From: Sriharsha Allenki <sallenki@codeaurora.org>
To: Felipe Balbi <balbi@kernel.org>
Cc: "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
Manu Gautam <mgautam@codeaurora.org>,
Jack Pham <jackp@codeaurora.org>
Subject: Re: Fwd: [DWC3][Gadget] Question regarding the unmapping of request as part of queue failure
Date: Wed, 1 Apr 2020 18:56:13 +0530 [thread overview]
Message-ID: <f76b1964-ee15-8076-2575-4f533fc53244@codeaurora.org> (raw)
In-Reply-To: <87369skhdm.fsf@kernel.org>
Hi,
On 3/28/2020 2:04 PM, Felipe Balbi wrote:
> Hi,
>
> Sriharsha Allenki <sallenki@codeaurora.org> writes:
>> I was looking at the code flow for ep_queue and came across the
>> following piece of code.
>>
>> __dwc3_gadget_kick_transfer {
>>
>> dwc3_prepare_trbs(dep);
>> req = next_request(&dep->started_list);
>> if (!req) {
>> dep->flags |= DWC3_EP_PENDING_REQUEST;
>> return 0;
>> }
>> }
>>
>> As part of dwc3_prepare_trbs(dep), we get a request from the pending_list
>> and queue to the tail of the started_list. But here we get the head of
>> the started_list, now if there is any failure in issuing UPDATE_TRANSFER
>> to the core, we unmap this request using "dwc3_gadget_del_and_unmap_request".
>>
>> But if this kick_transfer was part of the ep_queue and we have failed
>> to issue update transfer, instead of unmapping the request we are trying
>> to queue, we will be unmapping a different request (first in the started_list)
>> which the core could have already started processing. I believe we should unmap
>> the request we are trying to queue but not any other.
> no, we have to start requests in order and dequeue them in order as
> well. There's no way to verify that the request is already processed by
> the HW, other than checking HWO bit which is set during
> dwc3_prepare_trbs(). This is a HW-SW race condition that we can't really
> fix.
>
> It is minimized, however, by the fact that, at least for non-isoc
> endpoints, we use No Status Update Transfer commands, which means the
> command can't fail.
Thanks Felipe for the reply. I see that this is a trick race condition
between HW-SW, I have seen one occurrence where ep_queue from f_fs has
failed (at kick_transfer).And since Asynchronous IO has been enabled,
the request was freed leading to thecorruption of started_list because
the list_del and unmap was happened on the requestat the head, but the
request freed by the f_fs is at the tail of the started_list. This
caused a use after free issue.
Please let me know your comments.
Thanks and Regards,
Sriharsha
next prev parent reply other threads:[~2020-04-01 13:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <0105a5cd-936e-fb08-77bf-c2f1dbf0aeed@codeaurora.org>
2020-03-26 6:10 ` Fwd: [DWC3][Gadget] Question regarding the unmapping of request as part of queue failure Sriharsha Allenki
2020-03-28 8:34 ` Felipe Balbi
2020-04-01 13:26 ` Sriharsha Allenki [this message]
2020-04-02 9:53 ` Felipe Balbi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f76b1964-ee15-8076-2575-4f533fc53244@codeaurora.org \
--to=sallenki@codeaurora.org \
--cc=balbi@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=jackp@codeaurora.org \
--cc=linux-usb@vger.kernel.org \
--cc=mgautam@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.