From: Macpaul Lin <macpaul.lin@mediatek.com>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>,
Shen Jing <jingx.shen@intel.com>, Sasha Levin <sashal@kernel.org>,
John Stultz <john.stultz@linaro.org>,
Andrzej Pietrasiewicz <andrzej.p@collabora.com>,
Vincent Pelletier <plr.vincent@gmail.com>,
Jerry Zhang <zhangjerry@google.com>, <linux-usb@vger.kernel.org>,
<linux-kernel@vger.kernel.org>,
<linux-arm-kernel@lists.infradead.org>,
<linux-mediatek@lists.infradead.org>,
Mediatek WSD Upstream <wsd_upstream@mediatek.com>,
CC Hwang <cc.hwang@mediatek.com>,
Loda Chou <loda.chou@mediatek.com>,
Al Viro <viro@zeniv.linux.org.uk>, <stable@vger.kernel.org>,
<andreyknvl@google.com>, Peter Chen <peter.chen@nxp.com>,
Miles Chen <miles.chen@mediatek.com>
Subject: Re: [PATCH v4] usb: gadget: f_fs: try to fix AIO issue under ARM 64 bit TAGGED mode
Date: Thu, 27 Feb 2020 18:28:25 +0800 [thread overview]
Message-ID: <1582799305.12083.12.camel@mtkswgap22> (raw)
In-Reply-To: <20200227095521.GA3281767@arrakis.emea.arm.com>
On Thu, 2020-02-27 at 09:55 +0000, Catalin Marinas wrote:
> On Wed, Feb 26, 2020 at 08:01:52PM +0800, Macpaul Lin wrote:
> > This issue was found when adbd trying to open functionfs with AIO mode.
> > Usually, we need to set "setprop sys.usb.ffs.aio_compat 0" to enable
> > adbd with AIO mode on Android.
> >
> > When adbd is opening functionfs, it will try to read 24 bytes at the
> > first read I/O control. If this reading has been failed, adbd will
> > try to send FUNCTIONFS_CLEAR_HALT to functionfs. When adbd is in AIO
> > mode, functionfs will be acted with asyncronized I/O path. After the
> > successful read transfer has been completed by gadget hardware, the
> > following series of functions will be called.
> > ffs_epfile_async_io_complete() -> ffs_user_copy_worker() ->
> > copy_to_iter() -> _copy_to_iter() -> copyout() ->
> > iterate_and_advance() -> iterate_iovec()
> >
> > Adding debug trace to these functions, it has been found that in
> > copyout(), access_ok() will check if the user space address is valid
> > to write. However if CONFIG_ARM64_TAGGED_ADDR_ABI is enabled, adbd
> > always passes user space address start with "0x3C" to gadget's AIO
> > blocks. This tagged address will cause access_ok() check always fail.
> > Which causes later calculation in iterate_iovec() turn zero.
> > Copyout() won't copy data to user space since the length to be copied
> > "v.iov_len" will be zero. Finally leads ffs_copy_to_iter() always return
> > -EFAULT, causes adbd cannot open functionfs and send
> > FUNCTIONFS_CLEAR_HALT.
> >
> > Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
> > Cc: Peter Chen <peter.chen@nxp.com>
> > Cc: Catalin Marinas <catalin.marinas@arm.com>
> > Cc: Miles Chen <miles.chen@mediatek.com>
> > ---
> > Changes for v4:
> > - Abandon solution v3 by adding "TIF_TAGGED_ADDR" flag to gadget driver.
> > According to Catalin's suggestion, change the solution by untagging
> > user space address passed by AIO in gadget driver.
>
> Well, this was suggested in case you have a strong reason not to do the
> untagging in adbd. As I said, tagged pointers in user space were
> supported long before we introduced CONFIG_ARM64_TAGGED_ADDR_ABI. How
> did adb cope with such tagged pointers before? It was not supposed to
> pass them to the kernel.
Thank for your explanation. Since adbd was developed by Google and we
can only suggest (like, file an issue) to them. Here provides a
temporary solution for other developer to solve there needs in a short
period. Yes, I understood not supposed to pass those tagged pointers to
kernel and will also explain this to Google adbd owners.
> > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> > index ce1d023..192935f 100644
> > --- a/drivers/usb/gadget/function/f_fs.c
> > +++ b/drivers/usb/gadget/function/f_fs.c
> > @@ -715,7 +715,20 @@ static void ffs_epfile_io_complete(struct usb_ep *_ep, struct usb_request *req)
> >
> > static ssize_t ffs_copy_to_iter(void *data, int data_len, struct iov_iter *iter)
> > {
> > - ssize_t ret = copy_to_iter(data, data_len, iter);
> > + ssize_t ret;
> > +
> > +#if defined(CONFIG_ARM64)
> > + /*
> > + * Replace tagged address passed by user space application before
> > + * copying.
> > + */
> > + if (IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI) &&
> > + (iter->type == ITER_IOVEC)) {
> > + *(unsigned long *)&iter->iov->iov_base =
> > + (unsigned long)untagged_addr(iter->iov->iov_base);
> > + }
> > +#endif
> > + ret = copy_to_iter(data, data_len, iter);
>
> Here you should probably drop all the #ifdefs and IS_ENABLED checks
> since untagged_addr() is defined globally as a no-op (and overridden by
> arm64 and sparc).
>
> Please don't send another patch until we understand (a) whether this is
> a user-space problem to fix or (b) if we fix it in the kernel, is this
> the only/right place? If we settle for the in-kernel untagging, do we
> explicitly untag the addresses in such kernel threads or we default to
> TIF_TAGGED_ADDR for all kernel threads, in case they ever call use_mm()
> (or we could even hook something in use_mm() to set this TIF flag
> temporarily).
>
> Looking for feedback from the Android folk and a better analysis of the
> possible solution.
>
If we have any further update about this user space issue, I'll update
the solution to this thread for other developers who need to solve this
issue.
Thanks!
Macpaul Lin
next prev parent reply other threads:[~2020-02-27 10:28 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1582472947-22471-1-git-send-email-macpaul.lin@mediatek.com>
2020-02-25 10:41 ` [PATCH v3] usb: gadget: f_fs: try to fix AIO issue under ARM 64 bit TAGGED mode Macpaul Lin
2020-02-25 11:07 ` Miles Chen
2020-02-25 11:52 ` Catalin Marinas
2020-02-26 12:01 ` [PATCH v4] " Macpaul Lin
2020-02-27 9:55 ` Catalin Marinas
2020-02-27 10:28 ` Macpaul Lin [this message]
2020-02-28 16:48 ` Catalin Marinas
2020-03-01 3:20 ` Macpaul Lin
2020-03-02 16:19 ` Catalin Marinas
[not found] ` <CAFKCwrj-0aQN_cUxf8=h7AbfS_rLEwxqePZN2kGHZxgWi2=ncw@mail.gmail.com>
2020-03-04 2:42 ` Macpaul Lin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1582799305.12083.12.camel@mtkswgap22 \
--to=macpaul.lin@mediatek.com \
--cc=andreyknvl@google.com \
--cc=andrzej.p@collabora.com \
--cc=catalin.marinas@arm.com \
--cc=cc.hwang@mediatek.com \
--cc=jingx.shen@intel.com \
--cc=john.stultz@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-usb@vger.kernel.org \
--cc=loda.chou@mediatek.com \
--cc=matthias.bgg@gmail.com \
--cc=miles.chen@mediatek.com \
--cc=peter.chen@nxp.com \
--cc=plr.vincent@gmail.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wsd_upstream@mediatek.com \
--cc=zhangjerry@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox