Re: [PATCH] xhci: guard accesses to ep_state in xhci_endpoint_reset()

From: Jonathan Bell
Date: Wed Sep 01 2021 - 14:52:24 EST

Next message: F.A. SULAIMAN: "Re: [PATCH] staging: rtl8723bs: fix memory leak error"
Previous message: Alex Deucher: "Re: [git pull] drm for 5.15-rc1"
In reply to: Phil Elwell: "Re: [PATCH] xhci: guard accesses to ep_state in xhci_endpoint_reset()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 1 Sept 2021 at 14:15, Phil Elwell <phil@xxxxxxxxxxxxxxx> wrote:
>
> Hi Mathias,
>
> On 01/09/2021 10:21, Mathias Nyman wrote:
> > On 31.8.2021 19.02, Phil Elwell wrote:
> >> From: Jonathan Bell <jonathan@xxxxxxxxxxxxxxx>
> >>
> >> See https://github.com/raspberrypi/linux/issues/3981
> >
> > Thanks, so in a nutshell the issue looks something like:
> >
> > [827586.220071] xhci_hcd 0000:01:00.0: WARN Cannot submit Set TR Deq Ptr
> > [827586.220087] xhci_hcd 0000:01:00.0: A Set TR Deq Ptr command is pending.
> > [827723.160680] INFO: task usb-storage:93 blocked for more than 122 seconds.
> >
> > The blocked task is probably because xhci driver failed to give back the
> > URB after failing to submit a "Set TR Deq Ptr" command. This part should
> > be fixed in:
> > https://lore.kernel.org/r/20210820123503.2605901-4-mathias.nyman@xxxxxxxxxxxxxxx
> > which is currently in usb-next, and should be in 5.15-rc1 and future 5.12+ stable.
> >
> >>
> >> Two read-modify-write cycles on ep->ep_state are not guarded by
> >> xhci->lock. Fix these.
> >>
> >
> > This is probably one cause for the "Warn Cannot submit Set TR Deq Ptr A Set TR
> > Deq Ptr command is pending" message.
> > Another possibility is that with UAS and streams we have several transfer rings
> > per endpoint, meaning that if two TDs on separate stream rings on the same
> > endpoint both stall, or are cancelled we could see this message.
> >
> > The SET_DEQ_PENDING flag in ep->ep_state should probably be per ring, not per
> > endpoint. Then we also need a "rings_with_pending_set_deq" counter per endpoint
> > to keep track when all set_tr_deq commands complete, and we can restart the endpoint
>
> Jonathan, the author of the patch, may give some detailed feedback on these
> statements when he has a moment - "Well, sort of... it's complicated" was the
> summary.

The bug in this case was apparent only on usb-storage devices, so no streams.
The testcase in the linked github issue repeatedly invoked smartctl on
a device that didn't
support that particular ATA command so stalled the endpoint.

The unguarded read-modify-write raced with the completion of the Set
TR Deq command
being executed by the controller, and the SET_DEQ_PENDING flag would
get overwritten
with an invalid '1'.

I've not investigated how the xhci driver responds to stalls on stream
endpoints in detail
as I've not seen any user reports of uas active and this error message
appearing, but in
a wider context, getting a stall on a streaming endpoint on a Pi 4
seems to be generally
fatal until the device receives a reset and I've not determined which
of the HCD, controller,
or device is stuck.

Thanks
Jonathan

Next message: F.A. SULAIMAN: "Re: [PATCH] staging: rtl8723bs: fix memory leak error"
Previous message: Alex Deucher: "Re: [git pull] drm for 5.15-rc1"
In reply to: Phil Elwell: "Re: [PATCH] xhci: guard accesses to ep_state in xhci_endpoint_reset()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]