| Message ID | 699a342b618611be834b06d9d64abae7d01486cd.1666661013.git.Thinh.Nguyen@synopsys.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | usb: dwc3: gadget: Fix isoc interrupt check | expand |
On Mon, Oct 24, 2022 at 06:27:57PM -0700, Thinh Nguyen wrote: > When servicing a transfer completion event, the dwc3 driver will reclaim > TRBs of started requests up to the request associated with the interrupt > event. Currently we don't check for interrupt due to missed isoc, and > the driver may attempt to reclaim TRBs beyond the associated event. This > causes invalid memory access when the hardware still owns the TRB. If > there's a missed isoc TRB with IMI (interrupt on missed isoc), make sure > to stop servicing further. > > Note that only the last TRB of chained TRBs has its status updated with > missed isoc. > > Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") > Cc: stable@vger.kernel.org > Reported-by: Jeff Vanhoof <jdv1029@gmail.com> > Reported-by: Dan Vacura <w36195@motorola.com> > Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> > --- > Changes in v2: > - No need to check for CHN=0 since only the last TRB has its status > updated to missed isoc > > drivers/usb/dwc3/gadget.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c > index dd8ecbe61bec..230b3c660054 100644 > --- a/drivers/usb/dwc3/gadget.c > +++ b/drivers/usb/dwc3/gadget.c > @@ -3248,6 +3248,10 @@ static int dwc3_gadget_ep_reclaim_completed_trb(struct dwc3_ep *dep, > if (event->status & DEPEVT_STATUS_SHORT && !chain) > return 1; > > + if ((trb->ctrl & DWC3_TRB_CTRL_ISP_IMI) && > + DWC3_TRB_SIZE_TRBSTS(trb->size) == DWC3_TRBSTS_MISSED_ISOC) > + return 1; > + > if ((trb->ctrl & DWC3_TRB_CTRL_IOC) || > (trb->ctrl & DWC3_TRB_CTRL_LST)) > return 1; > -- > 2.28.0 > Testing shows that the changes appear to work to prevent the arm-smmu panic I was seeing after missed isoc errors. Also, changes to reclaim trbs only up to the associated interrupt event make sense. Reviewed-by: Jeff Vanhoof <jdv1029@gmail.com> Tested-by: Jeff Vanhoof <jdv1029@gmail.com> Regards, Jeff
Hi Thinh, On Mon, Oct 24, 2022 at 11:45:48PM -0500, Jeff Vanhoof wrote: > On Mon, Oct 24, 2022 at 06:27:57PM -0700, Thinh Nguyen wrote: > > When servicing a transfer completion event, the dwc3 driver will reclaim > > TRBs of started requests up to the request associated with the interrupt > > event. Currently we don't check for interrupt due to missed isoc, and > > the driver may attempt to reclaim TRBs beyond the associated event. This > > causes invalid memory access when the hardware still owns the TRB. If > > there's a missed isoc TRB with IMI (interrupt on missed isoc), make sure > > to stop servicing further. > > > > Note that only the last TRB of chained TRBs has its status updated with > > missed isoc. > > > > Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") > > Cc: stable@vger.kernel.org > > Reported-by: Jeff Vanhoof <jdv1029@gmail.com> > > Reported-by: Dan Vacura <w36195@motorola.com> > > Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> > > --- > > Changes in v2: > > - No need to check for CHN=0 since only the last TRB has its status > > updated to missed isoc > > > > drivers/usb/dwc3/gadget.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c > > index dd8ecbe61bec..230b3c660054 100644 > > --- a/drivers/usb/dwc3/gadget.c > > +++ b/drivers/usb/dwc3/gadget.c > > @@ -3248,6 +3248,10 @@ static int dwc3_gadget_ep_reclaim_completed_trb(struct dwc3_ep *dep, > > if (event->status & DEPEVT_STATUS_SHORT && !chain) > > return 1; > > > > + if ((trb->ctrl & DWC3_TRB_CTRL_ISP_IMI) && > > + DWC3_TRB_SIZE_TRBSTS(trb->size) == DWC3_TRBSTS_MISSED_ISOC) > > + return 1; > > + > > if ((trb->ctrl & DWC3_TRB_CTRL_IOC) || > > (trb->ctrl & DWC3_TRB_CTRL_LST)) > > return 1; > > -- > > 2.28.0 > > > > Testing shows that the changes appear to work to prevent the arm-smmu panic I > was seeing after missed isoc errors. Also, changes to reclaim trbs only up to > the associated interrupt event make sense. > > Reviewed-by: Jeff Vanhoof <jdv1029@gmail.com> > Tested-by: Jeff Vanhoof <jdv1029@gmail.com> > > Regards, > Jeff > I just followed up with Dan and he mentioned that he was still seeing the arm-smmu panic on his baseline. I will work with him this afternoon to better understand what may be going on there. Let's hold off on merging these changes in until we figure out what is going on. He and I are testing off of different baselines (5.10 vs 5.15), different USB speeds (USB 3 vs 2), and are using different hardware, so I don't know yet why we are seeing a difference here. Regards, Jeff
