 + void xhci_find_new_dequeue_state(struct xhci_hcd *xhci, 353 359 unsigned int slot_id, unsigned int ep_index, 354 - struct xhci_td *cur_td, struct dequeue_state *state) 360 + struct xhci_td *cur_td, struct xhci_dequeue_state *state) 355 361 { 356 362 struct xhci_virt_device *dev = xhci->devs[slot_id]; 357 363 struct xhci_ring *ep_ring = dev->ep_rings[ep_index]; 358 364 struct xhci_generic_trb *trb; 359 365 struct xhci_ep_ctx *ep_ctx; 366 + dma_addr_t addr; 360 367 361 368 state->new_cycle_state = 0; 369 + xhci_dbg(xhci, "Finding segment containing stopped TRB.\n"); 362 370 state->new_deq_seg = find_trb_seg(cur_td->start_seg, 363 371 ep_ring->stopped_trb, 364 372 &state->new_cycle_state); 365 373 if (!state->new_deq_seg) 366 374 BUG(); 367 375 /* Dig out the cycle state saved by the xHC during the stop ep cmd */ 376 + xhci_dbg(xhci, "Finding endpoint context\n"); 368 377 ep_ctx = xhci_get_ep_ctx(xhci, dev->out_ctx, ep_index); 369 378 state->new_cycle_state = 0x1 & ep_ctx->deq; 370 379 371 380 state->new_deq_ptr = cur_td->last_trb; 381 + xhci_dbg(xhci, "Finding segment containing last TRB in TD.\n"); 372 382 state->new_deq_seg = find_trb_seg(state->new_deq_seg, 373 383 state->new_deq_ptr, 374 384 &state->new_cycle_state); ··· 386 388 next_trb(xhci, ep_ring, &state->new_deq_seg, &state->new_deq_ptr); 387 389 388 390 /* Don't update the ring cycle state for the producer (us). */ 391 + xhci_dbg(xhci, "New dequeue segment = %p (virtual)\n", 392 + state->new_deq_seg); 393 + addr = xhci_trb_virt_to_dma(state->new_deq_seg, state->new_deq_ptr); 394 + xhci_dbg(xhci, "New dequeue pointer = 0x%llx (DMA)\n", 395 + (unsigned long long) addr); 396 + xhci_dbg(xhci, "Setting dequeue pointer in internal ring state.\n"); 389 397 ep_ring->dequeue = state->new_deq_ptr; 390 398 ep_ring->deq_seg = state->new_deq_seg; 391 399 } ··· 441 437 unsigned int ep_index, struct xhci_segment *deq_seg, 442 438 union xhci_trb *deq_ptr, u32 cycle_state); 443 439 440 + void xhci_queue_new_dequeue_state(struct xhci_hcd *xhci, 441 + struct xhci_ring *ep_ring, unsigned int slot_id, 442 + unsigned int ep_index, struct xhci_dequeue_state *deq_state) 443 + { 444 + xhci_dbg(xhci, "Set TR Deq Ptr cmd, new deq seg = %p (0x%llx dma), " 445 + "new deq ptr = %p (0x%llx dma), new cycle = %u\n", 446 + deq_state->new_deq_seg, 447 + (unsigned long long)deq_state->new_deq_seg->dma, 448 + deq_state->new_deq_ptr, 449 + (unsigned long long)xhci_trb_virt_to_dma(deq_state->new_deq_seg, deq_state->new_deq_ptr), 450 + deq_state->new_cycle_state); 451 + queue_set_tr_deq(xhci, slot_id, ep_index, 452 + deq_state->new_deq_seg, 453 + deq_state->new_deq_ptr, 454 + (u32) deq_state->new_cycle_state); 455 + /* Stop the TD queueing code from ringing the doorbell until 456 + * this command completes. The HC won't set the dequeue pointer 457 + * if the ring is running, and ringing the doorbell starts the 458 + * ring running. 459 + */ 460 + ep_ring->state |= SET_DEQ_PENDING; 461 + xhci_ring_cmd_db(xhci); 462 + } 463 + 444 464 /* 445 465 * When we get a command completion for a Stop Endpoint Command, we need to 446 466 * unlink any cancelled TDs from the ring. There are two ways to do that: ··· 485 457 struct xhci_td *cur_td = 0; 486 458 struct xhci_td *last_unlinked_td; 487 459 488 - struct dequeue_state deq_state; 460 + struct xhci_dequeue_state deq_state; 489 461 #ifdef CONFIG_USB_HCD_STAT 490 462 ktime_t stop_time = ktime_get(); 491 463 #endif ··· 513 485 * move the xHC endpoint ring dequeue pointer past this