From: Ferry Toth <fntoth@gmail.com>
To: linux-usb@vger.kernel.org
Cc: "felipe.balbi-VuQAYsv1563Yd54FQh9/CA-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org"
<felipe.balbi-VuQAYsv1563Yd54FQh9/CA-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>,
Heikki Krogerus
<heikki.krogerus-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>,
Andy Shevchenko
<andriy.shevchenko-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
Subject: Re: BUG with linux 5.9.0 with dwc3 in gadget mode
Date: Wed, 21 Oct 2020 22:42:21 +0200 [thread overview]
Message-ID: <2cc783ac-6b71-190b-49fc-9e2bceeacd4b@gmail.com> (raw)
In-Reply-To: <aad327a8-95bc-40ec-abf7-ad216a02fad0@synopsys.com>
Op 21-10-2020 om 21:50 schreef Thinh Nguyen:
> Ferry Toth wrote:
>> Op 21-10-2020 om 00:58 schreef Thinh Nguyen:
>>> Thinh Nguyen wrote:
>>>> Hi,
>>>>
>>>> Ferry Toth wrote:
>>>>> Op 20-10-2020 om 14:32 schreef Felipe Balbi:
>>>>>> Hi,
>>>>>>
>>>>>> Ferry Toth <fntoth@gmail.com> writes:
>>>>>>
>>>>>> 8< snip
>>>>>>
>>>>>>>>> [ 12.657416] CR2: 0000000100000000
>>>>>>>>> [ 12.660729] ---[ end trace 9b92dea6da33c71e ]---
>>>>>>>> It this something you can reproduce on your end? Ferry, can you get
>>>>>>>> dwc3
>>>>>>>> trace logs when this happens? ftrace_dump_on_oops may help here.
>>>>>>> I will do that tonight. Is flipping on ftrace_dump_on_oops
>>>>>>> sufficient or
>>>>>>> do I need to do more?
>>>>>> you'd have to enable dwc3 trace events first ;-)
>>>>>>
>>>>>>> BTW after posting this I found in host mode dwc3 is not working
>>>>>>> properly
>>>>>>> either. No oops, but no driver get loaded on device plug in.
>>>>>> okay
>>>>>>
>>>>> Ehem, you maybe only me to enable /dwc3/dwc3_ep_dequeue/enable:
>>>>>
>>>>> root@edison:/boot# uname -a
>>>>> Linux edison 5.9.0-edison-acpi-standard #1 SMP Mon Oct 19 20:17:04 UTC
>>>>> 2020 x86_64 x86_64 x86_64 GNU/Linux
>>>>> root@edison:/boot# echo 1 >
>>>>> /sys/kernel/debug/tracing/events/dwc3/dwc3_ep_dequeue/enable
>>>>> root@edison:/boot# echo 1 > /proc/sys/kernel/ftrace_dump_on_oops
>>>>> root@edison:/boot#
>>>>> root@edison:/boot# [ 2608.585323] BUG: kernel NULL pointer
>>>>> dereference, address: 0000000000000000
>>>>> [ 2608.592288] #PF: supervisor read access in kernel mode
>>>>> [ 2608.597419] #PF: error_code(0x0000) - not-present page
>>>>> [ 2608.602549] PGD 0 P4D 0
>>>>> [ 2608.605090] Oops: 0000 [#1] SMP PTI
>>>>> [ 2608.608580] CPU: 1 PID: 733 Comm: irq/15-dwc3 Not tainted
>>>>> 5.9.0-edison-acpi-standard #1
>>>>> [ 2608.616571] Hardware name: Intel Corporation Merrifield/BODEGA BAY,
>>>>> BIOS 542 2015.01.21:18.19.48
>>>>> [ 2608.625356] RIP: 0010:dwc3_gadget_ep_dequeue+0x41/0x1c0
>>>>> [ 2608.630580] Code: e9 51 01 00 00 4c 8d a3 30 01 00 00 4c 89 e7 e8
>>>>> 15 e6 42 00 49 8b 4e 48 49 89 c5 49 8d 46 48 48 8d 51 a0 48 39 c8 75
>>>>> 0f eb 2e <48> 8b 4a 60 48 8d 51 a0 48 39 c8 74 21 48 39 d5 75 ee 45 31
>>>>> f6 4c
>>>>> [ 2608.649320] RSP: 0018:ffffa838002a7c40 EFLAGS: 00010087
>>>>> [ 2608.654543] RAX: ffff9a5f4609c048 RBX: ffff9a5f46f48028 RCX:
>>>>> 0000000000000000
>>>>> [ 2608.661666] RDX: ffffffffffffffa0 RSI: 0000000000000008 RDI:
>>>>> ffff9a5f46f48158
>>>>> [ 2608.668790] RBP: ffff9a5f7bd09b40 R08: 00000000000002d8 R09:
>>>>> ffff9a5f7dd6a000
>>>>> [ 2608.675913] R10: ffffa838002a7d90 R11: ffff9a5f46f48300 R12:
>>>>> ffff9a5f46f48158
>>>>> [ 2608.683039] R13: 0000000000000046 R14: ffff9a5f4609c000 R15:
>>>>> ffff9a5f7ad77e00
>>>>> [ 2608.690165] FS: 0000000000000000(0000) GS:ffff9a5f7e300000(0000)
>>>>> knlGS:0000000000000000
>>>>> [ 2608.698244] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>>> [ 2608.703980] CR2: 0000000000000000 CR3: 000000003780a000 CR4:
>>>>> 00000000001006e0
>>>>> [ 2608.711102] Call Trace:
>>>>> [ 2608.713561] usb_ep_dequeue+0x19/0x80
>>>>> [ 2608.717234] u_audio_stop_capture+0x54/0x9a [u_audio]
>>>>> [ 2608.722289] afunc_set_alt+0x73/0x80 [usb_f_uac2]
>>>> I took a look at how the audio function is handling switching alternate
>>>> setting and dequeuing endpoints, and I think I found the issue.