Hi Thinh, On Tue, Oct 25, 2022 at 11:42:37AM -0500, Jeff Vanhoof wrote: > Hi Thinh, > > On Mon, Oct 24, 2022 at 11:45:48PM -0500, Jeff Vanhoof wrote: > > On Mon, Oct 24, 2022 at 06:27:57PM -0700, Thinh Nguyen wrote: > > > When servicing a transfer completion event, the dwc3 driver will reclaim > > > TRBs of started requests up to the request associated with the interrupt > > > event. Currently we don't check for interrupt due to missed isoc, and > > > the driver may attempt to reclaim TRBs beyond the associated event. This > > > causes invalid memory access when the hardware still owns the TRB. If > > > there's a missed isoc TRB with IMI (interrupt on missed isoc), make sure > > > to stop servicing further. > > > > > > Note that only the last TRB of chained TRBs has its status updated with > > > missed isoc. > > > > > > Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") > > > Cc: stable@vger.kernel.org > > > Reported-by: Jeff Vanhoof <jdv1029@gmail.com> > > > Reported-by: Dan Vacura <w36195@motorola.com> > > > Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> > > > --- > > > Changes in v2: > > > - No need to check for CHN=0 since only the last TRB has its status > > > updated to missed isoc > > > > > > drivers/usb/dwc3/gadget.c | 4 ++++ > > > 1 file changed, 4 insertions(+) > > > > > > diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c > > > index dd8ecbe61bec..230b3c660054 100644 > > > --- a/drivers/usb/dwc3/gadget.c > > > +++ b/drivers/usb/dwc3/gadget.c > > > @@ -3248,6 +3248,10 @@ static int dwc3_gadget_ep_reclaim_completed_trb(struct dwc3_ep *dep, > > > if (event->status & DEPEVT_STATUS_SHORT && !chain) > > > return 1; > > > > > > + if ((trb->ctrl & DWC3_TRB_CTRL_ISP_IMI) && > > > + DWC3_TRB_SIZE_TRBSTS(trb->size) == DWC3_TRBSTS_MISSED_ISOC) > > > + return 1; > > > + > > > if ((trb->ctrl & DWC3_TRB_CTRL_IOC) || > > > (trb->ctrl & DWC3_TRB_CTRL_LST)) > > > return 1; > > > -- > > > 2.28.0 > > > > > > > Testing shows that the changes appear to work to prevent the arm-smmu panic I > > was seeing after missed isoc errors. Also, changes to reclaim trbs only up to > > the associated interrupt event make sense. > > > > Reviewed-by: Jeff Vanhoof <jdv1029@gmail.com> > > Tested-by: Jeff Vanhoof <jdv1029@gmail.com> > > > > Regards, > > Jeff > > > > I just followed up with Dan and he mentioned that he was still seeing the arm-smmu panic on his baseline. I will work with him this afternoon to better understand what may be going on there. Let's hold off on merging these changes in until we figure out what is going on. He and I are testing off of different baselines (5.10 vs 5.15), different USB speeds (USB 3 vs 2), and are using different hardware, so I don't know yet why we are seeing a difference here. > > Regards, > Jeff > Between the changes for PATCH v2 1/2 & PATCH v2 2/2, are there any extra precautions required for when scatter gather is in use? Should the IMI bit be set only for the last item in the sg list? I suspect something in this area but I have no proof yet. Your thoughts? Thanks, Jeff
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index dd8ecbe61bec..230b3c660054 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -3248,6 +3248,10 @@ static int dwc3_gadget_ep_reclaim_completed_trb(struct dwc3_ep *dep, if (event->status & DEPEVT_STATUS_SHORT && !chain) return 1; + if ((trb->ctrl & DWC3_TRB_CTRL_ISP_IMI) && + DWC3_TRB_SIZE_TRBSTS(trb->size) == DWC3_TRBSTS_MISSED_ISOC) + return 1; + if ((trb->ctrl & DWC3_TRB_CTRL_IOC) || (trb->ctrl & DWC3_TRB_CTRL_LST)) return 1;
When servicing a transfer completion event, the dwc3 driver will reclaim TRBs of started requests up to the request associated with the interrupt event. Currently we don't check for interrupt due to missed isoc, and the driver may attempt to reclaim TRBs beyond the associated event. This causes invalid memory access when the hardware still owns the TRB. If there's a missed isoc TRB with IMI (interrupt on missed isoc), make sure to stop servicing further. Note that only the last TRB of chained TRBs has its status updated with missed isoc. Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") Cc: stable@vger.kernel.org Reported-by: Jeff Vanhoof <jdv1029@gmail.com> Reported-by: Dan Vacura <w36195@motorola.com> Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> --- Changes in v2: - No need to check for CHN=0 since only the last TRB has its status updated to missed isoc drivers/usb/dwc3/gadget.c | 4 ++++ 1 file changed, 4 insertions(+)