Message ID | 20230912041910.726442-1-arakesh@google.com |
---|---|
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9ecd:0:b0:3f2:4152:657d with SMTP id t13csp190646vqx; Mon, 11 Sep 2023 22:38:16 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFJN71NhGuPtvrS6pE5SD6Y0psZAVqihA4IZ15E0dJg7QoxVYH9nOZi97VhfGHIuIGHkvrt X-Received: by 2002:a05:6a21:7742:b0:14c:9b51:f1fc with SMTP id bc2-20020a056a21774200b0014c9b51f1fcmr9510946pzc.61.1694497096499; Mon, 11 Sep 2023 22:38:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1694497096; cv=none; d=google.com; s=arc-20160816; b=qxLMskEI62wzKkPnEUWaeUWgU4aifZCgCf0lUiM764B90BxrWNPMAa5PJsp93VOeHH s9FoaWZa+FDdgX/APKTG64RNrRhKf3MZss5vBnRb6npkQQCOX+ik5OabdHVrOhzXV7oK FqrvlrY6Uzg89WbwqPIH6NSQYKnBVmoNv4E0EfkgE8qYT67VEfFxFwabWhiEjLhnVqtH xBgwGxTqiCUyZIVeQZaRhbzDkxpSna12/SEg3Dio73VFMBJDCxNXT18IUyFNLi/WElai 5Ys1Z35XVSlGCDR2TRiz6d3U4Db+qJ6JcsempE1xpNjbperZZUXtAWTacedhXL2bCOKl vjzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:mime-version:date :dkim-signature; bh=8bQIDDMeJOvnkHBSHpviPM53nQLzWxLl8V8lczrc7P4=; fh=QvX9MTmnaAE6jfh4r/Rtm06n4Sfej0NUOiMyXoms1KM=; b=dJlNWXAelYrEAo6XfOQDukR4eDv7e5ISgPk6QkZ5MABF7v7QxkUXVN5cm69FF6/0pf XY2XOGF9Bjz7RseUd4RQW4i8GzIH7iwPO51fd0gDT2zwIbFkfKEEF0xk4daC0bauNi2h HCrNgg4hR1O9eDAX39PcUrhXNRfUCARE5QvlJIKLn9vRuOqkR1+QhBcbapgnr2AXP+uy N+MKo8gtYimjUItZU7ei17zEfH51Sw9WcnAkMZtAaVKeXYsjKwqJmz0HsGrMzcQsl+hP vAXakvLB4C3yRlLswrDZ0Sym8SkTTh293J8BE/a9Oh1Mbilvlxm4+MnnVX/IucWz3w7q /Q6g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=vcnTIcnQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from agentk.vger.email (agentk.vger.email. [23.128.96.32]) by mx.google.com with ESMTPS id c5-20020a170902d48500b001b8698149fbsi7357069plg.477.2023.09.11.22.38.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Sep 2023 22:38:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) client-ip=23.128.96.32; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=vcnTIcnQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id 1789980CCD0F; Mon, 11 Sep 2023 21:50:54 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231847AbjILETi (ORCPT <rfc822;ruipengqi7@gmail.com> + 40 others); Tue, 12 Sep 2023 00:19:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52628 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231672AbjILETf (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Tue, 12 Sep 2023 00:19:35 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C53CD1BE for <linux-kernel@vger.kernel.org>; Mon, 11 Sep 2023 21:19:30 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id 3f1490d57ef6-d78452de9cbso4816975276.2 for <linux-kernel@vger.kernel.org>; Mon, 11 Sep 2023 21:19:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1694492369; x=1695097169; darn=vger.kernel.org; h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject :date:message-id:reply-to; bh=8bQIDDMeJOvnkHBSHpviPM53nQLzWxLl8V8lczrc7P4=; b=vcnTIcnQs09CNgXh4Yr6/iN9kRK7a4j413YEvYescMwBWS9B3hAvMO+CFtRe4v+9l2 z7WqqwAV+bvOU96/UrJUHerBWEEGwU4BpFON14UL1cpNe48hpa9I/0wVa+VKamDTpqW7 M8dAakBs4mbXcSniTkb+WzxqfH6jMVMRzui2umdP2I27/CGN9LWM80eY1wSRkPXo507N YxlTv2J+jMS6XbSMBDv/aESh9Ch6PAqC8RBhBT/IxHPDvDk7AiEMzZLspa+KSQI4aPSx G+rkcJgANtRBeCu4mYPSP2vmXo3xnK4Q5MIxnsYFUpSRZQsqMEF3er9vK1XtbXECEhbx