From: Sriharsha Allenki <sallenki@codeaurora.org>
To: Felipe Balbi <balbi@kernel.org>
Cc: "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
Manu Gautam <mgautam@codeaurora.org>,
Jack Pham <jackp@codeaurora.org>
Subject: Re: Fwd: [DWC3][Gadget] Question regarding the unmapping of request as part of queue failure
Date: Wed, 1 Apr 2020 18:56:13 +0530 [thread overview]
Message-ID: <f76b1964-ee15-8076-2575-4f533fc53244@codeaurora.org> (raw)
In-Reply-To: <87369skhdm.fsf@kernel.org>
Hi,
On 3/28/2020 2:04 PM, Felipe Balbi wrote:
> Hi,
>
> Sriharsha Allenki <sallenki@codeaurora.org> writes:
>> I was looking at the code flow for ep_queue and came across the
>> following piece of code.
>>
>> __dwc3_gadget_kick_transfer {
>>
>> dwc3_prepare_trbs(dep);
>> req = next_request(&dep->started_list);
>> if (!req) {
>> dep->flags |= DWC3_EP_PENDING_REQUEST;
>> return 0;
>> }
>> }
>>
>> As part of dwc3_prepare_trbs(dep), we get a request from the pending_list
>> and queue to the tail of the started_list. But here we get the head of
>> the started_list, now if there is any failure in issuing UPDATE_TRANSFER
>> to the core, we unmap this request using "dwc3_gadget_del_and_unmap_request".
>>
>> But if this kick_transfer was part of the ep_queue and we have failed
>> to issue update transfer, instead of unmapping the request we are trying
>> to queue, we will be unmapping a different request (first in the started_list)
>> which the core could have already started processing. I believe we should unmap
>> the request we are trying to queue but not any other.
> no, we have to start requests in order and dequeue them in order as
> well. There's no way to verify that the request is already processed by
> the HW, other than checking HWO bit which is set during
> dwc3_prepare_trbs(). This is a HW-SW race condition that we can't really
> fix.
>
> It is minimized, however, by the fact that, at least for non-isoc
> endpoints, we use No Status Update Transfer commands, which means the
> command can't fail.
Thanks Felipe for the reply. I see that this is a trick race condition
between HW-SW, I have seen one occurrence where ep_queue from f_fs has
failed (at kick_transfer).And since Asynchronous IO has been enabled,
the request was freed leading to thecorruption of started_list because
the list_del and unmap was happened on the requestat the head, but the
request freed by the f_fs is at the tail of the started_list. This
caused a use after free issue.
Please let me know your comments.
Thanks and Regards,
Sriharsha
next prev parent reply other threads:[~2020-04-01 13:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <0105a5cd-936e-fb08-77bf-c2f1dbf0aeed@codeaurora.org>
2020-03-26 6:10 ` Fwd: [DWC3][Gadget] Question regarding the unmapping of request as part of queue failure Sriharsha Allenki
2020-03-28 8:34 ` Felipe Balbi
2020-04-01 13:26 ` Sriharsha Allenki [this message]
2020-04-02 9:53 ` Felipe Balbi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f76b1964-ee15-8076-2575-4f533fc53244@codeaurora.org \
--to=sallenki@codeaurora.org \
--cc=balbi@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=jackp@codeaurora.org \
--cc=linux-usb@vger.kernel.org \
--cc=mgautam@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).