usb-serial-mos7720-fix-parport-use-after-free-on-probe-errors.patch
usb-serial-mos7720-fix-parallel-probe.patch
usb-xhci-mem-use-passed-in-gfp-flags-instead-of-gfp_kernel.patch
+xhci-use-delayed_work-instead-of-timer-for-command-timeout.patch
+xhci-fix-race-related-to-abort-operation.patch
+usb-dwc3-pci-add-intel-gemini-lake-pci-id.patch
+usb-musb-fix-trying-to-free-already-free-irq-4.patch
+usb-hub-move-hub_port_disable-to-fix-warning-if-pm-is-disabled.patch
+usb-musb-blackfin-add-bfin_fifo_offset-in-bfin_ops.patch
--- /dev/null
+From 8f8983a5683623b62b339d159573f95a1fce44f3 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Fri, 1 Apr 2016 17:13:12 +0300
+Subject: usb: dwc3: pci: add Intel Gemini Lake PCI ID
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit 8f8983a5683623b62b339d159573f95a1fce44f3 upstream.
+
+Intel Gemini Lake SoC has the same DWC3 than Broxton. Add
+the new ID to the supported Devices.
+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -37,6 +37,7 @@
+ #define PCI_DEVICE_ID_INTEL_BXT 0x0aaa
+ #define PCI_DEVICE_ID_INTEL_APL 0x5aaa
+ #define PCI_DEVICE_ID_INTEL_KBP 0xa2b0
++#define PCI_DEVICE_ID_INTEL_GLK 0x31aa
+
+ static const struct acpi_gpio_params reset_gpios = { 0, 0, false };
+ static const struct acpi_gpio_params cs_gpios = { 1, 0, false };
+@@ -216,6 +217,7 @@ static const struct pci_device_id dwc3_p
+ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), },
+ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), },
+ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBP), },
++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_GLK), },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_NL_USB), },
+ { } /* Terminating Entry */
+ };
--- /dev/null
+From 3bc02bce908c7250781376052248f5cd60a4e3d4 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Wed, 14 Dec 2016 15:37:30 +0100
+Subject: usb: hub: Move hub_port_disable() to fix warning if PM is disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+commit 3bc02bce908c7250781376052248f5cd60a4e3d4 upstream.
+
+If CONFIG_PM=n:
+
+ drivers/usb/core/hub.c:107: warning: ‘hub_usb3_port_prepare_disable’ declared inline after being called
+ drivers/usb/core/hub.c:107: warning: previous declaration of ‘hub_usb3_port_prepare_disable’ was here
+
+To fix this, move hub_port_disable() after
+hub_usb3_port_prepare_disable(), and adjust forward declarations.
+
+Fixes: 37be66767e3cae4f ("usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 59 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 29 insertions(+), 30 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -101,8 +101,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rws
+
+ static void hub_release(struct kref *kref);
+ static int usb_reset_and_verify_device(struct usb_device *udev);
+-static void hub_usb3_port_prepare_disable(struct usb_hub *hub,
+- struct usb_port *port_dev);
++static int hub_port_disable(struct usb_hub *hub, int port1, int set_state);
+
+ static inline char *portspeed(struct usb_hub *hub, int portstatus)
+ {
+@@ -885,34 +884,6 @@ static int hub_set_port_link_state(struc
+ }
+
+ /*
+- * USB-3 does not have a similar link state as USB-2 that will avoid negotiating
+- * a connection with a plugged-in cable but will signal the host when the cable
+- * is unplugged. Disable remote wake and set link state to U3 for USB-3 devices
+- */
+-static int hub_port_disable(struct usb_hub *hub, int port1, int set_state)
+-{
+- struct usb_port *port_dev = hub->ports[port1 - 1];
+- struct usb_device *hdev = hub->hdev;
+- int ret = 0;
+-
+- if (!hub->error) {
+- if (hub_is_superspeed(hub->hdev)) {
+- hub_usb3_port_prepare_disable(hub, port_dev);
+- ret = hub_set_port_link_state(hub, port_dev->portnum,
+- USB_SS_PORT_LS_U3);
+- } else {
+- ret = usb_clear_port_feature(hdev, port1,
+- USB_PORT_FEAT_ENABLE);
+- }
+- }
+- if (port_dev->child && set_state)
+- usb_set_device_state(port_dev->child, USB_STATE_NOTATTACHED);
+- if (ret && ret != -ENODEV)
+- dev_err(&port_dev->dev, "cannot disable (err = %d)\n", ret);
+- return ret;
+-}
+-
+-/*
+ * Disable a port and mark a logical connect-change event, so that some
+ * time later hub_wq will disconnect() any existing usb_device on the port
+ * and will re-enumerate if there actually is a device attached.