p3XA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694492369; x=1695097169; h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=8bQIDDMeJOvnkHBSHpviPM53nQLzWxLl8V8lczrc7P4=; b=Xx/jcACaN5RYSZDOrTXYlhxfxMhgkFVGcR4fSjsvCA0MVvkZBqKR2SsqO3wkXWZtc+ wmuuGycSzrdwfxKWtk6NiOSHtA5PW53VXFnGemkHwjJ4bB4mVbG/bAafLJ9UmOXsUMEc Gi/MKRJ4Hh02P1B/xl4micJppTEghdM8DSddqMDMB5BRrc7hL9kIVzQY7p3+SE/50mTp kf116DeucEuLMKVkHuY5aFmY9j1PRc48cEFywHPfGw1pbxi4+48TAPHMciWP1jLORdjq iO6CmtqvngeUVRCE849vU/2gYYRaB+i5cQd3fiKk0KjpVe/WNK4DNxJlrh9GoiRzNdZj 0GVg== X-Gm-Message-State: AOJu0YwZxtW63G6DrmoxNmMTpDkjd4pccX2BeuHni6Hy6VqxTowj68Hs t/Ey3iHnou0yr9mLvI6IOIzJbbR8uJUQ X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a5b:1cb:0:b0:d77:ff06:b58b with SMTP id f11-20020a5b01cb000000b00d77ff06b58bmr258526ybp.10.1694492369636; Mon, 11 Sep 2023 21:19:29 -0700 (PDT) Date: Mon, 11 Sep 2023 21:19:08 -0700 Mime-Version: 1.0 X-Mailer: git-send-email 2.42.0.283.g2d96d420d3-goog Message-ID: <20230912041910.726442-1-arakesh@google.com> Subject: [PATCH v1 0/2] usb: gadget: uvc: stability fixes when stopping streams From: Avichal Rakesh <arakesh@google.com> To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Daniel Scally <dan.scally@ideasonboard.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Michael Grzeschik <m.grzeschik@pengutronix.de> Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Avichal Rakesh <arakesh@google.com> Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Mon, 11 Sep 2023 21:50:54 -0700 (PDT) X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1776808987254092157 X-GMAIL-MSGID: 1776808987254092157 |
Series |
usb: gadget: uvc: stability fixes when stopping streams
|
|
Message
Avichal Rakesh
Sept. 12, 2023, 4:19 a.m. UTC
We have been seeing two main bugs when stopping stream: 1. attempting to queue usb_requests on a disabled usb endpoint, and 2. use-after-free problems for inflight requests Avichal Rakesh (2): usb: gadget: uvc: prevent use of disabled endpoint usb: gadget: uvc: prevent de-allocating inflight usb_requests drivers/usb/gadget/function/f_uvc.c | 11 ++++---- drivers/usb/gadget/function/f_uvc.h | 2 +- drivers/usb/gadget/function/uvc.h | 5 +++- drivers/usb/gadget/function/uvc_v4l2.c | 21 ++++++++++++--- drivers/usb/gadget/function/uvc_video.c | 34 +++++++++++++++++++++++-- 5 files changed, 60 insertions(+), 13 deletions(-) -- 2.42.0.283.g2d96d420d3-goog
Comments
On Mon, Sep 11, 2023 at 9:19 PM Avichal Rakesh <arakesh@google.com> wrote: > > We have been seeing two main bugs when stopping stream: > 1. attempting to queue usb_requests on a disabled usb endpoint, and > 2. use-after-free problems for inflight requests > > Avichal Rakesh (2): > usb: gadget: uvc: prevent use of disabled endpoint > usb: gadget: uvc: prevent de-allocating inflight usb_requests > > drivers/usb/gadget/function/f_uvc.c | 11 ++++---- > drivers/usb/gadget/function/f_uvc.h | 2 +- > drivers/usb/gadget/function/uvc.h | 5 +++- > drivers/usb/gadget/function/uvc_v4l2.c | 21 ++++++++++++--- > drivers/usb/gadget/function/uvc_video.c | 34 +++++++++++++++++++++++-- > 5 files changed, 60 insertions(+), 13 deletions(-) > Bumping this thread up. Laurent, Dan, and Michael could you take a look? Thank you! - Avi.
Hi Avichal On Thu, Sep 14, 2023 at 04:05:36PM -0700, Avichal Rakesh wrote: >On Mon, Sep 11, 2023 at 9:19 PM Avichal Rakesh <arakesh@google.com> wrote: >> >> We have been seeing two main bugs when stopping stream: >> 1. attempting to queue usb_requests on a disabled usb endpoint, and >> 2. use-after-free problems for inflight requests >> >> Avichal Rakesh (2): >> usb: gadget: uvc: prevent use of disabled endpoint >> usb: gadget: uvc: prevent de-allocating inflight usb_requests >> >> drivers/usb/gadget/function/f_uvc.c | 11 ++++---- >> drivers/usb/gadget/function/f_uvc.h | 2 +- >> drivers/usb/gadget/function/uvc.h | 5 +++- >> drivers/usb/gadget/function/uvc_v4l2.c | 21 ++++++++++++--- >> drivers/usb/gadget/function/uvc_video.c | 34 +++++++++++++++++++++++-- >> 5 files changed, 60 insertions(+), 13 deletions(-) >> > >Bumping this thread up. Laurent, Dan, and Michael could you take a look? I tested the patches against my setup and it did not help. In fact I saw two different issues when calling the streamoff event. One issue was a stalled pipeline after the streamoff from the host came in. The streaming application did not handle any events anymore. The second issue was when the streamoff event is triggered sometimes the following trace is shown, even with your patches applied. [ 104.202689] Unable to handle kernel paging request at virtual address 005bf43a692a5fd5 [ 104.235122] Mem abort info: [ 104.238257] ESR = 0x0000000096000004 [ 104.242449] EC = 0x25: DABT (current EL), IL = 32 bits [ 104.248391] SET = 0, FnV = 0 [ 104.251803] EA = 0, S1PTW = 0 [ 104.255313] FSC = 0x04: level 0 translation fault [ 104.260765] Data abort info: [ 104.263982] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 104.270114] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 104.275760] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 104.281698] [005bf43a692a5fd5] address between user and kernel address ranges [ 104.290042] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 104.297060] Dumping ftrace buffer: [ 104.300869] (ftrace buffer empty) [ 104.304862] Modules linked in: st1232 hantro_vpu v4l2_vp9 v4l2_h264 uio_pdrv_genirq fuse [last unloaded: rockchip_vpu(C)] [ 104.312080] panfrost fde60000.gpu: Panfrost Dump: BO has no sgt, cannot dump [ 104.317137] CPU: 0 PID: 465 Comm: irq/46-dwc3 Tainted: G C 6.5.0-20230831-2+ #5 [ 104.317144] Hardware name: WolfVision PF5 (DT) [ 104.317148] pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 104.317154] pc : __list_del_entry_valid+0x48/0xe8 [ 104.352728] lr : dwc3_gadget_giveback+0x3c/0x1b0 [ 104.357893] sp : ffffffc08381bc60 [ 104.361593] x29: ffffffc08381bc60 x28: ffffff80047d4000 x27: ffffff80047de440 [ 104.369576] x26: 0000000000000000 x25: ffffffc08135b2d0 x24: ffffffc08381bd00 [ 104.377559] x23: 00000000ffffff98 x22: ffffff8004204880 x21: ffffff80047d4000 [ 104.385541] x20: ffffff800718dea0 x19: ffffff800718dea0 x18: 0000000000000000 [ 104.393523] x17: 7461747320687469 x16: 7720646574656c70 x15: 6d6f632074736575 [ 104.401504] x14: 716572205356203a x13: 2e3430312d207375 x12: 7461747320687469 [ 104.409486] x11: ffffffc0815c98f0 x10: 0000000000000000 x9 : ffffffc0808f4fa0 [ 104.417468] x8 : ffffffc082415000 x7 : ffffffc0808f4e2c x6 : ffffffc0823d0928 [ 104.425450] x5 : 0000000000000282 x4 : 0000000000000201 x3 : d85bf43a692a5fcd [ 104.433431] x2 : ffffff80047d4048 x1 : ffffff800718dea0 x0 : dead000000000122 [ 104.441413] Call trace: [ 104.444142] __list_del_entry_valid+0x48/0xe8 [ 104.449013] dwc3_gadget_giveback+0x3c/0x1b0 [ 104.453786] dwc3_gadget_ep_cleanup_cancelled_requests+0xe0/0x170 [ 104.460599] dwc3_process_event_buf+0x2a8/0xbb0 [ 104.465662] dwc3_thread_interrupt+0x4c/0x90 [ 104.470435] irq_thread_fn+0x34/0xb8 [ 104.474431] irq_thread+0x1a0/0x290 [ 104.478327] kthread+0x10c/0x120 [ 104.481933] ret_from_fork+0x10/0x20 The error path triggering these list errors are usually in the dwc3 driver handling the cancelled or completed list. Regards, Michael
On 9/15/23 16:16, Michael Grzeschik wrote: > Hi Avichal > > On Thu, Sep 14, 2023 at 04:05:36PM -0700, Avichal Rakesh wrote: >> On Mon, Sep 11, 2023 at 9:19 PM Avichal Rakesh <arakesh@google.com> wrote: >>> >>> We have been seeing two main bugs when stopping stream: >>> 1. attempting to queue usb_requests on a disabled usb endpoint, and >>> 2. use-after-free problems for inflight requests >>> >>> Avichal Rakesh (2): >>> usb: gadget: uvc: prevent use of disabled endpoint >>> usb: gadget: uvc: prevent de-allocating inflight usb_requests >>> >>> drivers/usb/gadget/function/f_uvc.c | 11 ++++---- >>> drivers/usb/gadget/function/f_uvc.h | 2 +- >>> drivers/usb/gadget/function/uvc.h | 5 +++- >>> drivers/usb/gadget/function/uvc_v4l2.c | 21 ++++++++++++--- >>> drivers/usb/gadget/function/uvc_video.c | 34 +++++++++++++++++++++++-- >>> 5 files changed, 60 insertions(+), 13 deletions(-) >>> >> >> Bumping this thread up. Laurent, Dan, and Michael could you take a look? > > I tested the patches against my setup and it did not help. Thank you for testing the patch, I really appreciate your help in testing the patches! > > In fact I saw two different issues when calling the streamoff event. > > One issue was a stalled pipeline after the streamoff from the host came in. > The streaming application did not handle any events anymore. This sounds like uvc_function_setup_continue was never called, so no more control events were queued for the userspace to handle. This is a little bit of a shot in the dark: if you are not using the Laurent's uvc-gadget (https://git.ideasonboard.org/uvc-gadget.git) on the gadget, could you check that your userspace application (on the gadget side) calls VIDIOC_STREAMOFF when handling UVC_EVENT_STREAMOFF? This is similar to how it should called VIDIOC_STREAMON when handling UVC_EVENT_STREAMON. Before my patch, I think UVC gadget driver is functionally fine with userspace application not calling VIDIOC_STREAMOFF. However, my patch prevents the host from making any more control requests until the gadget's userspace application calls VIDIOC_STREAMOFF, which looks like a stalled control ep. > > The second issue was when the streamoff event is triggered sometimes the > following trace is shown, even with your patches