Re: [PATCH v2] usb: dwc3: gadget: Avoid canceling current request for queuing error
From: Thinh Nguyen
Date: Wed May 05 2021 - 15:06:56 EST
Felipe Balbi wrote:
>
> Hi,
>
> Wesley Cheng <wcheng@xxxxxxxxxxxxxx> writes:
>> On 5/3/2021 7:20 PM, Thinh Nguyen wrote:
>>> Hi,
>>>
>>> Wesley Cheng wrote:
>>>> If an error is received when issuing a start or update transfer
>>>> command, the error handler will stop all active requests (including
>>>> the current USB request), and call dwc3_gadget_giveback() to notify
>>>> function drivers of the requests which have been stopped. Avoid
>>>> having to cancel the current request which is trying to be queued, as
>>>> the function driver will handle the EP queue error accordingly.
>>>> Simply unmap the request as it was done before, and allow previously
>>>> started transfers to be cleaned up.
>>>>
>>
>> Hi Thinh,
>>
>>>
>>> It looks like you're still letting dwc3 stopping and cancelling all the
>>> active requests instead letting the function driver doing the dequeue.
>>>
>>
>> Yeah, main issue isn't due to the function driver doing dequeue, but
>> having cleanup (ie USB request free) if there is an error during
>> usb_ep_queue().
>>
>> The function driver in question at the moment is the f_fs driver in AIO
>> mode. When async IO is enabled in the FFS driver, every time it queues
>> a packet, it will allocate a io_data struct beforehand. If the
>> usb_ep_queue() fails it will free this io_data memory. Problem is that,
>> since the DWC3 gadget calls the completion with -ECONNRESET, the FFS
>> driver will also schedule a work item (within io_data struct) to handle
>> the completion. So you end up with a flow like below
>>
>> allocate io_data (ffs)
>> --> usb_ep_queue()
>> --> __dwc3_gadget_kick_transfer()
>> --> dwc3_send_gadget_ep_cmd(EINVAL)
>> --> dwc3_gadget_ep_cleanup_cancelled_requests()
>> --> dwc3_gadget_giveback(ECONNRESET)
>> ffs completion callback
>> queue work item within io_data
>> --> usb_ep_queue returns EINVAL
>> ffs frees io_data
>> ...
>>
>> work scheduled
>> --> NULL pointer/memory fault as io_data is freed
>
> I have some vague memory of discussing (something like) this with Alan
> Stern long ago and the conclusion was that the gadget driver should
> handle cases such as this. OTOH, we're returning failure during
> usb_ep_queue() which tells me there's something with dwc3 (perhaps not
> exclusively, but that's yet to be shown).
>
> If I understood the whole thing correctly, we want everything except the
> current request (the one that failed START or UPDATE transfer) to go
> through giveback(). This really tells me that we're not handling error
> case in kick_transfer and/or prepare_trbs() correctly.
>
> I also don't want to pass another argument to kick_transfer because it
> should be unnecessary: the current request should *always* be the last
> one in the list. Therefore we should rely on something like
> list_last_entry() followed by list_for_each_entry_safe_reverse() to
> handle this without a special case.
>
> ret = dwc3_send_gadget_ep_cmd();
> if (ret < 0) {
> current = list_last_entry();
>
> unmap(current);
> for_each_trb_in(current) {
> clear_HWO(trb);
> }
>
> list_for_entry_safe_reverse() {
> move_cancelled();
> }
> }
>
Hi Felipe,
This won't work. The queued request may not have left the pending_list
and never started at all (e.g. due to no available TRB). So we can't
simply get the last entry of whichever list without checking which
request is being queued. See my suggestions and response to Alan's comment.
Thanks,
Thinh