+@@ -4086,6 +4057,34 @@ static int hub_handle_remote_wakeup(stru
+
+ #endif /* CONFIG_PM */
+
++/*
++ * USB-3 does not have a similar link state as USB-2 that will avoid negotiating
++ * a connection with a plugged-in cable but will signal the host when the cable
++ * is unplugged. Disable remote wake and set link state to U3 for USB-3 devices
++ */
++static int hub_port_disable(struct usb_hub *hub, int port1, int set_state)
++{
++ struct usb_port *port_dev = hub->ports[port1 - 1];
++ struct usb_device *hdev = hub->hdev;
++ int ret = 0;
++
++ if (!hub->error) {
++ if (hub_is_superspeed(hub->hdev)) {
++ hub_usb3_port_prepare_disable(hub, port_dev);
++ ret = hub_set_port_link_state(hub, port_dev->portnum,
++ USB_SS_PORT_LS_U3);
++ } else {
++ ret = usb_clear_port_feature(hdev, port1,
++ USB_PORT_FEAT_ENABLE);
++ }
++ }
++ if (port_dev->child && set_state)
++ usb_set_device_state(port_dev->child, USB_STATE_NOTATTACHED);
++ if (ret && ret != -ENODEV)
++ dev_err(&port_dev->dev, "cannot disable (err = %d)\n", ret);
++ return ret;
++}
++
+
+ /* USB 2.0 spec, 7.1.7.3 / fig 7-29:
+ *
--- /dev/null
+From 5563bb5743cb09bde0d0f4660a5e5b19c26903bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lefaure?= <jeremy.lefaure@lse.epita.fr>
+Date: Tue, 3 Jan 2017 18:13:52 -0600
+Subject: usb: musb: blackfin: add bfin_fifo_offset in bfin_ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+
+commit 5563bb5743cb09bde0d0f4660a5e5b19c26903bf upstream.
+
+The function bfin_fifo_offset is defined but not used:
+
+drivers/usb/musb/blackfin.c:36:12: warning: ‘bfin_fifo_offset’ defined
+but not used [-Wunused-function]
+ static u32 bfin_fifo_offset(u8 epnum)
+ ^~~~~~~~~~~~~~~~
+
+Adding bfin_fifo_offset to bfin_ops fixes this warning and allows musb
+core to call this function instead of default_fifo_offset.
+
+Fixes: cc92f6818f6e ("usb: musb: Populate new IO functions for blackfin")
+Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/blackfin.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/musb/blackfin.c
++++ b/drivers/usb/musb/blackfin.c
+@@ -469,6 +469,7 @@ static const struct musb_platform_ops bf
+ .init = bfin_musb_init,
+ .exit = bfin_musb_exit,
+
++ .fifo_offset = bfin_fifo_offset,
+ .readb = bfin_readb,
+ .writeb = bfin_writeb,
+ .readw = bfin_readw,
--- /dev/null
+From 8c300fe282fa254ea730c92cb0983e2642dc1fff Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Tue, 3 Jan 2017 18:13:48 -0600
+Subject: usb: musb: Fix trying to free already-free IRQ 4
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 8c300fe282fa254ea730c92cb0983e2642dc1fff upstream.
+
+When unloading omap2430, we can get the following splat:
+
+WARNING: CPU: 1 PID: 295 at kernel/irq/manage.c:1478 __free_irq+0xa8/0x2c8
+Trying to free already-free IRQ 4
+...