applied. > > > [ 104.202689] Unable to handle kernel paging request at virtual address 005bf43a692a5fd5 > [ 104.235122] Mem abort info: > [ 104.238257] ESR = 0x0000000096000004 > [ 104.242449] EC = 0x25: DABT (current EL), IL = 32 bits > [ 104.248391] SET = 0, FnV = 0 > [ 104.251803] EA = 0, S1PTW = 0 > [ 104.255313] FSC = 0x04: level 0 translation fault > [ 104.260765] Data abort info: > [ 104.263982] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 > [ 104.270114] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 > [ 104.275760] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 > [ 104.281698] [005bf43a692a5fd5] address between user and kernel address ranges > [ 104.290042] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP > [ 104.297060] Dumping ftrace buffer: > [ 104.300869] (ftrace buffer empty) > [ 104.304862] Modules linked in: st1232 hantro_vpu v4l2_vp9 v4l2_h264 uio_pdrv_genirq fuse [last unloaded: rockchip_vpu(C)] > [ 104.312080] panfrost fde60000.gpu: Panfrost Dump: BO has no sgt, cannot dump > [ 104.317137] CPU: 0 PID: 465 Comm: irq/46-dwc3 Tainted: G C 6.5.0-20230831-2+ #5 > [ 104.317144] Hardware name: WolfVision PF5 (DT) > [ 104.317148] pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) > [ 104.317154] pc : __list_del_entry_valid+0x48/0xe8 > [ 104.352728] lr : dwc3_gadget_giveback+0x3c/0x1b0 > [ 104.357893] sp : ffffffc08381bc60 > [ 104.361593] x29: ffffffc08381bc60 x28: ffffff80047d4000 x27: ffffff80047de440 > [ 104.369576] x26: 0000000000000000 x25: ffffffc08135b2d0 x24: ffffffc08381bd00 > [ 104.377559] x23: 00000000ffffff98 x22: ffffff8004204880 x21: ffffff80047d4000 > [ 104.385541] x20: ffffff800718dea0 x19: ffffff800718dea0 x18: 0000000000000000 > [ 104.393523] x17: 7461747320687469 x16: 7720646574656c70 x15: 6d6f632074736575 > [ 104.401504] x14: 716572205356203a x13: 2e3430312d207375 x12: 7461747320687469 > [ 104.409486] x11: ffffffc0815c98f0 x10: 0000000000000000 x9 : ffffffc0808f4fa0 > [ 104.417468] x8 : ffffffc082415000 x7 : ffffffc0808f4e2c x6 : ffffffc0823d0928 > [ 104.425450] x5 : 0000000000000282 x4 : 0000000000000201 x3 : d85bf43a692a5fcd > [ 104.433431] x2 : ffffff80047d4048 x1 : ffffff800718dea0 x0 : dead000000000122 > [ 104.441413] Call trace: > [ 104.444142] __list_del_entry_valid+0x48/0xe8 > [ 104.449013] dwc3_gadget_giveback+0x3c/0x1b0 > [ 104.453786] dwc3_gadget_ep_cleanup_cancelled_requests+0xe0/0x170 > [ 104.460599] dwc3_process_event_buf+0x2a8/0xbb0 > [ 104.465662] dwc3_thread_interrupt+0x4c/0x90 > [ 104.470435] irq_thread_fn+0x34/0xb8 > [ 104.474431] irq_thread+0x1a0/0x290 > [ 104.478327] kthread+0x10c/0x120 > [ 104.481933] ret_from_fork+0x10/0x20 > > The error path triggering these list errors are usually in the > dwc3 driver handling the cancelled or completed list. It looks like we're still freeing un-returned requests :(. If you still have the setup can you pull the uvc logs to see if waiting for requests to be returned timed out? I wonder if dwc3's interrupt handler is being scheduled too late. 500ms seemed like a reasonable time out to me, but this seems to prove otherwise. Thank you! - Avi.