>>>>
>>>> Here's a snippet of the free_ep() code in u_audio.c:
>>>>
>>>> static inline void free_ep(struct uac_rtd_params *prm, struct usb_ep
>>>> *ep)
>>>> {
>>>> .....
>>>> for (i = 0; i < params->req_number; i++) {
>>>> if (prm->ureq[i].req) {
>>>> usb_ep_dequeue(ep, prm->ureq[i].req);
>>>> usb_ep_free_request(ep, prm->ureq[i].req);
>>>> prm->ureq[i].req = NULL;
>>>> }
>>>> }
>>>> ....
>>>>
>>>>
>>>> usb_ep_dequeue() can be asynchronous. The dwc3 still has ownership of
>>>> the request until it gives back the request. Freeing the request
>>>> immediately here will cause a problem.
>>>
>>> To confirm my suspicion, can you try this and see if you still get oops?
>>>
>>> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
>>> index eec8e9a9e3ed..b66eb24ec070 100644
>>> --- a/drivers/usb/dwc3/gadget.c
>>> +++ b/drivers/usb/dwc3/gadget.c
>>> @@ -2031,6 +2031,7 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep
>>> *ep,
>>> list_for_each_entry_safe(r, t,
>>> &dep->started_list, list)
>>> dwc3_gadget_move_cancelled_request(r);
>>> +
>>> dwc3_gadget_ep_cleanup_cancelled_requests(dep);
>>> goto out;
>>> }
>>> }
>>>
>>>
>>> This will make usb_ep_dequeue() synchronous. (Note that this is not
>>> tested).
>>
>> Unfortunately, it doesn't work. The trace changes to:
>> root@edison:~# [ 104.418264] BUG: kernel NULL pointer dereference,
>> address: 0000000000000000
>> [ 104.425227] #PF: supervisor instruction fetch in kernel mode
>> [ 104.430877] #PF: error_code(0x0010) - not-present page
>> [ 104.436007] PGD 0 P4D 0
>> [ 104.438547] Oops: 0010 [#1] SMP PTI
>> [ 104.442039] CPU: 1 PID: 605 Comm: irq/15-dwc3 Not tainted
>> 5.9.0-edison-acpi-standard #1
>> [ 104.450027] Hardware name: Intel Corporation Merrifield/BODEGA BAY,
>> BIOS 542 2015.01.21:18.19.48
>> [ 104.458802] RIP: 0010:0x0
>> [ 104.461425] Code: Bad RIP value.
>> [ 104.464649] RSP: 0018:ffffae584034fbf8 EFLAGS: 00010046
>> [ 104.469870] RAX: 0000000000000000 RBX: ffff8c198608a028 RCX:
>> ffff8c19bb87fa00
>> [ 104.476993] RDX: 00000000ffffff94 RSI: ffff8c19bafa54e0 RDI:
>> ffff8c198609ee00
>> [ 104.484118] RBP: ffff8c19bafa54e0 R08: 0000000000000046 R09:
>> 0000000000000238
>> [ 104.491241] R10: 000000000000002c R11: ffff8c19bcf62490 R12:
>> ffff8c198609ee00
>> [ 104.498366] R13: ffff8c198608a028 R14: 0000000000000002 R15:
>> ffff8c19bb8ff000
>> [ 104.505493] FS: 0000000000000000(0000) GS:ffff8c19be300000(0000)
>> knlGS:0000000000000000
>> [ 104.513572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 104.519309] CR2: ffffffffffffffd6 CR3: 000000002e80a000 CR4:
>> 00000000001006e0
>> [ 104.526432] Call Trace:
>> [ 104.528892] dwc3_gadget_giveback+0xbf/0x120
>> [ 104.533169] __dwc3_gadget_ep_disable+0xc5/0x250
>> [ 104.537789] dwc3_gadget_ep_disable+0x3d/0xd0
>> [ 104.542149] usb_ep_disable+0x1d/0x80
>> [ 104.545823] u_audio_stop_capture+0x87/0x9a [u_audio]
>> [ 104.550880] afunc_set_alt+0x73/0x80 [usb_f_uac2]
>> [ 104.555594] composite_setup+0x20f/0x1b20 [libcomposite]
>> [ 104.560912] ? configfs_composite_setup+0x6b/0x90 [libcomposite]
>> [ 104.566921] configfs_composite_setup+0x6b/0x90 [libcomposite]
>> [ 104.572752] dwc3_ep0_delegate_req+0x24/0x40
>> [ 104.577022] dwc3_ep0_interrupt+0x40a/0x9d8
>> [ 104.581205] dwc3_thread_interrupt+0x880/0xf70
>>
>
> Oops, looks like I can't make it synchronous this way. Can you try
> Jack's change to the u_audio.c instead?
