[RFC PATCH v3 5/6] xhci-ring: Fix crash when issuing "usb reset"
    Jason Wessel 
    jason.wessel at windriver.com
       
    Wed Jul  1 05:02:38 CEST 2020
    
    
  
If a "usb reset" is issued when the poll_pend state is set the
abort_td() function will hit one of the BUG() statements in abort_td()
or the BUG() statement at the end of xhci_wait_for_event().
The controller has been reset, so the rest of the cleanup should be
skipped and poll_pend flag should be cleared.
Signed-off-by: Jason Wessel <jason.wessel at windriver.com>
---
 drivers/usb/host/xhci-ring.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 1c00f2d496..ed0dea9fca 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -483,6 +483,8 @@ union xhci_trb *xhci_wait_for_event(struct xhci_ctrl *ctrl, trb_type expected,
 	if (expected == TRB_TRANSFER)
 		return NULL;
 
+	if (poll_pend)
+		return NULL;
 	printf("XHCI timeout on event type %d... cannot recover.\n", expected);
 	BUG();
 }
@@ -505,11 +507,16 @@ static void abort_td(struct usb_device *udev, int ep_index)
 	xhci_queue_command(ctrl, NULL, udev->slot_id, ep_index, TRB_STOP_RING);
 
 	event = xhci_wait_for_event(ctrl, TRB_TRANSFER, false);
-	field = le32_to_cpu(event->trans_event.flags);
-	BUG_ON(TRB_TO_SLOT_ID(field) != udev->slot_id);
-	BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
-	BUG_ON(GET_COMP_CODE(le32_to_cpu(event->trans_event.transfer_len
-		!= COMP_STOP)));
+	if (event) {
+		field = le32_to_cpu(event->trans_event.flags);
+		BUG_ON(TRB_TO_SLOT_ID(field) != udev->slot_id);
+		BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
+		BUG_ON(GET_COMP_CODE(le32_to_cpu(event->trans_event.transfer_len
+						 != COMP_STOP)));
+	} else {
+		debug("XHCI abort timeout\n");
+		return;
+	}
 	xhci_acknowledge_event(ctrl);
 
 	event = xhci_wait_for_event(ctrl, TRB_COMPLETION, false);
-- 
2.17.1
    
    
More information about the U-Boot
mailing list