linux-usb.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Lars-Peter Clausen <lars@metafoo.de>
To: Michael Grzeschik <mgr@pengutronix.de>
Cc: alexandru.Ardelean@analog.com, linux-usb@vger.kernel.org,
	linux-kernel@vger.kernel.org, balbi@kernel.org,
	gregkh@linuxfoundation.org, bigeasy@linutronix.de,
	m.olbrich@pengutronix.de, kernel@pengutronix.de
Subject: Re: [PATCH] usb: dwc3: gadget: don't dequeue requests on already disabled endpoints
Date: Fri, 27 Mar 2020 11:55:41 +0100	[thread overview]
Message-ID: <c2bbd132-c482-21c4-232d-2786021759cf@metafoo.de> (raw)
In-Reply-To: <20200327104352.GF27849@pengutronix.de>

On 3/27/20 11:43 AM, Michael Grzeschik wrote:
> On Fri, Mar 27, 2020 at 10:14:10AM +0100, Lars-Peter Clausen wrote:
>> On 3/27/20 9:43 AM, Michael Grzeschik wrote:
>>> dwc3_gadget_ep_disable gets called before the last request gets
>>> dequeued.
>>>
>>> In __dwc3_gadget_ep_disable all started, pending and cancelled
>>> lists for this endpoint will call dwc3_gadget_giveback in
>>> dwc3_remove_requests.
>>>
>>> After that no list containing the afterwards dequed request,
>>> therefor it is not necessary to run the dequeue routine.
>>>
>>> Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
>>> ---
>>> @Lars-Peter Clausen:
>>>
>>> This patch addresses the case that not queued requests get dequeued.
>>> The only case that this happens seems on disabling the gadget.
>>
>> I don't believe it does. Calling usb_ep_dequeue() is not limited to be
>> called after the endpoint has been disabled. It is part of the API and can
>> be called at any time. E.g. with function_fs you can abort a queued transfer
>> from userspace at any time.
> OK, can you give me an Userspace example how to simply trigger the
> issue. I tried to figure your mentioned function stack but it would
> be much easier if it could be reproduced.
>
> The patch on the other hand can stand on itself, as it then
> fixes another code path that is much more common.

Hi,

I don't have a standalone example. But the issue occurs if you submit a 
request when using function_fs through the AIO API and then call 
io_cancel() to abort it. At the same time there must be traffic on the 
USB bus so that the URB has a chance to complete.

This is a race condition between the IRQ handler running on one CPU and 
the usb_ep_dequeue() running on another CPU. As such it might take a 
while of stress testing before it is triggered. The more CPUs your 
system has the higher the chance of trigger the issue.

You can find the code which triggers the issue below.

Submission of the request:

https://github.com/analogdevicesinc/libiio/blob/master/iiod/ops.c#L139-L156

Canceling it:

https://github.com/analogdevicesinc/libiio/blob/master/iiod/ops.c#L193


  reply	other threads:[~2020-03-27 10:55 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-06 14:45 [PATCH] usb: dwc3: gadget: Handle dequeuing of non queued URB gracefully Alexandru Ardelean
2019-11-12 14:41 ` Michael Olbrich
2020-01-16 11:12   ` Ardelean, Alexandru
2020-01-16 13:05     ` Felipe Balbi
2020-01-16 13:24 ` [PATCH][RESEND] " Alexandru Ardelean
2020-01-30 12:02   ` Felipe Balbi
2020-03-10 13:22     ` Ardelean, Alexandru
2020-03-10 13:45       ` Lars-Peter Clausen
2020-03-10 14:07         ` Lars-Peter Clausen
2020-03-27  8:43           ` [PATCH] usb: dwc3: gadget: don't dequeue requests on already disabled endpoints Michael Grzeschik
2020-03-27  8:53             ` Sergei Shtylyov
2020-03-27 11:15               ` Andy Shevchenko
2020-03-27  9:14             ` Lars-Peter Clausen
2020-03-27 10:43               ` Michael Grzeschik
2020-03-27 10:55                 ` Lars-Peter Clausen [this message]
2020-03-28  8:27             ` Felipe Balbi
2020-03-29 19:02               ` Michael Grzeschik
2020-03-30  7:18                 ` Felipe Balbi
2020-03-30  8:25                   ` Michael Grzeschik
2020-03-30 10:06                     ` Felipe Balbi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c2bbd132-c482-21c4-232d-2786021759cf@metafoo.de \
    --to=lars@metafoo.de \
    --cc=alexandru.Ardelean@analog.com \
    --cc=balbi@kernel.org \
    --cc=bigeasy@linutronix.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=kernel@pengutronix.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=m.olbrich@pengutronix.de \
    --cc=mgr@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).