info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[PATCH net 0/2] r8152: rx patches
380 views
Skip to first unread message
Hayes Wang
Nov 11, 2016, 2:20:04 AM11/11/16
to
Let the rx sw checksum available and add some checks for rx desc.
Hayes Wang (2):
r8152: fix the sw rx checksum is unavailable
r8152: rx descriptor check
drivers/net/usb/r8152.c | 46 +++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 45 insertions(+), 1 deletion(-)
--
2.7.4
Hayes Wang (2):
r8152: fix the sw rx checksum is unavailable
r8152: rx descriptor check
drivers/net/usb/r8152.c | 46 +++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 45 insertions(+), 1 deletion(-)
--
2.7.4
Hayes Wang
Nov 11, 2016, 2:20:04 AM11/11/16
to
For some platforms, the data in memory is not the same with the one
from the device. That is, the data of memory is unbelievable. The
check is used to find out this situation.
Signed-off-by: Hayes Wang <haye...@realtek.com>
---
drivers/net/usb/r8152.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 0e42a78..e766121 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1756,6 +1756,43 @@ static u8 r8152_rx_csum(struct r8152 *tp, struct rx_desc *rx_desc)
return checksum;
}
+static int invalid_rx_desc(struct r8152 *tp, struct rx_desc *rx_desc)
+{
+ u32 opts1 = le32_to_cpu(rx_desc->opts1);
+ u32 opts2 = le32_to_cpu(rx_desc->opts2);
+ unsigned int pkt_len = opts1 & RX_LEN_MASK;
+
+ switch (tp->version) {
+ case RTL_VER_01:
+ case RTL_VER_02:
+ if (pkt_len > RTL8152_RMS)
+ return -EIO;
+ break;
+ default:
+ if (pkt_len > RTL8153_RMS)
+ return -EIO;
+ break;
+ }
+
+ switch (opts2 & (RD_IPV4_CS | RD_IPV6_CS)) {
+ case (RD_IPV4_CS | RD_IPV6_CS):
+ return -EIO;
+ case RD_IPV4_CS:
+ case RD_IPV6_CS:
+ switch (opts2 & (RD_UDP_CS | RD_TCP_CS)) {
+ case (RD_UDP_CS | RD_TCP_CS):
+ return -EIO;
+ default:
+ break;
+ }
+ break;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
static int rx_bottom(struct r8152 *tp, int budget)
{
unsigned long flags;
@@ -1812,6 +1849,18 @@ static int rx_bottom(struct r8152 *tp, int budget)
unsigned int pkt_len;
struct sk_buff *skb;
+ if (unlikely(invalid_rx_desc(tp, rx_desc))) {
+ if (net_ratelimit())
+ netif_err(tp, rx_err, netdev,
+ "Memory unbelievable\n");
+ if (tp->netdev->features & NETIF_F_RXCSUM) {
+ tp->netdev->features &= ~NETIF_F_RXCSUM;
+ netif_err(tp, rx_err, netdev,
+ "rx checksum off\n");
+ }
+ break;
+ }
+
pkt_len = le32_to_cpu(rx_desc->opts1) & RX_LEN_MASK;
if (pkt_len < ETH_ZLEN)
break;
--
2.7.4
from the device. That is, the data of memory is unbelievable. The
check is used to find out this situation.
Signed-off-by: Hayes Wang <haye...@realtek.com>
---
drivers/net/usb/r8152.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 0e42a78..e766121 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1756,6 +1756,43 @@ static u8 r8152_rx_csum(struct r8152 *tp, struct rx_desc *rx_desc)
return checksum;
}
+static int invalid_rx_desc(struct r8152 *tp, struct rx_desc *rx_desc)
+{
+ u32 opts1 = le32_to_cpu(rx_desc->opts1);
+ u32 opts2 = le32_to_cpu(rx_desc->opts2);
+ unsigned int pkt_len = opts1 & RX_LEN_MASK;
+
+ switch (tp->version) {
+ case RTL_VER_01:
+ case RTL_VER_02:
+ if (pkt_len > RTL8152_RMS)
+ return -EIO;
+ break;
+ default:
+ if (pkt_len > RTL8153_RMS)
+ return -EIO;
+ break;
+ }
+
+ switch (opts2 & (RD_IPV4_CS | RD_IPV6_CS)) {
+ case (RD_IPV4_CS | RD_IPV6_CS):
+ return -EIO;
+ case RD_IPV4_CS:
+ case RD_IPV6_CS:
+ switch (opts2 & (RD_UDP_CS | RD_TCP_CS)) {
+ case (RD_UDP_CS | RD_TCP_CS):
+ return -EIO;
+ default:
+ break;
+ }
+ break;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
static int rx_bottom(struct r8152 *tp, int budget)
{
unsigned long flags;
@@ -1812,6 +1849,18 @@ static int rx_bottom(struct r8152 *tp, int budget)
unsigned int pkt_len;
struct sk_buff *skb;
+ if (unlikely(invalid_rx_desc(tp, rx_desc))) {
+ if (net_ratelimit())
+ netif_err(tp, rx_err, netdev,
+ "Memory unbelievable\n");
+ if (tp->netdev->features & NETIF_F_RXCSUM) {
+ tp->netdev->features &= ~NETIF_F_RXCSUM;
+ netif_err(tp, rx_err, netdev,
+ "rx checksum off\n");
+ }
+ break;
+ }
+
pkt_len = le32_to_cpu(rx_desc->opts1) & RX_LEN_MASK;
if (pkt_len < ETH_ZLEN)
break;
--
2.7.4
Hayes Wang
Nov 11, 2016, 2:20:05 AM11/11/16
to
Fix the hw rx checksum is always enabled, and the user couldn't switch
it to sw rx checksum.
Note that the RTL_VER_01 only supports sw rx checksum only. Besides,
the hw rx checksum for RTL_VER_02 is disabled after
commit b9a321b48af4 ("r8152: Fix broken RX checksums."). Re-enable it.
drivers/net/usb/r8152.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 75c5168..0e42a78 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1730,7 +1730,7 @@ static u8 r8152_rx_csum(struct r8152 *tp, struct rx_desc *rx_desc)
u8 checksum = CHECKSUM_NONE;
u32 opts2, opts3;
- if (tp->version == RTL_VER_01 || tp->version == RTL_VER_02)
+ if (!(tp->netdev->features & NETIF_F_RXCSUM))
goto return_result;
opts2 = le32_to_cpu(rx_desc->opts2);
@@ -4307,6 +4307,11 @@ static int rtl8152_probe(struct usb_interface *intf,
NETIF_F_HIGHDMA | NETIF_F_FRAGLIST |
NETIF_F_IPV6_CSUM | NETIF_F_TSO6;
+ if (tp->version == RTL_VER_01) {
+ netdev->features &= ~NETIF_F_RXCSUM;
+ netdev->hw_features &= ~NETIF_F_RXCSUM;
+ }
+
netdev->ethtool_ops = &ops;
netif_set_gso_max_size(netdev, RTL_LIMITED_TSO_SIZE);
--
2.7.4
it to sw rx checksum.
Note that the RTL_VER_01 only supports sw rx checksum only. Besides,
the hw rx checksum for RTL_VER_02 is disabled after
commit b9a321b48af4 ("r8152: Fix broken RX checksums."). Re-enable it.
drivers/net/usb/r8152.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 75c5168..0e42a78 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1730,7 +1730,7 @@ static u8 r8152_rx_csum(struct r8152 *tp, struct rx_desc *rx_desc)
u8 checksum = CHECKSUM_NONE;
u32 opts2, opts3;
- if (tp->version == RTL_VER_01 || tp->version == RTL_VER_02)
+ if (!(tp->netdev->features & NETIF_F_RXCSUM))
goto return_result;
opts2 = le32_to_cpu(rx_desc->opts2);
@@ -4307,6 +4307,11 @@ static int rtl8152_probe(struct usb_interface *intf,
NETIF_F_HIGHDMA | NETIF_F_FRAGLIST |
NETIF_F_IPV6_CSUM | NETIF_F_TSO6;
+ if (tp->version == RTL_VER_01) {
+ netdev->features &= ~NETIF_F_RXCSUM;
+ netdev->hw_features &= ~NETIF_F_RXCSUM;
+ }
+
netdev->ethtool_ops = &ops;
netif_set_gso_max_size(netdev, RTL_LIMITED_TSO_SIZE);
--
2.7.4
Francois Romieu
Nov 11, 2016, 7:20:05 AM11/11/16
to
Hayes Wang <haye...@realtek.com> :
reminds of CVE-2009-4537.
Is the silicium of both devices different enough to prevent the same
exploit to happen ?
--
Ueimor
> For some platforms, the data in memory is not the same with the one
> from the device. That is, the data of memory is unbelievable. The
> check is used to find out this situation.
Invalid packet size corrupted receive descriptors in Realtek's device
> from the device. That is, the data of memory is unbelievable. The
> check is used to find out this situation.
reminds of CVE-2009-4537.
Is the silicium of both devices different enough to prevent the same
exploit to happen ?
--
Ueimor
Mark Lord
Nov 12, 2016, 8:30:05 AM11/12/16
to
driver regularly attempts to process huge unreal packet sizes here.
I've had to patch it to reject "packets" larger than the configured MRU.
--
Mark Lord
Real-Time Remedies Inc.
ml...@pobox.com
David Miller
Nov 13, 2016, 12:50:04 PM11/13/16
to
From: Hayes Wang <haye...@realtek.com>
Date: Fri, 11 Nov 2016 15:15:41 +0800
> For some platforms, the data in memory is not the same with the one
> from the device. That is, the data of memory is unbelievable. The
> check is used to find out this situation.
