Re: Bug 60810 - Kernel oops with controller XHCI while wait usb packet

[Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx>]

On 09/04/2013 05:13 PM, Giovanni wrote:
> > On 08/29/2013 07:46 AM, Giovanni wrote:
> > > https://bugzilla.kernel.org/show_bug.cgi?id=60810
> > >
> > >                Bug ID: 60810
> > >               Summary: Kernel oops with controller XHCI while wait usb packet
> >
> > Hi
> >
> > I'm looking into the NULL pointer issue after timed out address device
> > commands as well, but I'm not able to reproduce it.
> >
> > Could you apply the attached patch, turn on xHCI debugging and send me
> > the log after it fails again?
>
> Hi Mathias,
>
> this is the log https://bugzilla.kernel.org/attachment.cgi?id=107415 with your patch.
>
> Thank you
> Giovanni
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-usb" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Hi Giovanni

This was very helpful.
Looks like when an address command times out, the xHCI command ring is 
first aborted and then stopped. An event with stop bit set on a empty 
command ring will point to the next "future" command which does not yet 
exists. xHCI driver still tries to handle this event -> Oops

Can you try out this new patch and see if it solves this issue?

Thanks
- Mathias

>From 2d709a37d20fabeb2e024a847812326f272f7002 Mon Sep 17 00:00:00 2001
From: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx>
Date: Wed, 4 Sep 2013 17:57:30 +0300
Subject: [PATCH] xhci: Fix oops on timed out commands

When a command times out the command ring is first aborted
and then stopped. If the command ring is empty when the ring is
stopped the stop event points point to the next future command on
the command ring which is not yet set. xhci will try to handle this event
which might oops.

Don't handle events on stopped cmd ring if ring is empty

Signed-off-by: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx>
---
 drivers/usb/host/xhci-ring.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index cc3bfc5..6ccbb25 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1390,6 +1390,9 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
 			inc_deq(xhci, xhci->cmd_ring);
 			return;
 		}
+		/* Don't try to handle nonexistent event on empty ring */
+		if (xhci->cmd_ring->dequeue == xhci->cmd_ring->enqueue)
+			return;
 	}
 
 	switch (le32_to_cpu(xhci->cmd_ring->dequeue->generic.field[3])
-- 
1.7.4.1