RE: net2280 Driver Bug

[Raz Manor]

I'm not entirely sure either, that is why I wanted the specs.
Alan sent me the PLX NET2280 specs, but I'm using the USB3380/USB3381 - the 
USB3 version of the device.
As it seems from the code, the HW interface is mostly the same, with some minor 
changes, so it is the same driver (net2280.c) but with some branches for 
USB3380 when needed.
Maybe the problem has something to do with a minor difference between the 
NET2280 and USB3380, that was over looked when adding the support for the 
USB3380.
So, if any of you have the specs for that one, I would love to get them and see 
if there is such a difference in that area.

Anyway, as for the proposed path, this was my logic:
1. The req->td->dmadesc equals to 0 iff:
     -- There was a transaction ending with a short packet, and
     -- The read() to read it was shorter than the transaction length, and
     -- The read() to complete it is longer than the residue.
     I believe this is true from the printouts of various cases, but I can't be 
positive it is correct.

2. Entering this if, there should be no more data in the endpoint (a short 
packet terminated the transaction). If there is, the transaction wasn't really 
done and we should exit and wait for it to finish entirely. That is the inner 
if.
    That inner if should never happen, but it is there to be on the safe side. 
That is why it is marked with the comment /* paranoia */. 
    The size of the data available in the endpoint is ep->dma->dmacount and it 
is read to tmp.
     This entire clause is based on my own educated guesses.

3. If we passed that inner if without breaking in the original code, than tmp & 
DMA_BYTE_MASK_COUNT== 0.
    That means we will always pass dma bytes count of 0 to dma_done(), meaning 
all the requested bytes were read.

4. dma_done() reports back to the upper layer that the request (read()) was 
done and how many bytes were read. In the original code that would always be 
the request size, regardless of the actual size of the data.
    That did not make sense to me at all.

5. However, the original value of tmp is req->td->dmacount, which is the 
dmacount value when the request's dma transaction was finished. And that is a 
much more reasonable value to report back to the caller.

As you can see, this is based a lot on educated guesses and debug printouts of 
various cases. That is why I would like to get your input on this, to make sure 
I'm on the right track.

To recreate the problem., try reading from a bulk out endpoint in a loop, 1024 
* n bytes in each iteration. Connect the PLX to a host you can control, and 
send to that endpoint 1024 * n +x bytes such that  0 < x < 1024 * n and (x % 
1024) != 0
You would expect the first read() to return 1024 * n and the second read to 
return x, but you will get the first read to return 1024 *n and the second one 
to return 1024 * n.
That is true for every positive integer n.

My patch, solves the problem, and does not break any of the other cases I've 
tried.

To conclude:
I would love to get your input on this patch, as it is based on personal 
debugging and guesses, without knowing the HW specs.
I would also love to get the USB3380 specs, so I could verify some aspects of 
this problem myself, and for future references.

Peace and love and marry Christmas and happy Hanukah,
Raz

-----Original Message-----
From: Alan Stern [mailto:st...@rowland.harvard.edu] 
Sent: Tuesday, December 27, 2016 5:06 PM
To: Linus Torvalds <torva...@linux-foundation.org>
Cc: Greg Kroah-Hartman <gre...@linuxfoundation.org>; USB list 
<linux-usb@vger.kernel.org>; Felipe Balbi <ba...@kernel.org>; Raz Manor 
<raz.ma...@valens.com>; Tim Harvey <thar...@gateworks.com>; Heikki Krogerus 
<heikki.kroge...@linux.intel.com>; Jussi Kivilinna 
<jussi.kivili...@haltian.com>; Colin Ian King <colin.k...@canonical.com>
Subject: RE: net2280 Driver Bug

On Mon, 26 Dec 2016, Linus Torvalds wrote:

> On Dec 26, 2016 4:04 PM, "Alan Stern" wrote:
> 
> 
> Note that the usage of tmp in the "if (unlikely(req->td->dmadesc == 0)) {"
> branch really is not conflicting, because that branch breaks out of 
> the enclosing "while" loop.
> 
> 
> No.
> 
> Look closer.
> 
> It does indeed breast out of the loop, but before it dies that, it 
> uses "tmp" again. And it wants the *old* tmp, not the new one..

Are you certain that it doesn't want the new value of tmp?  How can you tell? 
-- it was not immediately obvious to me.  This was what I had in mind when I 
wrote that it wasn't clear whether your patch was entirely correct.

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html