>
> Signed-off-by: Hayes Wang <haye...@realtek.com>
I'm all for adding consistency checks, but I disagree with proceeding
in this manner for this.
If you add this patch now, there is a much smaller likelyhood that you
will work with a high priority to figure out _why_ this is happening.
For all we know this could be a platform bug in the DMA API for the
systems in question.
It could also be a bug elsewhere in the driver, either in setting up
the descriptor DMA mappings or how the chip is programmed.
Either way the true cause must be found before we start throwing
changes like this into the driver.
I'm not applying this series, sorry.
Date: Fri, 11 Nov 2016 15:15:41 +0800
> For some platforms, the data in memory is not the same with the one
> from the device. That is, the data of memory is unbelievable. The
> check is used to find out this situation.
>
> Signed-off-by: Hayes Wang <haye...@realtek.com>
in this manner for this.
If you add this patch now, there is a much smaller likelyhood that you
will work with a high priority to figure out _why_ this is happening.
For all we know this could be a platform bug in the DMA API for the
systems in question.
It could also be a bug elsewhere in the driver, either in setting up
the descriptor DMA mappings or how the chip is programmed.
Either way the true cause must be found before we start throwing
changes like this into the driver.
I'm not applying this series, sorry.
Mark Lord
Nov 13, 2016, 3:40:05 PM11/13/16
to
The system I use it with is a 32-bit ppc476, with non-coherent RAM,
and using 16KB page sizes.
The dongle instantly becomes a lot more reliable when r8152.c is updated
to use usb_alloc_coherent() for URB buffers, rather than kmalloc().
Not sure why that would be though, as the USB stack normally would handle
kmalloc'd buffers just fine. It is calling the appropriate routines,
which boil down to invalidating the dcache lines (for inbound bulk xfers)
as part of usb_submit_urb(), and yet the problem there persists.
It could be caused by cache-line sharing with other allocations, but that seems
unlikely as the kmalloc() size is 16384 bytes per buffer. Perhaps the driver
is somehow accessing the buffer space again after doing usb_submit_urb()?
That would certainly produce this kind of behaviour.
Or maybe there's just a memory barrier missing somewhere in path.
The really weird thing is that ASIX-based dongles (which use a different driver)
don't have this problem, and yet they also use kmalloc'd buffers.
I have access to the test system only for a day or two a week,
and it takes a few hours to do a good test as to whether something helps or not.
I'll continue to poke at it as time and New Ideas permit.
New Ideas welcome!
Mark Lord
Nov 13, 2016, 3:40:06 PM11/13/16
to
On 16-11-13 03:34 PM, Mark Lord wrote:
>
> The system I use it with is a 32-bit ppc476, with non-coherent RAM,
> and using 16KB page sizes.
>
> The dongle instantly becomes a lot more reliable when r8152.c is updated
> to use usb_alloc_coherent() for URB buffers, rather than kmalloc().
>
> Not sure why that would be though, as the USB stack normally would handle
> kmalloc'd buffers just fine. It is calling the appropriate routines,
> which boil down to invalidating the dcache lines (for inbound bulk xfers)
> as part of usb_submit_urb(), and yet the problem there persists.
>
> It could be caused by cache-line sharing with other allocations, but that seems
> unlikely as the kmalloc() size is 16384 bytes per buffer. Perhaps the driver
> is somehow accessing the buffer space again after doing usb_submit_urb()?
> That would certainly produce this kind of behaviour.
>
> Or maybe there's just a memory barrier missing somewhere in path.
>
> The really weird thing is that ASIX-based dongles (which use a different driver)
> don't have this problem, and yet they also use kmalloc'd buffers.
>
> I have access to the test system only for a day or two a week,
> and it takes a few hours to do a good test as to whether something helps or not.
> I'll continue to poke at it as time and New Ideas permit.
Oh, and the problems did not exist with the 3.14.xx kernels and earlier.
>
> The system I use it with is a 32-bit ppc476, with non-coherent RAM,
> and using 16KB page sizes.
>
> The dongle instantly becomes a lot more reliable when r8152.c is updated
> to use usb_alloc_coherent() for URB buffers, rather than kmalloc().
>
> Not sure why that would be though, as the USB stack normally would handle
> kmalloc'd buffers just fine. It is calling the appropriate routines,
> which boil down to invalidating the dcache lines (for inbound bulk xfers)
> as part of usb_submit_urb(), and yet the problem there persists.
>
> It could be caused by cache-line sharing with other allocations, but that seems
> unlikely as the kmalloc() size is 16384 bytes per buffer. Perhaps the driver
> is somehow accessing the buffer space again after doing usb_submit_urb()?
> That would certainly produce this kind of behaviour.
>
> Or maybe there's just a memory barrier missing somewhere in path.
>
> The really weird thing is that ASIX-based dongles (which use a different driver)
> don't have this problem, and yet they also use kmalloc'd buffers.
>
> I have access to the test system only for a day or two a week,
> and it takes a few hours to do a good test as to whether something helps or not.
> I'll continue to poke at it as time and New Ideas permit.
They began to show up when we tried 3.16.xx and all newer kernels.
The difference there is that RX checksums were enabled in hardware as of 3.16.xx,
and thus the network stack began accepting bad packets from the r8152 driver.
I don't know if the ASIX driver uses hardware checksums or just software checksums.
That might explain why it is more reliable here.
Hayes Wang
Nov 14, 2016, 1:50:04 AM11/14/16
to
Francois Romieu [mailto:rom...@fr.zoreil.com]
> Sent: Friday, November 11, 2016 8:13 PM
[...]
which is set to RxMaxSize? I check it with our hw engineers.
They don't get any issue about RxMaxSize. And their test for
RxMaxSize register is fine.
> Is the silicium of both devices different enough to prevent the same
> exploit to happen ?
For this case, I don't think the device provide a invalid value
for the receive descriptors. However, the driver sees a different
value. That is why I say the memory is unbelievable.
Best Regards,
Hayes
> Sent: Friday, November 11, 2016 8:13 PM
[...]
> Invalid packet size corrupted receive descriptors in Realtek's device
> reminds of CVE-2009-4537.
Do you mean that the driver would get a packet exceed the size
> reminds of CVE-2009-4537.
which is set to RxMaxSize? I check it with our hw engineers.
They don't get any issue about RxMaxSize. And their test for
RxMaxSize register is fine.
> Is the silicium of both devices different enough to prevent the same
> exploit to happen ?
for the receive descriptors. However, the driver sees a different
value. That is why I say the memory is unbelievable.
Best Regards,
Hayes
Hayes Wang
Nov 14, 2016, 2:10:05 AM11/14/16
to
David Miller [mailto:da...@davemloft.net]
> Sent: Monday, November 14, 2016 1:40 AM
[...]
driver. However, for the other parts, such as the USB host
controller or memory, it is difficult for me to make sure whether
they are correct or not. I could only promise our devices and
driver work fine.
Best Regards,
Hayes
> Sent: Monday, November 14, 2016 1:40 AM
[...]
> If you add this patch now, there is a much smaller likelyhood that you
> will work with a high priority to figure out _why_ this is happening.
>
> For all we know this could be a platform bug in the DMA API for the
> systems in question.
>
> It could also be a bug elsewhere in the driver, either in setting up
> the descriptor DMA mappings or how the chip is programmed.
>
> Either way the true cause must be found before we start throwing
> changes like this into the driver.
Our hw engineer could check our device, and I could check the
> will work with a high priority to figure out _why_ this is happening.
>
> For all we know this could be a platform bug in the DMA API for the
> systems in question.
>
> It could also be a bug elsewhere in the driver, either in setting up
> the descriptor DMA mappings or how the chip is programmed.
>
> Either way the true cause must be found before we start throwing
> changes like this into the driver.
driver. However, for the other parts, such as the USB host
controller or memory, it is difficult for me to make sure whether
they are correct or not. I could only promise our devices and
driver work fine.
Best Regards,
Hayes
Hayes Wang
Nov 14, 2016, 2:30:06 AM11/14/16
to
Mark Lord [mailto:ml...@pobox.com]
> Sent: Monday, November 14, 2016 4:34 AM
[...]
That is, the driver would not change (or write) the data. Second,
The driver would lose the point address of the received buffer
after submitting the urb to the USB host controller, until the
transfer is completed by the USB host controller. That is, the
driver doesn't how to access the buffer after calling usb_submit_urb().
Best Regards,
Hayes
> Sent: Monday, November 14, 2016 4:34 AM
[...]
> Perhaps the driver
> is somehow accessing the buffer space again after doing usb_submit_urb()?
> That would certainly produce this kind of behaviour.
I don't think so. First, the driver only read the received buffer.
> is somehow accessing the buffer space again after doing usb_submit_urb()?
> That would certainly produce this kind of behaviour.
That is, the driver would not change (or write) the data. Second,
The driver would lose the point address of the received buffer
after submitting the urb to the USB host controller, until the
transfer is completed by the USB host controller. That is, the
driver doesn't how to access the buffer after calling usb_submit_urb().
Best Regards,
Hayes
David Miller
Nov 14, 2016, 12:30:06 PM11/14/16
to
From: Hayes Wang <haye...@realtek.com>
Date: Mon, 14 Nov 2016 07:23:51 +0000
This is why it's most likely some DMA implementation issue or similar.
Date: Mon, 14 Nov 2016 07:23:51 +0000
Francois Romieu
Nov 14, 2016, 8:20:05 PM11/14/16
to
Hayes Wang <haye...@realtek.com> :
get it wrong twice, especially if some part of the hardware design
is recycled. I don't mean anything else.
