[PATCH V2] usb: dwc3: gadget: trb_dequeue is not updated properly

From: fei . yang
Date: Wed Jul 17 2019 - 16:53:20 EST

Next message: Thomas Gleixner: "Re: regression with napi/softirq ?"
Previous message: Joel Fernandes: "Re: [PATCH RFC v1] pidfd: fix a race in setting exit_state for pidfd polling"
Next in thread: Felipe Balbi: "Re: [PATCH V2] usb: dwc3: gadget: trb_dequeue is not updated properly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Fei Yang <fei.yang@xxxxxxxxx>

If scatter-gather operation is allowed, a large USB request would be split
into multiple TRBs. These TRBs are chained up by setting DWC3_TRB_CTRL_CHN
bit except the last one which has DWC3_TRB_CTRL_IOC bit set instead.
Since only the last TRB has IOC set, dwc3_gadget_ep_reclaim_completed_trb()
would be called only once for the whole USB request, thus all the TRBs need
to be reclaimed within this single call. However that is not what the current
code does.

This patch addresses the issue by checking each TRB in function
dwc3_gadget_ep_reclaim_trb_sg() and reclaiming the chained ones right there.
Only the last TRB gets passed to dwc3_gadget_ep_reclaim_completed_trb(). This
would guarantee all TRBs are reclaimed and trb_dequeue/num_trbs are updated
properly.

Signed-off-by: Fei Yang <fei.yang@xxxxxxxxx>
Cc: stable <stable@xxxxxxxxxxxxxxx>
---

V2: Better solution is to reclaim chained TRBs in dwc3_gadget_ep_reclaim_trb_sg()
and leave the last TRB to the dwc3_gadget_ep_reclaim_completed_trb().

---

drivers/usb/dwc3/gadget.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 173f532..c0662c2 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2404,7 +2404,7 @@ static int dwc3_gadget_ep_reclaim_trb_sg(struct dwc3_ep *dep,
struct dwc3_request *req, const struct dwc3_event_depevt *event,
int status)
{
- struct dwc3_trb *trb = &dep->trb_pool[dep->trb_dequeue];
+ struct dwc3_trb *trb;
struct scatterlist *sg = req->sg;
struct scatterlist *s;
unsigned int pending = req->num_pending_sgs;
@@ -2419,7 +2419,15 @@ static int dwc3_gadget_ep_reclaim_trb_sg(struct dwc3_ep *dep,

req->sg = sg_next(s);
req->num_pending_sgs--;
+ if (!(trb->ctrl & DWC3_TRB_CTRL_IOC)) {
+ /* reclaim the TRB without calling
+ * dwc3_gadget_ep_reclaim_completed_trb */
+ dwc3_ep_inc_deq(dep);
+ req->num_trbs--;
+ continue;
+ }

+ /* Only the last TRB in the sg list would reach here */
ret = dwc3_gadget_ep_reclaim_completed_trb(dep, req,
trb, event, status, true);
if (ret)
--
2.7.4

Next message: Thomas Gleixner: "Re: regression with napi/softirq ?"
Previous message: Joel Fernandes: "Re: [PATCH RFC v1] pidfd: fix a race in setting exit_state for pidfd polling"
Next in thread: Felipe Balbi: "Re: [PATCH V2] usb: dwc3: gadget: trb_dequeue is not updated properly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]