On 9/15/23 18:35, Avichal Rakesh wrote: > > > On 9/15/23 16:16, Michael Grzeschik wrote: >> Hi Avichal >> >> On Thu, Sep 14, 2023 at 04:05:36PM -0700, Avichal Rakesh wrote: >>> On Mon, Sep 11, 2023 at 9:19 PM Avichal Rakesh <arakesh@google.com> wrote: >>>> >>>> We have been seeing two main bugs when stopping stream: >>>> 1. attempting to queue usb_requests on a disabled usb endpoint, and >>>> 2. use-after-free problems for inflight requests >>>> >>>> Avichal Rakesh (2): >>>> usb: gadget: uvc: prevent use of disabled endpoint >>>> usb: gadget: uvc: prevent de-allocating inflight usb_requests >>>> >>>> drivers/usb/gadget/function/f_uvc.c | 11 ++++---- >>>> drivers/usb/gadget/function/f_uvc.h | 2 +- >>>> drivers/usb/gadget/function/uvc.h | 5 +++- >>>> drivers/usb/gadget/function/uvc_v4l2.c | 21 ++++++++++++--- >>>> drivers/usb/gadget/function/uvc_video.c | 34 +++++++++++++++++++++++-- >>>> 5 files changed, 60 insertions(+), 13 deletions(-) >>>> >>> >>> Bumping this thread up. Laurent, Dan, and Michael could you take a look? >> >> I tested the patches against my setup and it did not help. > > Thank you for testing the patch, I really appreciate your help in testing the > patches! > >> >> In fact I saw two different issues when calling the streamoff event. >> >> One issue was a stalled pipeline after the streamoff from the host came in. >> The streaming application did not handle any events anymore. > > This sounds like uvc_function_setup_continue was never called, so no more control > events were queued for the userspace to handle. This is a little bit of a shot in > the dark: if you are not using the Laurent's uvc-gadget > (https://git.ideasonboard.org/uvc-gadget.git) on the gadget, could you check that > your userspace application (on the gadget side) calls VIDIOC_STREAMOFF when > handling UVC_EVENT_STREAMOFF? > > This is similar to how it should called VIDIOC_STREAMON when handling > UVC_EVENT_STREAMON. Before my patch, I think UVC gadget driver is functionally fine > with userspace application not calling VIDIOC_STREAMOFF. However, my patch prevents > the host from making any more control requests until the gadget's userspace > application calls VIDIOC_STREAMOFF, which looks like a stalled control ep. > >> >> The second issue was when the streamoff event is triggered sometimes the >> following trace is shown, even with your patches applied. >> >> >> [ 104.202689] Unable to handle kernel paging request at virtual address 005bf43a692a5fd5 >> [ 104.235122] Mem abort info: >> [ 104.238257] ESR = 0x0000000096000004 >> [ 104.242449] EC = 0x25: DABT (current EL), IL = 32 bits >> [ 104.248391] SET = 0, FnV = 0 >> [ 104.251803] EA = 0, S1PTW = 0 >> [ 104.255313] FSC = 0x04: level 0 translation fault >> [ 104.260765] Data abort info: >> [ 104.263982] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 >> [ 104.270114] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 >> [ 104.275760] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 >> [ 104.281698] [005bf43a692a5fd5] address between user and kernel address ranges >> [ 104.290042] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP >> [ 104.297060] Dumping ftrace buffer: >> [ 104.300869] (ftrace buffer empty) >> [ 104.304862] Modules linked in: st1232 hantro_vpu v4l2_vp9 v4l2_h264 uio_pdrv_genirq fuse [last unloaded: rockchip_vpu(C)] >> [ 104.312080] panfrost fde60000.gpu: Panfrost Dump: BO has