I won't speculate about some cache consistency issue or some badly
aborted dma transaction to explain the memory corruption.
--
Ueimor
> Francois Romieu [mailto:rom...@fr.zoreil.com]
> > Sent: Friday, November 11, 2016 8:13 PM
> [...]
> > Invalid packet size corrupted receive descriptors in Realtek's device
> > reminds of CVE-2009-4537.
>
> Do you mean that the driver would get a packet exceed the size
> which is set to RxMaxSize ?
If it was possible to get it wrong once, it should be possible to
> > Sent: Friday, November 11, 2016 8:13 PM
> [...]
> > Invalid packet size corrupted receive descriptors in Realtek's device
> > reminds of CVE-2009-4537.
>
> Do you mean that the driver would get a packet exceed the size
> which is set to RxMaxSize ?
get it wrong twice, especially if some part of the hardware design
is recycled. I don't mean anything else.
I won't speculate about some cache consistency issue or some badly
aborted dma transaction to explain the memory corruption.
--
Ueimor
Hayes Wang
Nov 16, 2016, 10:10:09 PM11/16/16
to
Francois Romieu [mailto:rom...@fr.zoreil.com]
> Sent: Tuesday, November 15, 2016 9:11 AM
[...]
for confirming it.
Besides, the behavior is different for PCIe and USB device. There
is no action of DMA for USB device. It is done by the USB host
controller. And, the USB host controller wouldn't allow the device
sends a data which is more than the size of the buffer.
Best Regards,
Hayes
> Sent: Tuesday, November 15, 2016 9:11 AM
[...]
> If it was possible to get it wrong once, it should be possible to
> get it wrong twice, especially if some part of the hardware design
> is recycled. I don't mean anything else.
I agree with you. However, I have to let it could be reproduced
> get it wrong twice, especially if some part of the hardware design
> is recycled. I don't mean anything else.
for confirming it.
Besides, the behavior is different for PCIe and USB device. There
is no action of DMA for USB device. It is done by the USB host
controller. And, the USB host controller wouldn't allow the device
sends a data which is more than the size of the buffer.
Best Regards,
Hayes
Hayes Wang
Nov 16, 2016, 10:40:06 PM11/16/16
to
[...]
RTL_VER_02 use rx hw checksum?
Best Regards,
Hayes
> Fix the hw rx checksum is always enabled, and the user couldn't switch
> it to sw rx checksum.
>
> Note that the RTL_VER_01 only supports sw rx checksum only. Besides,
> the hw rx checksum for RTL_VER_02 is disabled after
> commit b9a321b48af4 ("r8152: Fix broken RX checksums."). Re-enable it.
Excuse me. If I want to re-send this one patch, should I let
> it to sw rx checksum.
>
> Note that the RTL_VER_01 only supports sw rx checksum only. Besides,
> the hw rx checksum for RTL_VER_02 is disabled after
> commit b9a321b48af4 ("r8152: Fix broken RX checksums."). Re-enable it.
RTL_VER_02 use rx hw checksum?
Best Regards,
Hayes
Mark Lord
Nov 17, 2016, 9:30:05 AM11/17/16
to
On 16-11-17 09:14 AM, Mark Lord wrote:
..
> Using coherent buffers (non-cacheable, allocated with usb_alloc_coherent),
Note that the same behaviour also happens with the original kmalloc'd buffers.
> I can get it to fail extremely regularly by simply reducing the buffer size
> (agg_buf_sz) from 16KB down to 4KB. This makes reproducing the issue
> much much easier -- the same problems do happen with the larger 16KB size,
> but much less often than with smaller sizes.
Increasing the buffer size to 64KB makes the problem much less frequent,
as one might expect. Thus far I haven't seen it happen at all, but a longer
run (1-3 days) is needed to make sure. This however is NOT a "fix".
> So.. with a 4KB URB transfer_buffer size, along with a ton of added error-checking,
> I see this behaviour every 10 (rx) URBs or so:
>
> First URB (number 593):
> [ 34.260667] r8152_rx_bottom: 593 corrupted urb: head=bf014000 urb_offset=2856/4096 pkt_len(1518) exceeds remainder(1216)
> [ 34.271931] r8152_dump_rx_desc: 044805ee 40080000 006005dc 06020000 00000000 00000000 rx_len=1518
>
> Next URB (number 594):
> [ 34.281172] r8152_check_rx_desc: rx_desc looks bad.
> [ 34.286228] r8152_rx_bottom: 594 corrupted urb. head=bf018000 urb_offset=0/304 len_used=24
> [ 34.294774] r8152_dump_rx_desc: 00008300 00008400 00008500 00008600 00008700 00008800 rx_len=768
>
> What the above sample shows, is the URB transfer buffer ran out of space in the middle
> of a packet, and the hardware then tried to just continue that same packet in the next URB,
> without an rx_desc header inserted. The r8152.c driver always assumes the URB buffer begins
> with an rx_desc, so of course this behaviour produces really weird effects, and system crashes, etc..
>
> So until that driver bug is addressed, I would advise disabling hardware RX checksums
> for all chip versions, not only for version 02.
>
> It is not clear to me how the chip decides when to forward an rx URB to the host.
> If you could describe how that part works for us, then it would help in further
> understanding why fast systems (eg. a PC) don't generally notice the issue,
> while much slower embedded systems do see the issue regularly.
That last part is critical to understanding things:
How does the chip decide that a URB is "full enough" before sending it to the host?
Why does a really fast host see fewer packets jammed together into a single URB than a slower host?
The answers will help understand if there are more bugs to be found/fixed,
or if everything is explained by what has been observed thus far.
To recap: the hardware sometimes fills a URB to the very end, and then continues the
current packet at the first byte of the following URB. The r8152.c driver does NOT
handle this situation; instead it always interprets the first 24 bytes of every URB
as an "rx_desc" structure, without any kind of sanity/validation. This results in
buffer overruns (it trusts the packet length field, even though the URB is too small
to hold such a packet), and other semi-random behaviour.
Using software rx checksums prevents Bad Things(tm) happening from most of this,
but even that is not perfect given the severity of the bug.
Cheers
..
> Using coherent buffers (non-cacheable, allocated with usb_alloc_coherent),
Note that the same behaviour also happens with the original kmalloc'd buffers.
> I can get it to fail extremely regularly by simply reducing the buffer size
> (agg_buf_sz) from 16KB down to 4KB. This makes reproducing the issue
> much much easier -- the same problems do happen with the larger 16KB size,
> but much less often than with smaller sizes.
Increasing the buffer size to 64KB makes the problem much less frequent,
as one might expect. Thus far I haven't seen it happen at all, but a longer
run (1-3 days) is needed to make sure. This however is NOT a "fix".
> So.. with a 4KB URB transfer_buffer size, along with a ton of added error-checking,
> I see this behaviour every 10 (rx) URBs or so:
>
> First URB (number 593):
> [ 34.260667] r8152_rx_bottom: 593 corrupted urb: head=bf014000 urb_offset=2856/4096 pkt_len(1518) exceeds remainder(1216)
> [ 34.271931] r8152_dump_rx_desc: 044805ee 40080000 006005dc 06020000 00000000 00000000 rx_len=1518
>
> Next URB (number 594):
> [ 34.281172] r8152_check_rx_desc: rx_desc looks bad.
> [ 34.286228] r8152_rx_bottom: 594 corrupted urb. head=bf018000 urb_offset=0/304 len_used=24
> [ 34.294774] r8152_dump_rx_desc: 00008300 00008400 00008500 00008600 00008700 00008800 rx_len=768
>
> What the above sample shows, is the URB transfer buffer ran out of space in the middle
> of a packet, and the hardware then tried to just continue that same packet in the next URB,
> without an rx_desc header inserted. The r8152.c driver always assumes the URB buffer begins
> with an rx_desc, so of course this behaviour produces really weird effects, and system crashes, etc..
>
> So until that driver bug is addressed, I would advise disabling hardware RX checksums
> for all chip versions, not only for version 02.
>
> It is not clear to me how the chip decides when to forward an rx URB to the host.
> If you could describe how that part works for us, then it would help in further
> understanding why fast systems (eg. a PC) don't generally notice the issue,
> while much slower embedded systems do see the issue regularly.
That last part is critical to understanding things:
How does the chip decide that a URB is "full enough" before sending it to the host?
Why does a really fast host see fewer packets jammed together into a single URB than a slower host?
The answers will help understand if there are more bugs to be found/fixed,
or if everything is explained by what has been observed thus far.
To recap: the hardware sometimes fills a URB to the very end, and then continues the
current packet at the first byte of the following URB. The r8152.c driver does NOT
handle this situation; instead it always interprets the first 24 bytes of every URB
as an "rx_desc" structure, without any kind of sanity/validation. This results in
buffer overruns (it trusts the packet length field, even though the URB is too small
to hold such a packet), and other semi-random behaviour.
Using software rx checksums prevents Bad Things(tm) happening from most of this,
but even that is not perfect given the severity of the bug.
Cheers
Mark Lord
Nov 17, 2016, 9:40:08 AM11/17/16
to
(resending.. not sure if the original had mailer errors)
Definitely NOT.
I am still doing low-level tracing through the driver as time permits,
and just now found some really interesting evidence.
Using coherent buffers (non-cacheable, allocated with usb_alloc_coherent),
Mark
I am still doing low-level tracing through the driver as time permits,
and just now found some really interesting evidence.
