USB: ohci - record data toggle after unlink
David Brownell [Sat, 14 Jun 2008 06:59:54 +0000 (23:59 -0700)]
This patch fixes a problem with OHCI where canceling bulk or
interrupt URBs may lose track of the right data toggle.  This
seems to be a longstanding bug, possibly dating back to the
Linux 2.4 kernel, which stayed hidden because

 (a) about half the time the data toggle bit was correct;
 (b) canceling such URBs is unusual; and
 (c) the few drivers which cancel these URBs either
      [1] do it only as part of shutting down, or
      [2] have fault recovery logic, which recovers.

For those transfer types, the toggle is normally written back
into the ED when each TD is retired.  But canceling bypasses
the mechanism used to retire TDs ... so on average, half the
time the toggle bit will be invalid after cancelation.

The fix is simple:  the toggle state of any canceled TDs are
propagated back to the ED in the finish_unlinks function.

(Issue found by leonidv11@gmail.com ...)

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Cc: Leonid <leonidv11@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

drivers/usb/host/ohci-q.c

index 9c9f3b5..9b54740 100644 (file)
@@ -952,6 +952,7 @@ rescan_this:
                        struct urb      *urb;
                        urb_priv_t      *urb_priv;
                        __hc32          savebits;
+                       u32             tdINFO;
 
                        td = list_entry (entry, struct td, td_list);
                        urb = td->urb;
@@ -966,6 +967,17 @@ rescan_this:
                        savebits = *prev & ~cpu_to_hc32 (ohci, TD_MASK);
                        *prev = td->hwNextTD | savebits;
 
+                       /* If this was unlinked, the TD may not have been
+                        * retired ... so manually save the data toggle.
+                        * The controller ignores the value we save for
+                        * control and ISO endpoints.
+                        */
+                       tdINFO = hc32_to_cpup(ohci, &td->hwINFO);
+                       if ((tdINFO & TD_T) == TD_T_DATA0)
+                               ed->hwHeadP &= ~cpu_to_hc32(ohci, ED_C);
+                       else if ((tdINFO & TD_T) == TD_T_DATA1)
+                               ed->hwHeadP |= cpu_to_hc32(ohci, ED_C);
+
                        /* HC may have partly processed this TD */
                        td_done (ohci, urb, td);
                        urb_priv->td_cnt++;