Oops indeed goes away with Jack's change, but usb connection goes
up/down continuously, meaning: my host sees usb network and audio device
appearing / disappearing.
mass_storage device does not appear all.
Host:
21-10-2020 22:36 kernel sd 7:0:0:0: [sdd] tag#0 device offline or changed
21-10-2020 22:36 kernel blk_update_request: I/O error, dev sdd, sector 0
op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
21-10-2020 22:36 kernel Buffer I/O error on dev sdd, logical block 0,
async page read
And on edison:
Oct 21 22:37:37 edison kernel: IPv6: ADDRCONF(NETDEV_CHANGE): usb0: link
becomes ready
Oct 21 22:37:37 edison kernel[499]: [ 436.595952] IPv6:
ADDRCONF(NETDEV_CHANGE): usb0: link b>
Oct 21 22:37:37 edison systemd-networkd[521]: usb0: Gained carrier
Oct 21 22:37:38 edison systemd-networkd[521]: usb0: Gained IPv6LL
Oct 21 22:38:07 edison systemd-networkd[521]: usb0: Lost carrier
Oct 21 22:38:07 edison systemd-journald[435]: Forwarding to syslog
missed 4 messages.
> Thanks,
> Thinh
>
next prev parent reply other threads:[~2020-10-21 20:42 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-16 20:21 BUG with linux 5.9.0 with dwc3 in gadget mode Ferry Toth
2020-10-19 5:45 ` Felipe Balbi
2020-10-19 7:14 ` Ferry Toth
2020-10-19 18:49 ` Ferry Toth
2020-10-20 12:35 ` Felipe Balbi
2020-10-20 21:01 ` Ferry Toth
2020-10-19 7:18 ` Ferry Toth
2020-10-20 12:32 ` Felipe Balbi
2020-10-20 19:46 ` Ferry Toth
2020-10-20 20:37 ` Ferry Toth
2020-10-20 22:10 ` Thinh Nguyen
2020-10-20 22:58 ` Thinh Nguyen
2020-10-21 1:47 ` Jack Pham
2020-10-21 1:56 ` Thinh Nguyen
2020-10-21 20:01 ` Ferry Toth
2020-10-22 9:23 ` Andy Shevchenko
2020-10-21 19:45 ` Ferry Toth
2020-10-21 19:50 ` Thinh Nguyen
2020-10-21 20:42 ` Ferry Toth [this message]
2020-10-21 23:32 ` Thinh Nguyen
2020-10-22 13:43 ` Andy Shevchenko
2020-10-27 20:13 ` Ferry Toth
2020-10-27 21:06 ` Jack Pham
2020-10-27 22:07 ` Ferry Toth
2020-10-27 21:16 ` Andy Shevchenko
2020-10-27 21:54 ` Ferry Toth
2020-10-28 9:18 ` Felipe Balbi
2020-11-05 21:29 ` Ferry Toth
2020-11-06 6:38 ` Felipe Balbi
2020-11-06 8:14 ` Ferry Toth
[not found] ` <326aa23e-fabd-f3d6-4778-d036858413a2@gmail.com>
2020-11-06 14:15 ` Felipe Balbi
[not found] ` <e21a5a77-9017-4cbe-a228-85357d660da5@gmail.com>
2020-11-07 8:01 ` Felipe Balbi
2020-11-07 13:37 ` Ferry Toth
2020-11-09 7:00 ` Felipe Balbi
2020-10-27 21:19 ` Andy Shevchenko
2020-10-19 19:46 ` Andy Shevchenko
2020-10-19 20:46 ` Ferry Toth
2020-10-20 13:27 ` Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2cc783ac-6b71-190b-49fc-9e2bceeacd4b@gmail.com \
--to=fntoth@gmail.com \
--cc=andriy.shevchenko-VuQAYsv1563Yd54FQh9/CA@public.gmane.org \
--cc=felipe.balbi-VuQAYsv1563Yd54FQh9/CA-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org \
--cc=heikki.krogerus-VuQAYsv1563Yd54FQh9/CA@public.gmane.org \
--cc=linux-usb@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).