TD. 514 486 */ 515 487 if (cur_td == ep_ring->stopped_td) 516 - find_new_dequeue_state(xhci, slot_id, ep_index, cur_td, 488 + xhci_find_new_dequeue_state(xhci, slot_id, ep_index, cur_td, 517 489 &deq_state); 518 490 else 519 491 td_to_noop(xhci, ep_ring, cur_td); ··· 529 501 530 502 /* If necessary, queue a Set Transfer Ring Dequeue Pointer command */ 531 503 if (deq_state.new_deq_ptr && deq_state.new_deq_seg) { 532 - xhci_dbg(xhci, "Set TR Deq Ptr cmd, new deq seg = %p (0x%llx dma), " 533 - "new deq ptr = %p (0x%llx dma), new cycle = %u\n", 534 - deq_state.new_deq_seg, 535 - (unsigned long long)deq_state.new_deq_seg->dma, 536 - deq_state.new_deq_ptr, 537 - (unsigned long long)xhci_trb_virt_to_dma(deq_state.new_deq_seg, deq_state.new_deq_ptr), 538 - deq_state.new_cycle_state); 539 - queue_set_tr_deq(xhci, slot_id, ep_index, 540 - deq_state.new_deq_seg, 541 - deq_state.new_deq_ptr, 542 - (u32) deq_state.new_cycle_state); 543 - /* Stop the TD queueing code from ringing the doorbell until 544 - * this command completes. The HC won't set the dequeue pointer 545 - * if the ring is running, and ringing the doorbell starts the 546 - * ring running. 547 - */ 548 - ep_ring->state |= SET_DEQ_PENDING; 549 - xhci_ring_cmd_db(xhci); 504 + xhci_queue_new_dequeue_state(xhci, ep_ring, 505 + slot_id, ep_index, &deq_state); 550 506 } else { 551 507 /* Otherwise just ring the doorbell to restart the ring */ 552 508 ring_ep_doorbell(xhci, slot_id, ep_index); ··· 941 929 if (event_trb != ep_ring->dequeue) { 942 930 /* The event was for the status stage */ 943 931 if (event_trb == td->last_trb) { 944 - /* Did we already see a short data stage? */ 945 - if (td->urb->actual_length != 0) 946 - status = -EREMOTEIO; 947 - else 932 + if (td->urb->actual_length != 0) { 933 + /* Don't overwrite a previously set error code */ 934 + if (status == -EINPROGRESS || status == 0) 935 + /* Did we already see a short data stage? */ 936 + status = -EREMOTEIO; 937 + } else { 948 938 td->urb->actual_length = 949 939 td->urb->transfer_buffer_length; 940 + } 950 941 } else { 951 942 /* Maybe the event was for the data stage? */ 952 943 if (GET_COMP_CODE(event->transfer_len) != COMP_STOP_INVAL) { ··· 1007 992 TRB_LEN(event->transfer_len)); 1008 993 td->urb->actual_length = 0; 1009 994 } 1010 - if (td->urb->transfer_flags & URB_SHORT_NOT_OK) 1011 - status = -EREMOTEIO; 1012 - else 1013 - status = 0; 995 + /* Don't overwrite a previously set error code */ 996 + if (status == -EINPROGRESS) { 997 + if (td->urb->transfer_flags & URB_SHORT_NOT_OK) 998 + status = -EREMOTEIO; 999 + else 1000 + status = 0; 1001 + } 1014 1002 } else { 1015 1003 td->urb->actual_length = td->urb->transfer_buffer_length; 1016 1004 /* Ignore a short packet completion if the 1017 1005 * untransferred length was zero. 1018 1006 */ 1019 - status = 0; 1007 + if (status == -EREMOTEIO) 1008 + status = 0; 1020 1009 } 1021 1010 } else { 1022 1011 /* Slow path - walk the list, starting from the dequeue ··· 1047 1028 TRB_LEN(event->transfer_len); 1048 1029 } 1049 1030 } 1050 - /* The Endpoint Stop Command completion will take care of 1051 - * any stopped TDs. A stopped TD may be restarted, so don't update the 1052 - * ring dequeue pointer or take this TD off any lists yet. 1053 - */ 1054 1031 if (GET_COMP_CODE(event->transfer_len) == COMP_STOP_INVAL || 1055 1032 GET_COMP_CODE(event->transfer_len) == COMP_STOP) { 1033 + /* The Endpoint Stop Command completion will take care of any 1034 + * stopped TDs. A stopped TD may be