Linux-USB Archive on lore.kernel.org
 help / color / Atom feed
From: Mathias Nyman <mathias.nyman@linux.intel.com>
To: Ross Zwisler <zwisler@google.com>
Cc: Andrzej Pietrasiewicz <andrzej.p@collabora.com>,
	"linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
	"kernel@collabora.com" <kernel@collabora.com>
Subject: Re: xhci problem -> general protection fault
Date: Wed, 30 Dec 2020 14:33:29 +0200
Message-ID: <f75d6e13-d1f7-0282-f93d-be4693e82e29@linux.intel.com> (raw)
In-Reply-To: <X9EdVbO08Y8Ohih5@google.com>

On 9.12.2020 20.54, Ross Zwisler wrote:
> On Wed, Dec 09, 2020 at 03:11:14PM +0200, Mathias Nyman wrote:
> <>
>> I was testing with Andrzej's script against a g_zero gadget.
>> I could  trigger many similar issues as those he reported, but not this
>> dequeue issue you see.
>>
>> The rewrite resolved all issues I saw. Script was running without issues
>> over night. (tested against both USB2 and USB3).
>>
>> I haven't tried with two devices simultaneously, I could try that.
>>
>> Could you share more details about the system you have, what xhci
>> controller do you have?
> 
> Sure.  I'm running with the following CPU:
> 
> Intel(R) Xeon(R) Gold 6154 CPU @ 3.00GHz

I was able to reproduce the issue with two USB devices on a different system.

I saw that the new incorrect dequeue pointer sometimes had the higher 32 bits
incorrect while the lower bits were correct.
So this looks like a memory access order issue.

The command TRB is 16 bytes. The xhci driver writes it in four 4 byte chunks.
Even if the driver writes the chunk that sets the cycle bit last, handing the TRB
over to the controller, it appears that the actual write order can be different.
The controller ends up reading a command TRB with updated cycle bit but old bogus
values in the "new dequeue pointer" field.

Adding a write memory barrier before writing the cycle bit solved the issue in my case.

Whole patch series is updated, added write memory barrier, and rebased on 5.10.
It can be found force-updated in the same rewrite_halt_stop_handling branch: 

git://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git rewrite_halt_stop_handling
https://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git/log/?h=rewrite_halt_stop_handling

Does this work for you?

-Mathias
  

  reply index

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-17 15:30 Andrzej Pietrasiewicz
2020-09-18 10:50 ` Mathias Nyman
2020-09-18 14:20   ` Andrzej Pietrasiewicz
2020-09-25 13:40     ` Mathias Nyman
2020-09-25 21:05       ` Ross Zwisler
2020-09-28 13:32         ` Andrzej Pietrasiewicz
2020-09-29  7:13           ` Mathias Nyman
2020-10-01 14:13             ` Andrzej Pietrasiewicz
2020-09-28 22:35         ` Mathias Nyman
2020-10-01 16:43           ` zwisler
2020-10-12 19:20             ` Mathias Nyman
2020-10-12 21:53               ` zwisler
2020-10-13  7:49                 ` Mathias Nyman
2020-10-13  8:29                   ` Andrzej Pietrasiewicz
2020-10-13 16:44                     ` zwisler
2020-11-19 16:52                   ` Ross Zwisler
2020-11-23 15:06                     ` Mathias Nyman
2020-12-02 22:59                       ` Ross Zwisler
2020-12-04 18:07                         ` Mathias Nyman
2020-12-08 17:24                           ` Ross Zwisler
2020-12-09 13:11                             ` Mathias Nyman
2020-12-09 18:54                               ` Ross Zwisler
2020-12-30 12:33                                 ` Mathias Nyman [this message]
2021-01-06 18:52                                   ` Ross Zwisler
2021-01-07  8:57                                     ` Mathias Nyman
2021-01-07 16:07                                       ` Ross Zwisler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f75d6e13-d1f7-0282-f93d-be4693e82e29@linux.intel.com \
    --to=mathias.nyman@linux.intel.com \
    --cc=andrzej.p@collabora.com \
    --cc=kernel@collabora.com \
    --cc=linux-usb@vger.kernel.org \
    --cc=zwisler@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-USB Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-usb/0 linux-usb/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-usb linux-usb/ https://lore.kernel.org/linux-usb \
		linux-usb@vger.kernel.org
	public-inbox-index linux-usb

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-usb


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git