[PATCH 5.4 029/177] xhci: fix USB3 device initiated resume race with roothub autosuspend

From: Greg Kroah-Hartman
Date: Mon Dec 16 2019 - 13:15:42 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.4 030/177] xhci: Increase STS_HALT timeout in xhci_suspend()"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 028/177] xhci: Fix memory leak in xhci_add_in_port()"
In reply to: Greg Kroah-Hartman: "[PATCH 5.4 028/177] xhci: Fix memory leak in xhci_add_in_port()"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.4 030/177] xhci: Increase STS_HALT timeout in xhci_suspend()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx>

commit 057d476fff778f1d3b9f861fdb5437ea1a3cfc99 upstream.

A race in xhci USB3 remote wake handling may force device back to suspend
after it initiated resume siganaling, causing a missed resume event or warm
reset of device.

When a USB3 link completes resume signaling and goes to enabled (UO)
state a interrupt is issued and the interrupt handler will clear the
bus_state->port_remote_wakeup resume flag, allowing bus suspend.

If the USB3 roothub thread just finished reading port status before
the interrupt, finding ports still in suspended (U3) state, but hasn't
yet started suspending the hub, then the xhci interrupt handler will clear
the flag that prevented roothub suspend and allow bus to suspend, forcing
all port links back to suspended (U3) state.

Example case:
usb_runtime_suspend() # because all ports still show suspended U3
usb_suspend_both()
hub_suspend(); # successful as hub->wakeup_bits not set yet
==> INTERRUPT
xhci_irq()
handle_port_status()
clear bus_state->port_remote_wakeup
usb_wakeup_notification()
sets hub->wakeup_bits;
kick_hub_wq()
<== END INTERRUPT
hcd_bus_suspend()
xhci_bus_suspend() # success as port_remote_wakeup bits cleared

Fix this by increasing roothub usage count during port resume to prevent
roothub autosuspend, and by making sure bus_state->port_remote_wakeup
flag is only cleared after resume completion is visible, i.e.
after xhci roothub returned U0 or other non-U3 link state link on a
get port status request.

Issue rootcaused by Chiasheng Lee

Cc: <stable@xxxxxxxxxxxxxxx>
Cc: Lee, Hou-hsun <hou-hsun.lee@xxxxxxxxx>
Reported-by: Lee, Chiasheng <chiasheng.lee@xxxxxxxxx>
Signed-off-by: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20191211142007.8847-3-mathias.nyman@xxxxxxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/usb/host/xhci-hub.c | 10 ++++++++++
drivers/usb/host/xhci-ring.c | 3 +--
2 files changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -920,11 +920,13 @@ static void xhci_get_usb3_port_status(st
{
struct xhci_bus_state *bus_state;
struct xhci_hcd *xhci;
+ struct usb_hcd *hcd;
u32 link_state;
u32 portnum;

bus_state = &port->rhub->bus_state;
xhci = hcd_to_xhci(port->rhub->hcd);
+ hcd = port->rhub->hcd;
link_state = portsc & PORT_PLS_MASK;
portnum = port->hcd_portnum;

@@ -952,6 +954,14 @@ static void xhci_get_usb3_port_status(st
bus_state->suspended_ports &= ~(1 << portnum);
}

+ /* remote wake resume signaling complete */
+ if (bus_state->port_remote_wakeup & (1 << portnum) &&
+ link_state != XDEV_RESUME &&
+ link_state != XDEV_RECOVERY) {
+ bus_state->port_remote_wakeup &= ~(1 << portnum);
+ usb_hcd_end_port_resume(&hcd->self, portnum);
+ }
+
xhci_hub_report_usb3_link_state(xhci, status, portsc);
xhci_del_comp_mod_timer(xhci, portsc, portnum);
}
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1624,7 +1624,6 @@ static void handle_port_status(struct xh
slot_id = xhci_find_slot_id_by_port(hcd, xhci, hcd_portnum + 1);
if (slot_id && xhci->devs[slot_id])
xhci->devs[slot_id]->flags |= VDEV_PORT_ERROR;
- bus_state->port_remote_wakeup &= ~(1 << hcd_portnum);
}

if ((portsc & PORT_PLC) && (portsc & PORT_PLS_MASK) == XDEV_RESUME) {
@@ -1644,6 +1643,7 @@ static void handle_port_status(struct xh
*/
bus_state->port_remote_wakeup |= 1 << hcd_portnum;
xhci_test_and_clear_bit(xhci, port, PORT_PLC);
+ usb_hcd_start_port_resume(&hcd->self, hcd_portnum);
xhci_set_link_state(xhci, port, XDEV_U0);
/* Need to wait until the next link state change
* indicates the device is actually in U0.
@@ -1684,7 +1684,6 @@ static void handle_port_status(struct xh
if (slot_id && xhci->devs[slot_id])
xhci_ring_device(xhci, slot_id);
if (bus_state->port_remote_wakeup & (1 << hcd_portnum)) {
- bus_state->port_remote_wakeup &= ~(1 << hcd_portnum);
xhci_test_and_clear_bit(xhci, port, PORT_PLC);
usb_wakeup_notification(hcd->self.root_hub,
hcd_portnum + 1);

Next message: Greg Kroah-Hartman: "[PATCH 5.4 030/177] xhci: Increase STS_HALT timeout in xhci_suspend()"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 028/177] xhci: Fix memory leak in xhci_add_in_port()"
In reply to: Greg Kroah-Hartman: "[PATCH 5.4 028/177] xhci: Fix memory leak in xhci_add_in_port()"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.4 030/177] xhci: Increase STS_HALT timeout in xhci_suspend()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]