+[<c01a8b78>] (free_irq) from [<bf0aea84>]
+(musbhs_dma_controller_destroy+0x28/0xb0 [musb_hdrc])
+[<bf0aea84>] (musbhs_dma_controller_destroy [musb_hdrc]) from
+[<bf09f88c>] (musb_remove+0xf0/0x12c [musb_hdrc])
+[<bf09f88c>] (musb_remove [musb_hdrc]) from [<c056a384>]
+(platform_drv_remove+0x24/0x3c)
+...
+
+This is because the irq number in use is 260 nowadays, and the dma
+controller is using u8 instead of int.
+
+Fixes: 6995eb68aab7 ("USB: musb: enable low level DMA operation for Blackfin")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+[b-liu@ti.com: added Fixes tag]
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musbhsdma.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musbhsdma.h
++++ b/drivers/usb/musb/musbhsdma.h
+@@ -157,5 +157,5 @@ struct musb_dma_controller {
+ void __iomem *base;
+ u8 channel_count;
+ u8 used_channels;
+- u8 irq;
++ int irq;
+ };
--- /dev/null
+From 1c111b6c3844a142e03bcfc2fa17bfbdea08e9dc Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Tue, 3 Jan 2017 18:28:51 +0200
+Subject: xhci: Fix race related to abort operation
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+commit 1c111b6c3844a142e03bcfc2fa17bfbdea08e9dc upstream.
+
+Current abort operation has race.
+
+ xhci_handle_command_timeout()
+ xhci_abort_cmd_ring()
+ xhci_write_64(CMD_RING_ABORT)
+ xhci_handshake(5s)
+ do {
+ check CMD_RING_RUNNING
+ udelay(1)
+ ...
+ COMP_CMD_ABORT event
+ COMP_CMD_STOP event
+ xhci_handle_stopped_cmd_ring()
+ restart cmd_ring
+ CMD_RING_RUNNING become 1 again
+ } while ()
+ return -ETIMEDOUT
+ xhci_write_64(CMD_RING_ABORT)
+ /* can abort random command */
+
+To do abort operation correctly, we have to wait both of COMP_CMD_STOP
+event and negation of CMD_RING_RUNNING.
+
+But like above, while timeout handler is waiting negation of
+CMD_RING_RUNNING, event handler can restart cmd_ring. So timeout
+handler never be notice negation of CMD_RING_RUNNING, and retry of
+CMD_RING_ABORT can abort random command (BTW, I guess retry of
+CMD_RING_ABORT was workaround of this race).
+
+To fix this race, this moves xhci_handle_stopped_cmd_ring() to
+xhci_abort_cmd_ring(). And timeout handler waits COMP_CMD_STOP event.
+
+At this point, timeout handler is owner of cmd_ring, and safely
+restart cmd_ring by using xhci_handle_stopped_cmd_ring().
+
+[FWIW, as bonus, this way would be easily extend to add CMD_RING_PAUSE
+operation]
+
+[locks edited as patch is rebased on other locking fixes -Mathias]
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c | 1
+ drivers/usb/host/xhci-ring.c | 169 ++++++++++++++++++++++---------------------
+ drivers/usb/host/xhci.h | 1
+ 3 files changed, 91 insertions(+), 80 deletions(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -2397,6 +2397,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,
+
+ /* init command timeout work */
+ INIT_DELAYED_WORK(&xhci->cmd_timer, xhci_handle_command_timeout);
++ init_completion(&xhci->cmd_ring_stop_completion);
+
+ page_size = readl(&xhci->op_regs->page_size);
+ xhci_dbg_trace(xhci, trace_xhci_dbg_init,
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -285,23 +285,71 @@ static bool xhci_mod_cmd_timer(struct xh
+ return mod_delayed_work(system_wq, &xhci->cmd_timer, delay);
+ }
+
+-static int xhci_abort_cmd_ring(struct xhci_hcd *xhci)
++static struct xhci_command *xhci_next_queued_cmd(struct xhci_hcd *xhci)
++{
++ return list_first_entry_or_null(&xhci->cmd_list, struct xhci_command,
++ cmd_list);
++}
++
++/*
++ * Turn all commands on command ring with status set to "aborted" to no-op trbs.
++ * If there are other commands waiting then restart the ring and kick the timer.
++ * This must be called with command ring stopped and xhci->lock held.