no sgt, cannot dump >> [ 104.317137] CPU: 0 PID: 465 Comm: irq/46-dwc3 Tainted: G C 6.5.0-20230831-2+ #5 >> [ 104.317144] Hardware name: WolfVision PF5 (DT) >> [ 104.317148] pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) >> [ 104.317154] pc : __list_del_entry_valid+0x48/0xe8 >> [ 104.352728] lr : dwc3_gadget_giveback+0x3c/0x1b0 >> [ 104.357893] sp : ffffffc08381bc60 >> [ 104.361593] x29: ffffffc08381bc60 x28: ffffff80047d4000 x27: ffffff80047de440 >> [ 104.369576] x26: 0000000000000000 x25: ffffffc08135b2d0 x24: ffffffc08381bd00 >> [ 104.377559] x23: 00000000ffffff98 x22: ffffff8004204880 x21: ffffff80047d4000 >> [ 104.385541] x20: ffffff800718dea0 x19: ffffff800718dea0 x18: 0000000000000000 >> [ 104.393523] x17: 7461747320687469 x16: 7720646574656c70 x15: 6d6f632074736575 >> [ 104.401504] x14: 716572205356203a x13: 2e3430312d207375 x12: 7461747320687469 >> [ 104.409486] x11: ffffffc0815c98f0 x10: 0000000000000000 x9 : ffffffc0808f4fa0 >> [ 104.417468] x8 : ffffffc082415000 x7 : ffffffc0808f4e2c x6 : ffffffc0823d0928 >> [ 104.425450] x5 : 0000000000000282 x4 : 0000000000000201 x3 : d85bf43a692a5fcd >> [ 104.433431] x2 : ffffff80047d4048 x1 : ffffff800718dea0 x0 : dead000000000122 >> [ 104.441413] Call trace: >> [ 104.444142] __list_del_entry_valid+0x48/0xe8 >> [ 104.449013] dwc3_gadget_giveback+0x3c/0x1b0 >> [ 104.453786] dwc3_gadget_ep_cleanup_cancelled_requests+0xe0/0x170 >> [ 104.460599] dwc3_process_event_buf+0x2a8/0xbb0 >> [ 104.465662] dwc3_thread_interrupt+0x4c/0x90 >> [ 104.470435] irq_thread_fn+0x34/0xb8 >> [ 104.474431] irq_thread+0x1a0/0x290 >> [ 104.478327] kthread+0x10c/0x120 >> [ 104.481933] ret_from_fork+0x10/0x20 >> >> The error path triggering these list errors are usually in the >> dwc3 driver handling the cancelled or completed list. > > It looks like we're still freeing un-returned requests :(. If you still have > the setup can you pull the uvc logs to see if waiting for requests to be returned timed > out? I wonder if dwc3's interrupt handler is being scheduled too late. 500ms seemed > like a reasonable time out to me, but this seems to prove otherwise. > Hey Michael, were you able to look into the comments from the previous email? Avi.
On 9/19/23 11:24, Avichal Rakesh wrote: > > > On 9/15/23 18:35, Avichal Rakesh wrote: >> >> >> On 9/15/23 16:16, Michael Grzeschik wrote: >>> Hi Avichal >>> >>> On Thu, Sep 14, 2023 at 04:05:36PM -0700, Avichal Rakesh wrote: >>>> On Mon, Sep 11, 2023 at 9:19 PM Avichal Rakesh <arakesh@google.com> wrote: >>>>> >>>>> We have been seeing two main bugs when stopping stream: >>>>> 1. attempting to queue usb_requests on a disabled usb endpoint, and >>>>> 2. use-after-free problems for inflight requests >>>>> >>> >>> The error path triggering these list errors are usually in the >>> dwc3 driver handling the cancelled or completed list. >> >> It looks like we're still freeing un-returned requests :(. If you still have >> the setup can you pull the uvc logs to see if waiting for requests to be returned timed >> out? I wonder if dwc3's interrupt handler is being scheduled too late. 500ms seemed >> like a reasonable time out to me, but this seems to prove otherwise. >> > > > Hey Michael, were you able to look into the comments from the previous > email? > Bumping the thread up. Laurent, Dan, and Michael: the patches are ready to review/test. Please take a look when possible. Thank you! Avi.