Using coherent buffers (non-cacheable, allocated with usb_alloc_coherent),
I can get it to fail extremely regularly by simply reducing the buffer size
(agg_buf_sz) from 16KB down to 4KB. This makes reproducing the issue
much much easier -- the same problems do happen with the larger 16KB size,
but much less often than with smaller sizes.
(agg_buf_sz) from 16KB down to 4KB. This makes reproducing the issue
much much easier -- the same problems do happen with the larger 16KB size,
but much less often than with smaller sizes.
So.. with a 4KB URB transfer_buffer size, along with a ton of added error-checking,
I see this behaviour every 10 (rx) URBs or so:
First URB (number 593):
[ 34.260667] r8152_rx_bottom: 593 corrupted urb: head=bf014000 urb_offset=2856/4096 pkt_len(1518) exceeds remainder(1216)
[ 34.271931] r8152_dump_rx_desc: 044805ee 40080000 006005dc 06020000 00000000 00000000 rx_len=1518
Next URB (number 594):
[ 34.281172] r8152_check_rx_desc: rx_desc looks bad.
[ 34.286228] r8152_rx_bottom: 594 corrupted urb. head=bf018000 urb_offset=0/304 len_used=24
[ 34.294774] r8152_dump_rx_desc: 00008300 00008400 00008500 00008600 00008700 00008800 rx_len=768
What the above sample shows, is the URB transfer buffer ran out of space in the middle
of a packet, and the hardware then tried to just continue that same packet in the next URB,
without an rx_desc header inserted. The r8152.c driver always assumes the URB buffer begins
with an rx_desc, so of course this behaviour produces really weird effects, and system crashes, etc..
So until that driver bug is addressed, I would advise disabling hardware RX checksums
for all chip versions, not only for version 02.
It is not clear to me how the chip decides when to forward an rx URB to the host.
If you could describe how that part works for us, then it would help in further
understanding why fast systems (eg. a PC) don't generally notice the issue,
while much slower embedded systems do see the issue regularly.
Thanks
I see this behaviour every 10 (rx) URBs or so:
First URB (number 593):
[ 34.260667] r8152_rx_bottom: 593 corrupted urb: head=bf014000 urb_offset=2856/4096 pkt_len(1518) exceeds remainder(1216)
[ 34.271931] r8152_dump_rx_desc: 044805ee 40080000 006005dc 06020000 00000000 00000000 rx_len=1518
Next URB (number 594):
[ 34.281172] r8152_check_rx_desc: rx_desc looks bad.
[ 34.286228] r8152_rx_bottom: 594 corrupted urb. head=bf018000 urb_offset=0/304 len_used=24
[ 34.294774] r8152_dump_rx_desc: 00008300 00008400 00008500 00008600 00008700 00008800 rx_len=768
What the above sample shows, is the URB transfer buffer ran out of space in the middle
of a packet, and the hardware then tried to just continue that same packet in the next URB,
without an rx_desc header inserted. The r8152.c driver always assumes the URB buffer begins
with an rx_desc, so of course this behaviour produces really weird effects, and system crashes, etc..
So until that driver bug is addressed, I would advise disabling hardware RX checksums
for all chip versions, not only for version 02.
It is not clear to me how the chip decides when to forward an rx URB to the host.
If you could describe how that part works for us, then it would help in further
understanding why fast systems (eg. a PC) don't generally notice the issue,
while much slower embedded systems do see the issue regularly.
Mark
Hayes Wang
Nov 18, 2016, 3:00:05 AM11/18/16
to
Mark Lord [mailto:ml...@pobox.com]
> Sent: Thursday, November 17, 2016 9:42 PM
[...]
the USB host controller knows. Therefore, the device sends the
data to host, and the host fills the memory. According to your
description, it seems the host splits the data from the device
into two different buffers (or URB transfers). I wonder if it would
occur. As far as I know, the host wouldn't allow the buffer size
less than the data length.
Our hw engineers need the log from the USB analyzer to confirm
what the device sends to the host. However, I don't think you
have USB analyzer to do this. I would try to reproduce the issue.
But, I am busy, so I don't think I would response quickly.
Besides, the maximum data length which the RTL8152 would send to
the host is 16KB. That is, if the agg_buf_sz is 16KB, the host
wouldn't split it. However, you still see problems for it.
[...]
rx_desc + a packet + padding to 8 alignment +
rx_desc + a packet + padding to 8 alignment + ...
Therefore, when a urb transfer is completed, the driver parsers
the buffer by this way. After the buffer is handled, it would
be submitted to the host, until the transfer is completed again.
If the submitting fail, the driver would try again later. The
urb->actual_length means how much data the host fills. The drive
uses it to check the end of the data. The urb->status mean if
the transfer is successful. The driver submits the urb to the
host directly if the status is not successful.
Best Regards,
Hayes
> Sent: Thursday, November 17, 2016 9:42 PM
[...]
> What the above sample shows, is the URB transfer buffer ran out of space in the
> middle
> of a packet, and the hardware then tried to just continue that same packet in the
> next URB,
> without an rx_desc header inserted. The r8152.c driver always assumes the URB
> buffer begins
> with an rx_desc, so of course this behaviour produces really weird effects, and
> system crashes, etc..
The USB device wouldn't know the address and size of buffer. Only
> middle
> of a packet, and the hardware then tried to just continue that same packet in the
> next URB,
> without an rx_desc header inserted. The r8152.c driver always assumes the URB
> buffer begins
> with an rx_desc, so of course this behaviour produces really weird effects, and
> system crashes, etc..
the USB host controller knows. Therefore, the device sends the
data to host, and the host fills the memory. According to your
description, it seems the host splits the data from the device
into two different buffers (or URB transfers). I wonder if it would
occur. As far as I know, the host wouldn't allow the buffer size
less than the data length.
Our hw engineers need the log from the USB analyzer to confirm
what the device sends to the host. However, I don't think you
have USB analyzer to do this. I would try to reproduce the issue.
But, I am busy, so I don't think I would response quickly.
Besides, the maximum data length which the RTL8152 would send to
the host is 16KB. That is, if the agg_buf_sz is 16KB, the host
wouldn't split it. However, you still see problems for it.
[...]
> It is not clear to me how the chip decides when to forward an rx URB to the host.
> If you could describe how that part works for us, then it would help in further
> understanding why fast systems (eg. a PC) don't generally notice the issue,
> while much slower embedded systems do see the issue regularly.
The driver expects the rx buffer would be
> If you could describe how that part works for us, then it would help in further
> understanding why fast systems (eg. a PC) don't generally notice the issue,
> while much slower embedded systems do see the issue regularly.
rx_desc + a packet + padding to 8 alignment +
rx_desc + a packet + padding to 8 alignment + ...
Therefore, when a urb transfer is completed, the driver parsers
the buffer by this way. After the buffer is handled, it would
be submitted to the host, until the transfer is completed again.
If the submitting fail, the driver would try again later. The
urb->actual_length means how much data the host fills. The drive
uses it to check the end of the data. The urb->status mean if
the transfer is successful. The driver submits the urb to the
host directly if the status is not successful.
Best Regards,
Hayes
Mark Lord
Nov 18, 2016, 7:10:06 AM11/18/16
to
On 16-11-18 02:57 AM, Hayes Wang wrote:
..
rather than some other number? Is this a hardwired number
in the hardware, or is it a parameter that the software
sends to the chip during initialization?
I have a USB analyzer, but it is difficult to figure out how
to program an appropriate trigger point for the capture,
since the problem (with 16KB URBs) takes minutes to hours
or even days to trigger.
And the output from the analyzer is in some proprietary format.
The in-kernel software analzer could be useful, but I have never
figured out how to use it. :)
Since my earlier email, I have figured out another piece of the
puzzle with this dongle.
The first issue is that a packet sometimes begins in one URB,
and completes in the next URB, without an rx_desc at the start
of the second URB. This I have already reported earlier.
But the driver, as written, sometimes accesses bytes outside
of the 16KB URB buffer, because it trusts the non-existent
rx_desc in these cases, and also because it accesses bytes
from the rx_desc without first checking whether there is
sufficient remaining space in the URB to hold an rx_desc.
These incorrect accesses sometimes touch memory outside
of the URB buffer. Since the driver allocates all of its
rx URB buffers at once, they are highly likely to be
physically (and therefore virtually) adjacent in memory.
So mistakenly accessing beyond the end of one buffer will
often result in a read from memory of the next URB buffer.
Which causes a portion of it to be loaded in the the D-cache.
When that URB is subsequently filled by DMA, there then exists
a data-consistency issue: the D-cache contains stale information
from before the latest DMA cycle.
So this explains the strange memory behaviour observed earlier on.
When I add a call to invalidate_dcache_range() to the driver
just before it begins examining a new rx URB, the problems go away.
So this confirms the observations.
Using non-cacheable RAM also makes the problem go away.
But neither is a fix for the real buffer overrun accesses in the driver.
Fix the "packet spans URBs" bug, and fix the driver to ALWAYS
test lengths/ranges before accessing the actual buffer,
and everything should begin working reliably.
Cheers
..
> Besides, the maximum data length which the RTL8152 would send to
> the host is 16KB. That is, if the agg_buf_sz is 16KB, the host
> wouldn't split it. However, you still see problems for it.
How does the RTL8152 know that the limit is 16KB,
> the host is 16KB. That is, if the agg_buf_sz is 16KB, the host
> wouldn't split it. However, you still see problems for it.
rather than some other number? Is this a hardwired number
in the hardware, or is it a parameter that the software
sends to the chip during initialization?
I have a USB analyzer, but it is difficult to figure out how
to program an appropriate trigger point for the capture,
since the problem (with 16KB URBs) takes minutes to hours
or even days to trigger.
And the output from the analyzer is in some proprietary format.