++ */
++static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci,
++ struct xhci_command *cur_cmd)
++{
++ struct xhci_command *i_cmd;
++ u32 cycle_state;
++
++ /* Turn all aborted commands in list to no-ops, then restart */
++ list_for_each_entry(i_cmd, &xhci->cmd_list, cmd_list) {
++
++ if (i_cmd->status != COMP_CMD_ABORT)
++ continue;
++
++ i_cmd->status = COMP_CMD_STOP;
++
++ xhci_dbg(xhci, "Turn aborted command %p to no-op\n",
++ i_cmd->command_trb);
++ /* get cycle state from the original cmd trb */
++ cycle_state = le32_to_cpu(
++ i_cmd->command_trb->generic.field[3]) & TRB_CYCLE;
++ /* modify the command trb to no-op command */
++ i_cmd->command_trb->generic.field[0] = 0;
++ i_cmd->command_trb->generic.field[1] = 0;
++ i_cmd->command_trb->generic.field[2] = 0;
++ i_cmd->command_trb->generic.field[3] = cpu_to_le32(
++ TRB_TYPE(TRB_CMD_NOOP) | cycle_state);
++
++ /*
++ * caller waiting for completion is called when command
++ * completion event is received for these no-op commands
++ */
++ }
++
++ xhci->cmd_ring_state = CMD_RING_STATE_RUNNING;
++
++ /* ring command ring doorbell to restart the command ring */
++ if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) &&
++ !(xhci->xhc_state & XHCI_STATE_DYING)) {
++ xhci->current_cmd = cur_cmd;
++ xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT);
++ xhci_ring_cmd_db(xhci);
++ }
++}
++
++/* Must be called with xhci->lock held, releases and aquires lock back */
++static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags)
+ {
+ u64 temp_64;
+ int ret;
+
+ xhci_dbg(xhci, "Abort command ring\n");
+
+- temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
+- xhci->cmd_ring_state = CMD_RING_STATE_ABORTED;
++ reinit_completion(&xhci->cmd_ring_stop_completion);
+
+- /*
+- * Writing the CMD_RING_ABORT bit should cause a cmd completion event,
+- * however on some host hw the CMD_RING_RUNNING bit is correctly cleared
+- * but the completion event in never sent. Use the cmd timeout timer to
+- * handle those cases. Use twice the time to cover the bit polling retry
+- */
+- xhci_mod_cmd_timer(xhci, 2 * XHCI_CMD_DEFAULT_TIMEOUT);
++ temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
+ xhci_write_64(xhci, temp_64 | CMD_RING_ABORT,
+ &xhci->op_regs->cmd_ring);
+
+@@ -321,16 +369,30 @@ static int xhci_abort_cmd_ring(struct xh
+ udelay(1000);
+ ret = xhci_handshake(&xhci->op_regs->cmd_ring,
+ CMD_RING_RUNNING, 0, 3 * 1000 * 1000);
+- if (ret == 0)
+- return 0;
+-
+- xhci_err(xhci, "Stopped the command ring failed, "
+- "maybe the host is dead\n");
+- cancel_delayed_work(&xhci->cmd_timer);
+- xhci->xhc_state |= XHCI_STATE_DYING;
+- xhci_quiesce(xhci);
+- xhci_halt(xhci);
+- return -ESHUTDOWN;
++ if (ret < 0) {
++ xhci_err(xhci, "Stopped the command ring failed, "
++ "maybe the host is dead\n");
++ xhci->xhc_state |= XHCI_STATE_DYING;
++ xhci_quiesce(xhci);
++ xhci_halt(xhci);
++ return -ESHUTDOWN;
++ }
++ }
++ /*
++ * Writing the CMD_RING_ABORT bit should cause a cmd completion event,
++ * however on some host hw the CMD_RING_RUNNING bit is correctly cleared
++ * but the completion event in never sent. Wait 2 secs (arbitrary
++ * number) to handle those cases after negation of CMD_RING_RUNNING.
