USB: EHCI: fix two new bugs related to Clear-TT-Buffer

commit 7a0f0d951273eee889c2441846842348ebc00a2a upstream.

This patch (as1273) fixes two(!) bugs introduced by the new
Clear-TT-Buffer implementation in ehci-hcd.

	It is now possible for an idle QH to have some URBs on its
	queue -- this will happen if a Clear-TT-Buffer is pending for
	the QH's endpoint.  Consequently we should not issue a warning
	when someone tries to unlink an URB from an idle QH; instead
	we should process the request immediately.

	The refcounts for QHs could get messed up, because
	submit_async() would increment the refcount when calling
	qh_link_async() and qh_link_async() would then refuse to link
	the QH into the schedule if a Clear-TT-Buffer was pending.
	Instead we should increment the refcount only when the QH
	actually is added to the schedule.  The current code tries to
	be clever by leaving the refcount alone if an unlink is
	immediately followed by a relink; the patch changes this to an
	unconditional decrement and increment (although they occur in
	the opposite order).

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: David Brownell <david-b@pacbell.net>
Tested-by: Manuel Lauss <manuel.lauss@gmail.com>
Tested-by: Matthijs Kooijman <matthijs@stdin.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
index abeea7bddb16003323ab62652d5ee77de77fa01a..d75b8cf5582155e31efd375ec8ccb10797d7dc4b 100644 (file)
--- a/drivers/usb/host/ehci-hcd.c
+++ b/drivers/usb/host/ehci-hcd.c
@@ -903,7 +903,8 @@ static int ehci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
                        /* already started */
                        break;
                case QH_STATE_IDLE:
-                       WARN_ON(1);
+                       /* QH might be waiting for a Clear-TT-Buffer */
+                       qh_completions(ehci, qh);
                        break;
                }
                break;

diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c
index e3d2b627bfb33cc41021c6872807816b91d29f82..a39f2c61273ebc775ac4638faf77989e44e97a72 100644 (file)
--- a/drivers/usb/host/ehci-q.c
+++ b/drivers/usb/host/ehci-q.c
@@ -938,6 +938,7 @@ static void qh_link_async (struct ehci_hcd *ehci, struct ehci_qh *qh)
        head->qh_next.qh = qh;
        head->hw_next = dma;
 
+       qh_get(qh);
        qh->xacterrs = QH_XACTERR_MAX;
        qh->qh_state = QH_STATE_LINKED;
        /* qtd completions reported later by interrupt */
@@ -1078,7 +1079,7 @@ submit_async (
         * the HC and TT handle it when the TT has a buffer ready.
         */
        if (likely (qh->qh_state == QH_STATE_IDLE))
-               qh_link_async (ehci, qh_get (qh));
+               qh_link_async(ehci, qh);
  done:
        spin_unlock_irqrestore (&ehci->lock, flags);
        if (unlikely (qh == NULL))
@@ -1113,8 +1114,6 @@ static void end_unlink_async (struct ehci_hcd *ehci)
                        && HC_IS_RUNNING (ehci_to_hcd(ehci)->state))
                qh_link_async (ehci, qh);
        else {
-               qh_put (qh);            // refcount from async list
-
                /* it's not free to turn the async schedule on/off; leave it
                 * active but idle for a while once it empties.
                 */
@@ -1122,6 +1121,7 @@ static void end_unlink_async (struct ehci_hcd *ehci)
                                && ehci->async->qh_next.qh == NULL)
                        timer_action (ehci, TIMER_ASYNC_OFF);
        }
+       qh_put(qh);                     /* refcount from async list */
 
        if (next) {
                ehci->reclaim = NULL;