Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?

From: David Mosberger
Date: Sat Mar 06 2004 - 00:50:55 EST

Next message: Len Brown: "[BKPATCH] ACPI for 2.4"
Previous message: glennpj: "Re: nicksched v30"
In reply to: David Brownell: "Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?"
Next in thread: David Mosberger: "Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>>>>> On Fri, 05 Mar 2004 20:55:01 -0800, David Brownell <david-b@xxxxxxxxxxx> said:
>> Turns out it's this patch that was causing the crashes:

>> http://linux.bkbits.net:8080/linux-2.5/cset@xxxxxxxxxxx

David.B> Maybe in 2.6.4-rc2... but not in 2.6.0-test{8,9}!!

Of course. What I'm saying is that in 2.6.0-test{8,9} it was rare to
trigger the problem (only with BTC keyboard) and the change above made
it trivial to trigger the keyboard. Basically, your fix in
cset 1.1619.1.17 made it more common for stuff to be unlinked in
the "deferred" (proper) manner and that made it much more likely to
trigger the bug.

David.B> The reason I keep ending up thinking that readl-elimination
David.B> must be OK (me agreeing with Martin) is that the memory
David.B> there came from dma_alloc_coherent() ... so if anything's
David.B> wrong, it'd be at most lack of rmb(), not a stale-cache
David.B> kind of thing.

It's not an issue of DMA coherency, it's an issue of DMA vs. interrupt
ordering. I believe the WHD interrupt is arriving at the CPU before
the DMA update to the HCCA is done. In my second patch, the readl()
at the beginning of the interrupt ensures that the DMA update to
the HCCA is completed before the readl() returns data.

David.B> It reads the frame number directly from the controller, so
David.B> it's not possible that it can be so stale that an rmb()
David.B> wouldn't fix sequencing issues.

Eh, it's read like this:

#define OHCI_FRAME_NO(hccap) ((u16)le32_to_cpup(&(hccap)->frame_no))

finish_unlinks (ohci, OHCI_FRAME_NO(ohci->hcca), ptregs);

The HCCA is in host memory.

>> - HCD ends up dereferencing a bad pointer and ends up reading
>> from address 0xf0000000, which on our ia64 machines is a
>> read-only area, which then results in a machine-check abort

David.B> I'm surprised that DMA from a read-only area would be a
David.B> problem! :) If OHCI is getting a PCI error, I'd expect a
David.B> "UE" IRQ.

You must have not received my follow-up message. There was a typo in
my message: it was supposed to say "write-only" area.

David.B> I still suspect some problem in the HID code. But right
David.B> now I'm quite certain of a recent-ish OHCI issue.

I'm 99% certain that the problem I saw back in October (BTC keyboard)
was identical to the one triggered by cset 1.1619.1.17.

--david
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Len Brown: "[BKPATCH] ACPI for 2.4"
Previous message: glennpj: "Re: nicksched v30"
In reply to: David Brownell: "Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?"
Next in thread: David Mosberger: "Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]