The in-kernel software analzer could be useful, but I have never
figured out how to use it. :)
Since my earlier email, I have figured out another piece of the
puzzle with this dongle.
The first issue is that a packet sometimes begins in one URB,
and completes in the next URB, without an rx_desc at the start
of the second URB. This I have already reported earlier.
But the driver, as written, sometimes accesses bytes outside
of the 16KB URB buffer, because it trusts the non-existent
rx_desc in these cases, and also because it accesses bytes
from the rx_desc without first checking whether there is
sufficient remaining space in the URB to hold an rx_desc.
These incorrect accesses sometimes touch memory outside
of the URB buffer. Since the driver allocates all of its
rx URB buffers at once, they are highly likely to be
physically (and therefore virtually) adjacent in memory.
So mistakenly accessing beyond the end of one buffer will
often result in a read from memory of the next URB buffer.
Which causes a portion of it to be loaded in the the D-cache.
When that URB is subsequently filled by DMA, there then exists
a data-consistency issue: the D-cache contains stale information
from before the latest DMA cycle.
So this explains the strange memory behaviour observed earlier on.
When I add a call to invalidate_dcache_range() to the driver
just before it begins examining a new rx URB, the problems go away.
So this confirms the observations.
Using non-cacheable RAM also makes the problem go away.
But neither is a fix for the real buffer overrun accesses in the driver.
Fix the "packet spans URBs" bug, and fix the driver to ALWAYS
test lengths/ranges before accessing the actual buffer,
and everything should begin working reliably.
Cheers
Mark Lord
Nov 22, 2016, 8:20:05 AM11/22/16
to
On 16-11-18 07:03 AM, Mark Lord wrote:
> On 16-11-18 02:57 AM, Hayes Wang wrote:
> ..
>> Besides, the maximum data length which the RTL8152 would send to
>> the host is 16KB. That is, if the agg_buf_sz is 16KB, the host
>> wouldn't split it. However, you still see problems for it.
>
> How does the RTL8152 know that the limit is 16KB,
> rather than some other number? Is this a hardwired number
> in the hardware, or is it a parameter that the software
> sends to the chip during initialization?
..
> On 16-11-18 02:57 AM, Hayes Wang wrote:
> ..
>> Besides, the maximum data length which the RTL8152 would send to
>> the host is 16KB. That is, if the agg_buf_sz is 16KB, the host
>> wouldn't split it. However, you still see problems for it.
>
> How does the RTL8152 know that the limit is 16KB,
> rather than some other number? Is this a hardwired number
> in the hardware, or is it a parameter that the software
> sends to the chip during initialization?
> The first issue is that a packet sometimes begins in one URB,
> and completes in the next URB, without an rx_desc at the start
> of the second URB. This I have already reported earlier.
Long run tests over the weekend, with the invalidate_dcache_range() call
> and completes in the next URB, without an rx_desc at the start
> of the second URB. This I have already reported earlier.
before the inner loop of r8152_rx_bottom(), turned up a few instances
where packets were truncated inside a 16384 byte URB buffer, without filling the URB.
[10.293228] r8152_rx_bottom: 4278 corrupted urb: head=9d210000 urb_offset=2856/3376 pkt_len(1518) exceeds remainder(496)
[10.304523] r8152_dump_rx_desc: 044805ee 40080000 006005dc 06020000 00000000 00000000 rx_len=1518
..
[ 16.660431] r8152_rx_bottom: 7802 corrupted urb: head=9d1f8000 urb_offset=1544/2064 pkt_len(1518) exceeds remainder(496)
[ 16.671719] r8152_dump_rx_desc: 044805ee 40480000 004005dc 46020006 00000000 00000000 rx_len=1518
The r8152.c driver attempted to build skb's for the entire packet size,
even though the 1518-byte packets had only 496-bytes of data in the URB.
It is not clear what the chip did with the rest of the packets in question,
but the next URBs in each case began with a new/real rx_desc and new packet.
There were also unconnected events during the test runs where the
test code noticed totally invalid rx_desc structs in the middles of URBs.
The stock driver would again have attempted to treat those as "valid" (ugh).
..
[ 10.273906] r8152_check_rx_desc: rx_desc looks bad.
[ 10.279012] r8152_rx_bottom: 4338 corrupted urb. head=9d210000 urb_offset=2856/3376 len_used=2880
[ 10.288196] r8152_dump_rx_desc: 312e3239 382e3836 0a20382e 3d435253 3034336d 202f3a30 rx_len=12857
..
[ 7.184565] r8152_check_rx_desc: rx_desc looks bad.
[ 7.189657] r8152_rx_bottom: 1678 corrupted urb. head=9d210000 urb_offset=2856/3376 len_used=2880
[ 7.198852] r8152_dump_rx_desc: a1388402 803c9001 84380810 a67c5c4c a77c782b c64c782b rx_len=1026
..
[ 10.351251] r8152_check_rx_desc: rx_desc looks bad.
[ 10.356356] r8152_rx_bottom: 4397 corrupted urb. head=9d20c000 urb_offset=4400/7984 len_used=4424
[ 10.365543] r8152_dump_rx_desc: 312e3239 382e3836 0a20382e 3d435253 3034336d 202f3a30 rx_len=12857
..
[ 10.518119] r8152_check_rx_desc: rx_desc looks bad.
[ 10.523204] r8152_rx_bottom: 4458 corrupted urb. head=9d210000 urb_offset=4400/7984 len_used=4424
[ 10.532416] r8152_dump_rx_desc: 54544120 6e3d5352 636f6c6f 65762c6b 343d7372 6464612c rx_len=16672
..
Hayes Wang
Nov 22, 2016, 11:00:06 PM11/22/16
to
Mark Lord [mailto:ml...@pobox.com]
> Sent: Friday, November 18, 2016 8:03 PM
[..]
> I have a USB analyzer, but it is difficult to figure out how
> to program an appropriate trigger point for the capture,
> since the problem (with 16KB URBs) takes minutes to hours
> or even days to trigger.
It is good. Our hw engineers real want it. Maybe you could send
a specific packet, and trigger it. You could allocate a skb and
fill the data which you prefer, and call
skb_queue_tail(&tp->tx_queue, skb);
[...]
sends rx_desc + packet + padding. The hw wouldn't split it to
two or more transmission. That is why I wonder who does it.
> But the driver, as written, sometimes accesses bytes outside
> of the 16KB URB buffer, because it trusts the non-existent
> rx_desc in these cases, and also because it accesses bytes
> from the rx_desc without first checking whether there is
> sufficient remaining space in the URB to hold an rx_desc.
I think I check them. According to the followning code,
list_for_each_safe(cursor, next, &rx_queue) {
struct rx_desc *rx_desc;
struct rx_agg *agg;
int len_used = 0;
struct urb *urb;
u8 *rx_data;
...
rx_desc = agg->head;
rx_data = agg->head;
len_used += sizeof(struct rx_desc); //<-- add the size of next rx_desc
while (urb->actual_length > len_used) {
struct net_device *netdev = tp->netdev;
struct net_device_stats *stats = &netdev->stats;
if (urb->actual_length < len_used)
break;
pkt_len -= CRC_SIZE;
rx_data += sizeof(struct rx_desc);
...
find_next_rx:
rx_data = rx_agg_align(rx_data + pkt_len + CRC_SIZE);
rx_desc = (struct rx_desc *)rx_data;
len_used = (int)(rx_data - (u8 *)agg->head);
len_used += sizeof(struct rx_desc); //<-- add the size of next rx_desc
}
submit:
...
}
The while loop would check if the next rx_desc is inside the urb
buffer, because the len_used includes the size of the next rx_desc.
Then, in the while loop, the len_used adds the packet size and check
with urb->actual_length again. These make sure the rx_desc and the
packet are inside the urb buffer. Except the urb->actual_length
is more than agg_buf_sz. However, I don't think it would happen.
Best Regards,
Hayes
> Sent: Friday, November 18, 2016 8:03 PM
[..]
> How does the RTL8152 know that the limit is 16KB,
> rather than some other number? Is this a hardwired number
> in the hardware, or is it a parameter that the software
> sends to the chip during initialization?
It is the limitation of the hardware.
> rather than some other number? Is this a hardwired number
> in the hardware, or is it a parameter that the software
> sends to the chip during initialization?
> I have a USB analyzer, but it is difficult to figure out how
> to program an appropriate trigger point for the capture,
> since the problem (with 16KB URBs) takes minutes to hours
> or even days to trigger.
a specific packet, and trigger it. You could allocate a skb and
fill the data which you prefer, and call
skb_queue_tail(&tp->tx_queue, skb);
[...]
> The first issue is that a packet sometimes begins in one URB,
> and completes in the next URB, without an rx_desc at the start
> of the second URB. This I have already reported earlier.
However, our hw engineer says it wouldn't happen. Our hw always
> and completes in the next URB, without an rx_desc at the start
> of the second URB. This I have already reported earlier.
sends rx_desc + packet + padding. The hw wouldn't split it to
two or more transmission. That is why I wonder who does it.