++ */
++ spin_unlock_irqrestore(&xhci->lock, flags);
++ ret = wait_for_completion_timeout(&xhci->cmd_ring_stop_completion,
++ msecs_to_jiffies(2000));
++ spin_lock_irqsave(&xhci->lock, flags);
++ if (!ret) {
++ xhci_dbg(xhci, "No stop event for abort, ring start fail?\n");
++ xhci_cleanup_command_queue(xhci);
++ } else {
++ xhci_handle_stopped_cmd_ring(xhci, xhci_next_queued_cmd(xhci));
+ }
+
+ return 0;
+@@ -1213,64 +1275,12 @@ void xhci_cleanup_command_queue(struct x
+ xhci_complete_del_and_free_cmd(cur_cmd, COMP_CMD_ABORT);
+ }
+
+-/*
+- * Turn all commands on command ring with status set to "aborted" to no-op trbs.
+- * If there are other commands waiting then restart the ring and kick the timer.
+- * This must be called with command ring stopped and xhci->lock held.
+- */
+-static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci,
+- struct xhci_command *cur_cmd)
+-{
+- struct xhci_command *i_cmd, *tmp_cmd;
+- u32 cycle_state;
+-
+- /* Turn all aborted commands in list to no-ops, then restart */
+- list_for_each_entry_safe(i_cmd, tmp_cmd, &xhci->cmd_list,
+- cmd_list) {
+-
+- if (i_cmd->status != COMP_CMD_ABORT)
+- continue;
+-
+- i_cmd->status = COMP_CMD_STOP;
+-
+- xhci_dbg(xhci, "Turn aborted command %p to no-op\n",
+- i_cmd->command_trb);
+- /* get cycle state from the original cmd trb */
+- cycle_state = le32_to_cpu(
+- i_cmd->command_trb->generic.field[3]) & TRB_CYCLE;
+- /* modify the command trb to no-op command */
+- i_cmd->command_trb->generic.field[0] = 0;
+- i_cmd->command_trb->generic.field[1] = 0;
+- i_cmd->command_trb->generic.field[2] = 0;
+- i_cmd->command_trb->generic.field[3] = cpu_to_le32(
+- TRB_TYPE(TRB_CMD_NOOP) | cycle_state);
+-
+- /*
+- * caller waiting for completion is called when command
+- * completion event is received for these no-op commands
+- */
+- }
+-
+- xhci->cmd_ring_state = CMD_RING_STATE_RUNNING;
+-
+- /* ring command ring doorbell to restart the command ring */
+- if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) &&
+- !(xhci->xhc_state & XHCI_STATE_DYING)) {
+- xhci->current_cmd = cur_cmd;
+- xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT);
+- xhci_ring_cmd_db(xhci);
+- }
+- return;
+-}
+-
+-
+ void xhci_handle_command_timeout(struct work_struct *work)
+ {
+ struct xhci_hcd *xhci;
+ int ret;
+ unsigned long flags;
+ u64 hw_ring_state;
+- bool second_timeout = false;
+
+ xhci = container_of(to_delayed_work(work), struct xhci_hcd, cmd_timer);
+
+@@ -1284,18 +1294,17 @@ void xhci_handle_command_timeout(struct
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ return;
+ }
+-
+ /* mark this command to be cancelled */
+- if (xhci->current_cmd->status == COMP_CMD_ABORT)
+- second_timeout = true;
+ xhci->current_cmd->status = COMP_CMD_ABORT;
+
+ /* Make sure command ring is running before aborting it */
+ hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
+ if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) &&
+ (hw_ring_state & CMD_RING_RUNNING)) {
++ /* Prevent new doorbell, and start command abort */
++ xhci->cmd_ring_state = CMD_RING_STATE_ABORTED;
+ xhci_dbg(xhci, "Command timeout\n");
+- ret = xhci_abort_cmd_ring(xhci);
++ ret = xhci_abort_cmd_ring(xhci, flags);
+ if (unlikely(ret == -ESHUTDOWN)) {
+ xhci_err(xhci, "Abort command ring failed\n");
+ xhci_cleanup_command_queue(xhci);
+@@ -1309,9 +1318,9 @@ void xhci_handle_command_timeout(struct
+ goto time_out_completed;
+ }
+
