From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mga03.intel.com ([134.134.136.65]:15534 "EHLO mga03.intel.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752353AbbHLKvv (ORCPT <rfc822;stable@vger.kernel.org>);
	Wed, 12 Aug 2015 06:51:51 -0400
Message-ID: <55CB2626.3060000@linux.intel.com>
Date: Wed, 12 Aug 2015 13:55:34 +0300
From: Mathias Nyman <mathias.nyman@linux.intel.com>
MIME-Version: 1.0
To: Oliver Neukum <oneukum@suse.com>, gregkh@linuxfoundation.org
CC: linux-usb@vger.kernel.org, Gavin Shan <gwshan@linux.vnet.ibm.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH 2/2] drivers/usb: Delete XHCI command timer if necessary
References: <1438607269-8977-1-git-send-email-mathias.nyman@linux.intel.com>	 <1438607269-8977-3-git-send-email-mathias.nyman@linux.intel.com> <1439280938.6524.2.camel@suse.com>
In-Reply-To: <1439280938.6524.2.camel@suse.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On 11.08.2015 11:15, Oliver Neukum wrote:
> On Mon, 2015-08-03 at 16:07 +0300, Mathias Nyman wrote:
>> From: Gavin Shan <gwshan@linux.vnet.ibm.com>
>>
>> When xhci_mem_cleanup() is called, it's possible that the command
>> timer isn't initialized and scheduled. For those cases, to delete
>> the command timer causes soft-lockup as below stack dump shows.
>>
>> The patch avoids deleting the command timer if it's not scheduled
>> with the help of timer_pending().
> 
> Are you sure this is safe? timer_pending() will not show you that
> the timer function is running. It looks like you introduced a race
> between timeout and cleanup.
> 

Looking at it in more detail you're right.

Fortunately this can only happen in cases where xhci is already hosed
(no command response for 5 seconds), and we are at the same time
anyway about to remove xhci.

Doesn't this mean that all cases with
if (timer_pending(&timer))
	del_timer_sync(&timer)

is just basically the same as a plain del_timer(&timer)?

Anyways, turns out that the error path in xhci initialization code can end up calling
del_timer_sync() before timer is initialized. This should be fixed by re-arranging
some code in xhci initialization instead.

Greg, should this be reverted in rc7?
I think that the possible side effect of this patch is still lesser the original
issue.     

Thanks for spotting this

-Mathias