> But the driver, as written, sometimes accesses bytes outside
> of the 16KB URB buffer, because it trusts the non-existent
> rx_desc in these cases, and also because it accesses bytes
> from the rx_desc without first checking whether there is
> sufficient remaining space in the URB to hold an rx_desc.
list_for_each_safe(cursor, next, &rx_queue) {
struct rx_desc *rx_desc;
struct rx_agg *agg;
int len_used = 0;
struct urb *urb;
u8 *rx_data;
...
rx_desc = agg->head;
rx_data = agg->head;
len_used += sizeof(struct rx_desc); //<-- add the size of next rx_desc
while (urb->actual_length > len_used) {
struct net_device *netdev = tp->netdev;
struct net_device_stats *stats = &netdev->stats;
unsigned int pkt_len;
struct sk_buff *skb;
struct sk_buff *skb;
pkt_len = le32_to_cpu(rx_desc->opts1) & RX_LEN_MASK;
if (pkt_len < ETH_ZLEN)
break;
len_used += pkt_len;
if (pkt_len < ETH_ZLEN)
break;
if (urb->actual_length < len_used)
break;
pkt_len -= CRC_SIZE;
rx_data += sizeof(struct rx_desc);
...
find_next_rx:
rx_data = rx_agg_align(rx_data + pkt_len + CRC_SIZE);
rx_desc = (struct rx_desc *)rx_data;
len_used = (int)(rx_data - (u8 *)agg->head);
len_used += sizeof(struct rx_desc); //<-- add the size of next rx_desc
}
submit:
...
}
The while loop would check if the next rx_desc is inside the urb
buffer, because the len_used includes the size of the next rx_desc.
Then, in the while loop, the len_used adds the packet size and check
with urb->actual_length again. These make sure the rx_desc and the
packet are inside the urb buffer. Except the urb->actual_length
is more than agg_buf_sz. However, I don't think it would happen.
Best Regards,
Hayes
Mark Lord
Nov 23, 2016, 8:50:06 AM11/23/16
to
What does this code do:
>static void r8153_set_rx_early_size(struct r8152 *tp)
>{
> u32 mtu = tp->netdev->mtu;
> u32 ocp_data = (agg_buf_sz - mtu - VLAN_ETH_HLEN - VLAN_HLEN) / 4;
>
> ocp_write_word(tp, MCU_TYPE_USB, USB_RX_EARLY_SIZE, ocp_data);
>}
How is ocp_data used by the hardware?
Shouldn't the calculation also include sizeof(rx_desc) in there somewhere?
Thanks
>static void r8153_set_rx_early_size(struct r8152 *tp)
>{
> u32 mtu = tp->netdev->mtu;
> u32 ocp_data = (agg_buf_sz - mtu - VLAN_ETH_HLEN - VLAN_HLEN) / 4;
>
> ocp_write_word(tp, MCU_TYPE_USB, USB_RX_EARLY_SIZE, ocp_data);
>}
How is ocp_data used by the hardware?
Shouldn't the calculation also include sizeof(rx_desc) in there somewhere?
Thanks
Hayes Wang
Nov 23, 2016, 10:20:05 AM11/23/16
to
Mark Lord [ml...@pobox.com]
[...]
It is like delay completion. It is used to reduce the loading of CPU
by letting a transfer contain more data to reduce the number of
transfers.
> How is ocp_data used by the hardware?
> Shouldn't the calculation also include sizeof(rx_desc) in there somewhere?
The algorithm is from our hw engineers, and it should be
(agg_buf_sz - packet size) / 8
You could refer to commit a59e6d815226 ("r8152: correct the rx early size").
[...]
> What does this code do:
> >static void r8153_set_rx_early_size(struct r8152 *tp)
> >{
> > u32 mtu = tp->netdev->mtu;
> > u32 ocp_data = (agg_buf_sz - mtu - VLAN_ETH_HLEN - VLAN_HLEN) / 4;
> >
> > ocp_write_word(tp, MCU_TYPE_USB, USB_RX_EARLY_SIZE, ocp_data);
> >}
This only works for RTL8153. However, what you use is RTL8152.
> >static void r8153_set_rx_early_size(struct r8152 *tp)
> >{
> > u32 mtu = tp->netdev->mtu;
> > u32 ocp_data = (agg_buf_sz - mtu - VLAN_ETH_HLEN - VLAN_HLEN) / 4;
> >
> > ocp_write_word(tp, MCU_TYPE_USB, USB_RX_EARLY_SIZE, ocp_data);
> >}
It is like delay completion. It is used to reduce the loading of CPU
by letting a transfer contain more data to reduce the number of
transfers.
> How is ocp_data used by the hardware?
> Shouldn't the calculation also include sizeof(rx_desc) in there somewhere?
(agg_buf_sz - packet size) / 8
You could refer to commit a59e6d815226 ("r8152: correct the rx early size").
Mark Lord
Nov 23, 2016, 2:30:04 PM11/23/16
to
Right now I am working quite hard trying to narrow things down exactly.
You are correct that the driver does appear to be careful about accesses
beyond the filled portion of a URB buffer -- for some reason I thought
the original driver had issues there, but looking again it does not seem to.
One idea that is now looking more likely:
Things could be suffering from speculative CPU accesses to RAM
(the system here has non-coherent d-cache/RAM).
This could incorrectly pre-load data from adjacent URB buffers
into the d-cache, creating coherency issues. I am testing now
with cacheline-sized guard zones between the buffers to see if
that is the issue or not.
Worth repeating: other dongles we have tried, eg. those using the asix driver,
do not cause us any troubles here. Only the r8152 dongles do.
The other drivers do not use hardware checksums, so even if they did
incur similar bad packets, whatever the reason, those bad packets
would be detected/rejected by the Linux network stack (software checksums).
So everything appears to behave fine with them, as it does with
the r8152 driver when hardware checksums are disabled.
Still trying to understand exactly how these errors are happening.
It takes a very long time to do a conclusive test of anything here,
and I only have the hardware for a day or two a week.
So my apologies if I am slow in getting back to you on stuff.
Cheers
Hayes Wang
Nov 23, 2016, 10:30:04 PM11/23/16
to
Mark Lord [mailto:ml...@pobox.com]
> Sent: Thursday, November 24, 2016 3:30 AM
[...]
RTL8152 on raspberry pi platform with iperf more than 17 hours. And
I don't see any invalid rx descriptor. I don't think it really is the
issue about our hw.
Best Regards,
Hayes
> Sent: Thursday, November 24, 2016 3:30 AM
[...]
> Worth repeating: other dongles we have tried, eg. those using the asix driver,
> do not cause us any troubles here. Only the r8152 dongles do.
I couldn't tell you why you would see the problem. I have tested the
> do not cause us any troubles here. Only the r8152 dongles do.
RTL8152 on raspberry pi platform with iperf more than 17 hours. And
I don't see any invalid rx descriptor. I don't think it really is the
issue about our hw.
Best Regards,
Hayes
Hayes Wang
Nov 24, 2016, 7:40:06 AM11/24/16
to
Mark Lord [mailto:ml...@pobox.com]
> Sent: Wednesday, November 23, 2016 9:41 PM
[...]
The size of rx descriptor should be calculated, too.
Best Regards,
Hayes
> Sent: Wednesday, November 23, 2016 9:41 PM
[...]
> >static void r8153_set_rx_early_size(struct r8152 *tp)
> >{
> > u32 mtu = tp->netdev->mtu;
> > u32 ocp_data = (agg_buf_sz - mtu - VLAN_ETH_HLEN - VLAN_HLEN) / 4;
> >
> > ocp_write_word(tp, MCU_TYPE_USB, USB_RX_EARLY_SIZE, ocp_data);
> >}
>
> How is ocp_data used by the hardware?
> Shouldn't the calculation also include sizeof(rx_desc) in there somewhere?
I check your question with our hw engineers, and you are right.
> >{
> > u32 mtu = tp->netdev->mtu;
> > u32 ocp_data = (agg_buf_sz - mtu - VLAN_ETH_HLEN - VLAN_HLEN) / 4;
> >
> > ocp_write_word(tp, MCU_TYPE_USB, USB_RX_EARLY_SIZE, ocp_data);
> >}
>
> How is ocp_data used by the hardware?
> Shouldn't the calculation also include sizeof(rx_desc) in there somewhere?
The size of rx descriptor should be calculated, too.
Best Regards,
Hayes
Mark Lord
Nov 24, 2016, 7:40:10 AM11/24/16
to
Oddly, adding a couple of memory barriers to specific places in the driver
does help, A LOT. Still not 100%, but it did pass 1800 reboot tests over night
with only three bad rx_desc's reported.
That's a new record here for the driver using kmalloc'd buffers,
and put reliability on par with using non-cacheable buffers.
Any way we look at it though, the chip/driver are simply unreliable,
and relying upon hardware checksums (which fail due to the driver
looking at garbage rather than the checksum bits) leads to data corruption.
Cheers
Hayes Wang
Nov 24, 2016, 8:30:07 AM11/24/16
to
Mark Lord [mailto:ml...@pobox.com]
> Sent: Thursday, November 24, 2016 8:31 PM
[...]
If it is the issue about memory, I think the host driver ought
to deal with it, because it handles the DMA.
Besides, it doesn't seem to occur for all platforms. I have
tested the iperf more than 26 hours, and it still works fine.
I think I would get the same result on x86 or x86_64 platform.
Best Regards,
Hayes
> Sent: Thursday, November 24, 2016 8:31 PM
[...]
> Nope. Guard zones did not fix it, so it's probably not a prefetch issue.
> Oddly, adding a couple of memory barriers to specific places in the driver
> does help, A LOT. Still not 100%, but it did pass 1800 reboot tests over night
> with only three bad rx_desc's reported.
>
> That's a new record here for the driver using kmalloc'd buffers,
> and put reliability on par with using non-cacheable buffers.
>
> Any way we look at it though, the chip/driver are simply unreliable,
> and relying upon hardware checksums (which fail due to the driver
> looking at garbage rather than the checksum bits) leads to data corruption.
I don't think the garbage results from our driver or device.