+- /* command ring failed to restart, or host removed. Bail out */
+- if (second_timeout || xhci->xhc_state & XHCI_STATE_REMOVING) {
+- xhci_dbg(xhci, "command timed out twice, ring start fail?\n");
++ /* host removed. Bail out */
++ if (xhci->xhc_state & XHCI_STATE_REMOVING) {
++ xhci_dbg(xhci, "host removed, ring start fail?\n");
+ xhci_cleanup_command_queue(xhci);
+
+ goto time_out_completed;
+@@ -1362,7 +1371,7 @@ static void handle_cmd_completion(struct
+
+ /* If CMD ring stopped we own the trbs between enqueue and dequeue */
+ if (cmd_comp_code == COMP_CMD_STOP) {
+- xhci_handle_stopped_cmd_ring(xhci, cmd);
++ complete_all(&xhci->cmd_ring_stop_completion);
+ return;
+ }
+
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1553,6 +1553,7 @@ struct xhci_hcd {
+ struct list_head cmd_list;
+ unsigned int cmd_ring_reserved_trbs;
+ struct delayed_work cmd_timer;
++ struct completion cmd_ring_stop_completion;
+ struct xhci_command *current_cmd;
+ struct xhci_ring *event_ring;
+ struct xhci_erst erst;
--- /dev/null
+From cb4d5ce588c5ff68e0fdd30370a0e6bc2c0a736b Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Tue, 3 Jan 2017 18:28:50 +0200
+Subject: xhci: Use delayed_work instead of timer for command timeout
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+commit cb4d5ce588c5ff68e0fdd30370a0e6bc2c0a736b upstream.
+
+This is preparation to fix abort operation race (See "xhci: Fix race
+related to abort operation"). To make timeout sleepable, use
+delayed_work instead of timer.
+
+[change a newly added pending timer fix to pending work -Mathias]
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c | 7 +++----
+ drivers/usb/host/xhci-ring.c | 26 ++++++++++++++++----------
+ drivers/usb/host/xhci.h | 4 ++--
+ 3 files changed, 21 insertions(+), 16 deletions(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1829,7 +1829,7 @@ void xhci_mem_cleanup(struct xhci_hcd *x
+ int size;
+ int i, j, num_ports;
+
+- del_timer_sync(&xhci->cmd_timer);
++ cancel_delayed_work_sync(&xhci->cmd_timer);
+
+ /* Free the Event Ring Segment Table and the actual Event Ring */
+ size = sizeof(struct xhci_erst_entry)*(xhci->erst.num_entries);
+@@ -2395,9 +2395,8 @@ int xhci_mem_init(struct xhci_hcd *xhci,
+
+ INIT_LIST_HEAD(&xhci->cmd_list);
+
+- /* init command timeout timer */
+- setup_timer(&xhci->cmd_timer, xhci_handle_command_timeout,
+- (unsigned long)xhci);
++ /* init command timeout work */
++ INIT_DELAYED_WORK(&xhci->cmd_timer, xhci_handle_command_timeout);
+
+ page_size = readl(&xhci->op_regs->page_size);
+ xhci_dbg_trace(xhci, trace_xhci_dbg_init,
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -280,6 +280,11 @@ void xhci_ring_cmd_db(struct xhci_hcd *x
+ readl(&xhci->dba->doorbell[0]);
+ }
+
++static bool xhci_mod_cmd_timer(struct xhci_hcd *xhci, unsigned long delay)
++{
++ return mod_delayed_work(system_wq, &xhci->cmd_timer, delay);
++}
++
+ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci)
+ {
+ u64 temp_64;
+@@ -296,7 +301,7 @@ static int xhci_abort_cmd_ring(struct xh
+ * but the completion event in never sent. Use the cmd timeout timer to
+ * handle those cases. Use twice the time to cover the bit polling retry
+ */
+- mod_timer(&xhci->cmd_timer, jiffies + (2 * XHCI_CMD_DEFAULT_TIMEOUT));
++ xhci_mod_cmd_timer(xhci, 2 * XHCI_CMD_DEFAULT_TIMEOUT);
+ xhci_write_64(xhci, temp_64 | CMD_RING_ABORT,
+ &xhci->op_regs->cmd_ring);
+
+@@ -321,7 +326,7 @@ static int xhci_abort_cmd_ring(struct xh
+
