From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
To: Alan Stern <stern@rowland.harvard.edu>, Felipe Balbi <balbi@kernel.org>
Cc: "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
Michal Nazarewicz <mina86@mina86.com>
Subject: f_mass_storage configuration races (Was: Virtual hub, resets etc...)
Date: Thu, 04 Jul 2019 18:02:48 +1000 [thread overview]
Message-ID: <f6d0ca0d258fa69fdcd46c04b908ff4ff9205181.camel@kernel.crashing.org> (raw)
In-Reply-To: <617c4ba96b9664377c24444e8b82ffa75a8a5357.camel@kernel.crashing.org>
Sooo...
I think I found what's going on with some of the issues triggering
things like
usb_composite_setup_continue: Unexpected call
Or possibly
gadget: common->fsg is NULL in fsg_setup at 489
But I mostly tracked down the former.
Fundamentally, it boils down to the storage going through multiple
attempts at FSG_STATE_CONFIG_CHANGE too quickly. In my case:
- The hub port gets reset, this eventually calls fsg_disable
- In the middle of handle_exception, we get a fsg_set_alt(), after
common->state is set back to FSG_STATE_NORMAL and before we get to
call do_set_interface (or inside it).
What happens is that not only new_fsg is indeterminate and possibly
racy (maybe not a huge deal per-se), but we end up in that
interesting situation where the handle_exception caused by fsg_disable
ends up applying "new_fsg" *and* calling usb_composite_setup_continue
because it sees new_fsg being set by fsg_set_alt.
But *then*, fsg_set_alt() also queues up a new exception. So we come
back a second time around. We call do_set_interface() again, which
resets everything for no reason, re-established the fsg and ... we call
usb_composite_setup_continue() again, this time completely at the wrong
time since there's nothing to continue.
I think the right fix is to replace that racy exception crap with a
little queue so we remove those races.
In the meantime however, I think the simpler patch that I'll send as
a reply to this works around it, provided the host doesn't do multiple
set_alt too quickly. The latter could be handled by setting new_fsg
with the lock used for the state, and reading it from that same lock.
But I haven't observed that problem in practice.
With this patch, I can now unplug & replug on my host solidly, this
wasn't the case before.
Cheers,
Ben.
next prev parent reply other threads:[~2019-07-04 8:03 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-04 5:52 Virtual hub, resets etc Benjamin Herrenschmidt
2019-07-04 8:02 ` Benjamin Herrenschmidt [this message]
2019-07-04 8:04 ` [PATCH] usb: gadget: mass_storage: Fix races between fsg_disable and fsg_set_alt Benjamin Herrenschmidt
2019-07-04 16:13 ` Virtual hub, resets etc Alan Stern
2019-07-04 21:44 ` Benjamin Herrenschmidt
2019-07-04 21:58 ` Benjamin Herrenschmidt
2019-07-05 1:37 ` Alan Stern
2019-07-05 2:15 ` Benjamin Herrenschmidt
2019-07-05 14:20 ` Alan Stern
2019-07-05 22:06 ` Benjamin Herrenschmidt
2019-07-05 1:34 ` Alan Stern
2019-07-05 2:08 ` Benjamin Herrenschmidt
2019-07-05 14:08 ` Alan Stern
2019-07-05 22:01 ` Benjamin Herrenschmidt
2019-07-06 18:37 ` Alan Stern
2019-07-06 23:44 ` Benjamin Herrenschmidt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f6d0ca0d258fa69fdcd46c04b908ff4ff9205181.camel@kernel.crashing.org \
--to=benh@kernel.crashing.org \
--cc=balbi@kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mina86@mina86.com \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).