> Oddly, adding a couple of memory barriers to specific places in the driver
> does help, A LOT. Still not 100%, but it did pass 1800 reboot tests over night
> with only three bad rx_desc's reported.
>
> That's a new record here for the driver using kmalloc'd buffers,
> and put reliability on par with using non-cacheable buffers.
>
> Any way we look at it though, the chip/driver are simply unreliable,
> and relying upon hardware checksums (which fail due to the driver
> looking at garbage rather than the checksum bits) leads to data corruption.
If it is the issue about memory, I think the host driver ought
to deal with it, because it handles the DMA.
Besides, it doesn't seem to occur for all platforms. I have
tested the iperf more than 26 hours, and it still works fine.
I think I would get the same result on x86 or x86_64 platform.
Best Regards,
Hayes
David Miller
Nov 24, 2016, 11:30:05 AM11/24/16
to
From: Hayes Wang <haye...@realtek.com>
Date: Thu, 24 Nov 2016 13:26:55 +0000
> I don't think the garbage results from our driver or device.
This is my impression with what has been presented so far as well.
Date: Thu, 24 Nov 2016 13:26:55 +0000
> I don't think the garbage results from our driver or device.
David Miller
Nov 24, 2016, 11:30:07 AM11/24/16
to
From: Mark Lord <ml...@pobox.com>
Date: Thu, 24 Nov 2016 07:31:17 -0500
> Any way we look at it though, the chip/driver are simply unreliable,
> and relying upon hardware checksums (which fail due to the driver
> looking at garbage rather than the checksum bits) leads to data
> corruption.
If the cpu/DMA implementation is the problem, then turning off
checksums is not an appropriate fix at all.
In fact, we have no idea what the cause is yet.
That makes turning off random features no more than grasping at straws
and makes no sense at all upstream.
It may make sense for you to do such a change locally in _your_ tree
to fix your situation temporarily. But upstream we shouldn't be doing
it.
Date: Thu, 24 Nov 2016 07:31:17 -0500
> Any way we look at it though, the chip/driver are simply unreliable,
> and relying upon hardware checksums (which fail due to the driver
> looking at garbage rather than the checksum bits) leads to data
> corruption.
checksums is not an appropriate fix at all.
In fact, we have no idea what the cause is yet.
That makes turning off random features no more than grasping at straws
and makes no sense at all upstream.
It may make sense for you to do such a change locally in _your_ tree
to fix your situation temporarily. But upstream we shouldn't be doing
it.
Mark Lord
Nov 24, 2016, 11:50:06 AM11/24/16
to
The latest run with the debug code I posted here earlier just spat out this below.
Using coherent (guarded, non-cacheable) RX buffers, with mb() calls:
[ 15.199157] r8152_check_rx_desc: rx_desc looks bad.
[ 15.204270] r8152_rx_bottom: offset=0/3376 bad rx_desc
[ 15.209584] r8152_dump_rx_desc: 3d435253 3034336d 202f3a30 47524154 2f3d5445 3034336d rx_len=21075
The bad data in this case is ASCII:
"SRC=m3400:/ TARGET=/m340"
This data is what is seen in /run/mount/utab, a file that is read/written over NFS on each boot.
"SRC=m3400:/ TARGET=/m3400 ROOT=/ ATTRS=nolock,addr=192.168.8.1\n"
But how does this ASCII data end up at offset zero of the rx buffer??
Not possible -- this isn't even stale data, because only an rx_desc could
be at that offset in that buffer.
So even if this were a platform memory coherency issue, one should still
never see ASCII data at the beginning of an rx buffer. The driver NEVER
writes anything to the rx buffers. Only the USB hardware ever does.
And only the r8152 dongle/driver exhibits this issue.
Other USB dongles do not. They *might* still have such issues,
but because they use software checksums, the bad packets are caught/rejected.
The r8152 driver, without the debug/error-checking additions, would have tried
to interpret that ASCII data as an "rx_desc", and would have interpreted the
"checksum bits" therein as "valid checksum", and the packet would have passed
through the network stack, corrupting data.
This driver worked without noticeable issues in 3.12.xx.
It hasn't worked since. Because it now trusts the hardware checksums,
without first checking to see if noise-on-the-line or something else
has corrupted the data before receipt in the rx buffer.
Based on the above capture, I suspect a bug in the chip itself, which perhaps
is only manifest on a very slow CPU.
Nobody here tests with slow CPUs, but they are very prevalent in embedded space.
And very few people use USB network dongles nowadays either, as nearly all "computers"
have built-in networking. The market for USB network dongles is mostly embedded space.
Ergo.
Cheers
Mark Lord
Nov 24, 2016, 12:10:06 PM11/24/16
to
On 16-11-24 11:43 AM, Mark Lord wrote:
..
..
> But how does this ASCII data end up at offset zero of the rx buffer??
> Not possible -- this isn't even stale data, because only an rx_desc could
> be at that offset in that buffer.
Answering my own question here, I suspect it ends up there as a result
> Not possible -- this isn't even stale data, because only an rx_desc could
> be at that offset in that buffer.
of overrunning the previous URB. So I have updated the test copy of the driver
here now to check for that exact situation. It's running now, but could take
hours or a day for the bug to occur again.
It seems I am being overly helpful here.
Perhaps I should have just stopped with the original regression report
(driver works in 3.12.xx, fails on all newer kernels, as a result of enabling
hardware checksums).
Had I left it there, one might reasonably expect the onus to be on the driver
developer to sort it out, with me providing retests of supplied patches as need be.
But I've gone WAY BEYOND that, even questioning the sanity of the platform on
which it is being used, just to avoid blaming a buggy USB dongle for some other issue.
And this is leading people to suspect that I really think the platform is buggy.
It isn't. It's been running for years, with a variety of USB hardware attached,
and nary a problem. Except with this r8152 dongle on kernels > 3.12.
So, yeah, the driver is fixed in our local tree, and has been for some time now.
I just was hoping that perhaps others might be interested in it too,
since the bug (whatever it is) corrupts data on the NFS server.
Cheers
David Miller
Nov 24, 2016, 12:20:05 PM11/24/16
to
From: Mark Lord <ml...@pobox.com>
Date: Thu, 24 Nov 2016 12:00:15 -0500
> It seems I am being overly helpful here.
Either you want to cry or you want to keep helping us track down
this problem. It is your choice, and your choice alone.
Please do not pretend otherwise, everyone else in this thread is
operating with the best intentions and wants to see this through
to a full analysis and a proper solution for the corruptions.
Thank you.
Date: Thu, 24 Nov 2016 12:00:15 -0500
> It seems I am being overly helpful here.
this problem. It is your choice, and your choice alone.
Please do not pretend otherwise, everyone else in this thread is
operating with the best intentions and wants to see this through
to a full analysis and a proper solution for the corruptions.
Thank you.
David Miller
Nov 24, 2016, 12:20:05 PM11/24/16
to
From: Mark Lord <ml...@pobox.com>
Date: Thu, 24 Nov 2016 11:43:53 -0500
> So even if this were a platform memory coherency issue, one should
> still never see ASCII data at the beginning of an rx buffer.
I'm not so convinced, since this is the kind of random corruption one
would expect to see when dealing with virtual caches that have
aliasing or similar issues.
Writes to address X that show up at address Y or not at all are
precisely the signature of virtual cache aliasing problems.
Is it a case of the chip writing to X but the cpu is still seeing
stale data from a previous CPU store?
For NFS the cpu is writing into the page cache, so we know that
cpu side stores are where the ASCII text is coming from.
Now is the r8152 buffer one that the USB host controller is DMA'ing
into directly, or is it one that SWIOMMU or similar bounce buffering
is copying into? In the latter case we are doing cpu stores into
the area and the writes aren't coming from the device.
Date: Thu, 24 Nov 2016 11:43:53 -0500
> So even if this were a platform memory coherency issue, one should
> still never see ASCII data at the beginning of an rx buffer.
would expect to see when dealing with virtual caches that have
aliasing or similar issues.
Writes to address X that show up at address Y or not at all are
precisely the signature of virtual cache aliasing problems.
Is it a case of the chip writing to X but the cpu is still seeing
stale data from a previous CPU store?
For NFS the cpu is writing into the page cache, so we know that
cpu side stores are where the ASCII text is coming from.
Now is the r8152 buffer one that the USB host controller is DMA'ing
into directly, or is it one that SWIOMMU or similar bounce buffering
is copying into? In the latter case we are doing cpu stores into
the area and the writes aren't coming from the device.
Mark Lord
Nov 24, 2016, 1:40:05 PM11/24/16
to
is being directly DMA'd into. And the USB layer does an invalidate_dcache
on that entire buffer before initiating the DMA (confirmed via printk).
The driver itself NEVER writes anything to that buffer,
and nobody else has a pointer to it other than the USB host controller,
so there's nothing else that can write to it either.
According to the driver writer, the chip should only ever write a fresh
rx_desc struct at the beginning of a buffer, never ASCII data.
So how does that buffer end up containing ASCII data from the NFS transfers?
The only explanation I can see, is if the URB itself contains
the data that we see in the URB buffer. Which is what one would expect.
So for that to happen, the ethernet chip must be transferring that data.
The thing that is special about the situation here, is that the processor
is very slow (800Mhz 32-bit powerpc), and very busy elsewhere.
So it can easily fall way behind in servicing the ethernet dongle,
something that never happens with most modern faster machines.
So perhaps this results in a FIFO overflow somewhere in the chip.
We can boot/run this same machine from a USB memory stick, and nary a problem.
Ditto for other types of ethernet dongles.
But boot/run from that specific ethernet dongle, and we get regular
random segfaults from corrupted page fetches over NFS.