+ xhci_err(xhci, "Stopped the command ring failed, "
+ "maybe the host is dead\n");
+- del_timer(&xhci->cmd_timer);
++ cancel_delayed_work(&xhci->cmd_timer);
+ xhci->xhc_state |= XHCI_STATE_DYING;
+ xhci_quiesce(xhci);
+ xhci_halt(xhci);
+@@ -1252,21 +1257,22 @@ static void xhci_handle_stopped_cmd_ring
+ if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) &&
+ !(xhci->xhc_state & XHCI_STATE_DYING)) {
+ xhci->current_cmd = cur_cmd;
+- mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT);
++ xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT);
+ xhci_ring_cmd_db(xhci);
+ }
+ return;
+ }
+
+
+-void xhci_handle_command_timeout(unsigned long data)
++void xhci_handle_command_timeout(struct work_struct *work)
+ {
+ struct xhci_hcd *xhci;
+ int ret;
+ unsigned long flags;
+ u64 hw_ring_state;
+ bool second_timeout = false;
+- xhci = (struct xhci_hcd *) data;
++
++ xhci = container_of(to_delayed_work(work), struct xhci_hcd, cmd_timer);
+
+ spin_lock_irqsave(&xhci->lock, flags);
+
+@@ -1274,7 +1280,7 @@ void xhci_handle_command_timeout(unsigne
+ * If timeout work is pending, or current_cmd is NULL, it means we
+ * raced with command completion. Command is handled so just return.
+ */
+- if (!xhci->current_cmd || timer_pending(&xhci->cmd_timer)) {
++ if (!xhci->current_cmd || delayed_work_pending(&xhci->cmd_timer)) {
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ return;
+ }
+@@ -1348,7 +1354,7 @@ static void handle_cmd_completion(struct
+
+ cmd = list_entry(xhci->cmd_list.next, struct xhci_command, cmd_list);
+
+- del_timer(&xhci->cmd_timer);
++ cancel_delayed_work(&xhci->cmd_timer);
+
+ trace_xhci_cmd_completion(cmd_trb, (struct xhci_generic_trb *) event);
+
+@@ -1439,7 +1445,7 @@ static void handle_cmd_completion(struct
+ if (cmd->cmd_list.next != &xhci->cmd_list) {
+ xhci->current_cmd = list_entry(cmd->cmd_list.next,
+ struct xhci_command, cmd_list);
+- mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT);
++ xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT);
+ } else if (xhci->current_cmd == cmd) {
+ xhci->current_cmd = NULL;
+ }
+@@ -4074,9 +4080,9 @@ static int queue_command(struct xhci_hcd
+
+ /* if there are no other commands queued we start the timeout timer */
+ if (xhci->cmd_list.next == &cmd->cmd_list &&
+- !timer_pending(&xhci->cmd_timer)) {
++ !delayed_work_pending(&xhci->cmd_timer)) {
+ xhci->current_cmd = cmd;
+- mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT);
++ xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT);
+ }
+
+ queue_trb(xhci, xhci->cmd_ring, false, field1, field2, field3,
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1552,7 +1552,7 @@ struct xhci_hcd {
+ #define CMD_RING_STATE_STOPPED (1 << 2)
+ struct list_head cmd_list;
+ unsigned int cmd_ring_reserved_trbs;
+- struct timer_list cmd_timer;
++ struct delayed_work cmd_timer;
+ struct xhci_command *current_cmd;
+ struct xhci_ring *event_ring;
+ struct xhci_erst erst;
+@@ -1915,7 +1915,7 @@ void xhci_queue_config_ep_quirk(struct x
+ unsigned int slot_id, unsigned int ep_index,
+ struct xhci_dequeue_state *deq_state);
+ void xhci_stop_endpoint_command_watchdog(unsigned long arg);
+-void xhci_handle_command_timeout(unsigned long data);
++void xhci_handle_command_timeout(struct work_struct *work);
+
+ void xhci_ring_ep_doorbell(struct xhci_hcd *xhci, unsigned int slot_id,
+ unsigned int ep_index, unsigned int stream_id);
projects / thirdparty / kernel / stable-queue.git / commitdiff