restarted, so don't update 1035 + * the ring dequeue pointer or take this TD off any lists yet. 1036 + */ 1056 1037 ep_ring->stopped_td = td; 1057 1038 ep_ring->stopped_trb = event_trb; 1058 1039 } else { 1059 - /* Update ring dequeue pointer */ 1060 - while (ep_ring->dequeue != td->last_trb) 1040 + if (GET_COMP_CODE(event->transfer_len) == COMP_STALL) { 1041 + /* The transfer is completed from the driver's 1042 + * perspective, but we need to issue a set dequeue 1043 + * command for this stalled endpoint to move the dequeue 1044 + * pointer past the TD. We can't do that here because 1045 + * the halt condition must be cleared first. 1046 + */ 1047 + ep_ring->stopped_td = td; 1048 + ep_ring->stopped_trb = event_trb; 1049 + } else { 1050 + /* Update ring dequeue pointer */ 1051 + while (ep_ring->dequeue != td->last_trb) 1052 + inc_deq(xhci, ep_ring, false); 1061 1053 inc_deq(xhci, ep_ring, false); 1062 - inc_deq(xhci, ep_ring, false); 1054 + } 1063 1055 1064 1056 /* Clean up the endpoint's TD list */ 1065 1057 urb = td->urb; ··· 1080 1050 list_del(&td->cancelled_td_list); 1081 1051 ep_ring->cancels_pending--; 1082 1052 } 1083 - kfree(td); 1053 + /* Leave the TD around for the reset endpoint function to use */ 1054 + if (GET_COMP_CODE(event->transfer_len) != COMP_STALL) { 1055 + kfree(td); 1056 + } 1084 1057 urb->hcpriv = NULL; 1085 1058 } 1086 1059 cleanup: ··· 1199 1166 */ 1200 1167 xhci_warn(xhci, "WARN urb submitted to disabled ep\n"); 1201 1168 return -ENOENT; 1202 - case EP_STATE_HALTED: 1203 1169 case EP_STATE_ERROR: 1204 - xhci_warn(xhci, "WARN waiting for halt or error on ep " 1205 - "to be cleared\n"); 1170 + xhci_warn(xhci, "WARN waiting for error on ep to be cleared\n"); 1206 1171 /* FIXME event handling code for error needs to clear it */ 1207 1172 /* XXX not sure if this should be -ENOENT or not */ 1208 1173 return -EINVAL; 1174 + case EP_STATE_HALTED: 1175 + xhci_dbg(xhci, "WARN halted endpoint, queueing URB anyway.\n"); 1209 1176 case EP_STATE_STOPPED: 1210 1177 case EP_STATE_RUNNING: 1211 1178 break; ··· 1757 1724 u32 type = TRB_TYPE(TRB_SET_DEQ); 1758 1725 1759 1726 addr = xhci_trb_virt_to_dma(deq_seg, deq_ptr); 1760 - if (addr == 0) 1727 + if (addr == 0) { 1761 1728 xhci_warn(xhci, "WARN Cannot submit Set TR Deq Ptr\n"); 1762 1729 xhci_warn(xhci, "WARN deq seg = %p, deq pt = %p\n", 1763 1730 deq_seg, deq_ptr); 1731 + return 0; 1732 + } 1764 1733 return queue_command(xhci, lower_32_bits(addr) | cycle_state, 1765 1734 upper_32_bits(addr), 0, 1766 1735 trb_slot_id | trb_ep_index | type);
+12
drivers/usb/host/xhci.h
··· 952 952 u32 cycle_state; 953 953 }; 954 954 955 + struct xhci_dequeue_state { 956 + struct xhci_segment *new_deq_seg; 957 + union xhci_trb *new_deq_ptr; 958 + int new_cycle_state; 959 + }; 960 + 955 961 struct xhci_erst_entry { 956 962 /* 64-bit event ring segment address */ 957 963 u64 seg_addr; ··· 1209 1203 u32 slot_id); 1210 1204 int xhci_queue_reset_ep(struct xhci_hcd *xhci, int slot_id, 1211 1205 unsigned int ep_index); 1206 + void xhci_find_new_dequeue_state(struct xhci_hcd *xhci, 1207 + unsigned int slot_id, unsigned int ep_index, 1208 + struct xhci_td *cur_td, struct xhci_dequeue_state *state); 1209 + void xhci_queue_new_dequeue_state(struct xhci_hcd *xhci, 1210 + struct xhci_ring *ep_ring, unsigned int slot_id, 1211 + unsigned int ep_index, struct xhci_dequeue_state *deq_state); 1212 1212 1213 1213 /* xHCI roothub code */ 1214 1214 int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, u16 wIndex,