The only end-to-end data integrity available here is the rx checksum,
when verified by software rather than trusting it to the chip/driver.
One thought: bulk data streams are byte streams, not packets.
Scheduling on the USB bus can break up larger transfers across
multiple in-kernel buffers. A "real" URB buffer on USB2 is max 512 bytes.
The driver is providing 16384-byte buffers, and assumes that data will
never spill over from one such buffer to the next.
Yet the observations here consistently show otherwise.
Cheers
--
Mark Lord
Greg KH
Nov 24, 2016, 1:50:06 PM11/24/16
to
On Thu, Nov 24, 2016 at 11:43:53AM -0500, Mark Lord wrote:
> On 16-11-24 11:21 AM, David Miller wrote:
> > From: Hayes Wang <haye...@realtek.com>
> > Date: Thu, 24 Nov 2016 13:26:55 +0000
> >
> > > I don't think the garbage results from our driver or device.
> > This is my impression with what has been presented so far as well.
>
> It's not garbage.
>
> The latest run with the debug code I posted here earlier just spat out this below.
> Using coherent (guarded, non-cacheable) RX buffers, with mb() calls:
>
> [ 15.199157] r8152_check_rx_desc: rx_desc looks bad.
> [ 15.204270] r8152_rx_bottom: offset=0/3376 bad rx_desc
> [ 15.209584] r8152_dump_rx_desc: 3d435253 3034336d 202f3a30 47524154 2f3d5445 3034336d rx_len=21075
>
> The bad data in this case is ASCII:
>
> "SRC=m3400:/ TARGET=/m340"
Have you tried using usbmon? Details for how to use it is in
> On 16-11-24 11:21 AM, David Miller wrote:
> > From: Hayes Wang <haye...@realtek.com>
> > Date: Thu, 24 Nov 2016 13:26:55 +0000
> >
> > > I don't think the garbage results from our driver or device.
> > This is my impression with what has been presented so far as well.
>
> It's not garbage.
>
> The latest run with the debug code I posted here earlier just spat out this below.
> Using coherent (guarded, non-cacheable) RX buffers, with mb() calls:
>
> [ 15.199157] r8152_check_rx_desc: rx_desc looks bad.
> [ 15.204270] r8152_rx_bottom: offset=0/3376 bad rx_desc
> [ 15.209584] r8152_dump_rx_desc: 3d435253 3034336d 202f3a30 47524154 2f3d5445 3034336d rx_len=21075
>
> The bad data in this case is ASCII:
>
> "SRC=m3400:/ TARGET=/m340"
Documentation/usbmon.txt and it might help you rule out the driver vs.
the USB host controller issues as it sees the raw data the USB host
controller sees before it sends it to the driver.
thanks,
greg k-h
Mark Lord
Nov 24, 2016, 1:50:07 PM11/24/16
to
On 16-11-24 01:34 PM, Mark Lord wrote:
>From tracing through the powerpc arch code, this is the buffer that
> is being directly DMA'd into. And the USB layer does an invalidate_dcache
> on that entire buffer before initiating the DMA (confirmed via printk).
Slight correction: the invalidate_dcache_range() is only done when
>From tracing through the powerpc arch code, this is the buffer that
> is being directly DMA'd into. And the USB layer does an invalidate_dcache
> on that entire buffer before initiating the DMA (confirmed via printk).
using kmalloc'd buffers. I have converted the driver here
to use usb_alloc_coherent() instead, so that now gets skipped
since the memory is never cached.
Mark Lord
Nov 24, 2016, 2:00:04 PM11/24/16
to
On 16-11-24 01:42 PM, Greg KH wrote:
>
> Have you tried using usbmon?
This system is running rootfs over NFS, so usbmon
>
> Have you tried using usbmon?
isn't realistically going to be usable in that scenario
without a lot of reconfiguration of the setup (which in itself
might obscure the original problem).
There is a hardware USB analyzer in the building though.
But it requires a MS-Windows machine (very scarce here, I don't have one)
for the incredibly user-unfriendly software. I'm not sure if it can be
setup to stop the trace somehow at the right point either, as it takes
overnight runs usually to catch an occurrence of the issue.
I also seem to recall that it only exports data captures in a proprietary
format that only that brand of software/device can read, but perhaps
that might not be true. Would still need to find a MS-Windows machine/license
to even check it out though.
Greg KH
Nov 24, 2016, 2:10:04 PM11/24/16
to
On Thu, Nov 24, 2016 at 01:34:08PM -0500, Mark Lord wrote:
> One thought: bulk data streams are byte streams, not packets.
> Scheduling on the USB bus can break up larger transfers across
> multiple in-kernel buffers. A "real" URB buffer on USB2 is max 512 bytes.
> The driver is providing 16384-byte buffers, and assumes that data will
> never spill over from one such buffer to the next.
> Yet the observations here consistently show otherwise.
Wait, how do you know that data will not spill over? What is making
> One thought: bulk data streams are byte streams, not packets.
> Scheduling on the USB bus can break up larger transfers across
> multiple in-kernel buffers. A "real" URB buffer on USB2 is max 512 bytes.
> The driver is providing 16384-byte buffers, and assumes that data will
> never spill over from one such buffer to the next.
> Yet the observations here consistently show otherwise.
that guarantee? Will the USB device send a "zero packet" in order to
show that all of the "logical" data is now sent for this specific
endpoint? Is there some sort of "framing" that the device does with the
USB data so that the driver "knows" where the end of packet is?
Check the zero-packet stuff for this device, that's tripped up many a
USB driver writer over the years, myself included.
thanks,
greg k-h
Greg KH
Nov 24, 2016, 2:20:06 PM11/24/16
to
On Thu, Nov 24, 2016 at 02:10:36PM -0500, Mark Lord wrote:
> On 16-11-24 02:00 PM, Greg KH wrote:
> > On Thu, Nov 24, 2016 at 01:34:08PM -0500, Mark Lord wrote:
> >> One thought: bulk data streams are byte streams, not packets.
> >> Scheduling on the USB bus can break up larger transfers across
> >> multiple in-kernel buffers. A "real" URB buffer on USB2 is max 512 bytes.
> >> The driver is providing 16384-byte buffers, and assumes that data will
> >> never spill over from one such buffer to the next.
> >> Yet the observations here consistently show otherwise.
> >
> > Wait, how do you know that data will not spill over? What is making
> > that guarantee? Will the USB device send a "zero packet" in order to
> > show that all of the "logical" data is now sent for this specific
> > endpoint? Is there some sort of "framing" that the device does with the
> > USB data so that the driver "knows" where the end of packet is?
>
> Exactly my point.
> On 16-11-24 02:00 PM, Greg KH wrote:
> > On Thu, Nov 24, 2016 at 01:34:08PM -0500, Mark Lord wrote:
> >> One thought: bulk data streams are byte streams, not packets.
> >> Scheduling on the USB bus can break up larger transfers across
> >> multiple in-kernel buffers. A "real" URB buffer on USB2 is max 512 bytes.
> >> The driver is providing 16384-byte buffers, and assumes that data will
> >> never spill over from one such buffer to the next.
> >> Yet the observations here consistently show otherwise.
> >
> > Wait, how do you know that data will not spill over? What is making
> > that guarantee? Will the USB device send a "zero packet" in order to
> > show that all of the "logical" data is now sent for this specific
> > endpoint? Is there some sort of "framing" that the device does with the
> > USB data so that the driver "knows" where the end of packet is?
>
>
> > Check the zero-packet stuff for this device, that's tripped up many a
> > USB driver writer over the years, myself included.
>
> I haven't tripped over it myself, but only because we were careful
> > Check the zero-packet stuff for this device, that's tripped up many a
> > USB driver writer over the years, myself included.
>
> to allow for such in the USB drivers I have worked on.
>
> The r8152 driver just assumes it never happens.
Assumes what? That the host will always consume data faster than the
device can create it? If so, that sounds like your real problem
there...
good luck!
greg k-h
Mark Lord
Nov 24, 2016, 2:20:08 PM11/24/16
to
On 16-11-24 02:00 PM, Greg KH wrote:
> On Thu, Nov 24, 2016 at 01:34:08PM -0500, Mark Lord wrote:
>> One thought: bulk data streams are byte streams, not packets.
>> Scheduling on the USB bus can break up larger transfers across
>> multiple in-kernel buffers. A "real" URB buffer on USB2 is max 512 bytes.
>> The driver is providing 16384-byte buffers, and assumes that data will
>> never spill over from one such buffer to the next.
>> Yet the observations here consistently show otherwise.
>
> Wait, how do you know that data will not spill over? What is making
> that guarantee? Will the USB device send a "zero packet" in order to
> show that all of the "logical" data is now sent for this specific
> endpoint? Is there some sort of "framing" that the device does with the
> USB data so that the driver "knows" where the end of packet is?
Exactly my point.
>> One thought: bulk data streams are byte streams, not packets.
>> Scheduling on the USB bus can break up larger transfers across
>> multiple in-kernel buffers. A "real" URB buffer on USB2 is max 512 bytes.
>> The driver is providing 16384-byte buffers, and assumes that data will
>> never spill over from one such buffer to the next.
>> Yet the observations here consistently show otherwise.
>
> Wait, how do you know that data will not spill over? What is making
> that guarantee? Will the USB device send a "zero packet" in order to
> show that all of the "logical" data is now sent for this specific
> endpoint? Is there some sort of "framing" that the device does with the
> USB data so that the driver "knows" where the end of packet is?
> Check the zero-packet stuff for this device, that's tripped up many a
> USB driver writer over the years, myself included.
Francois Romieu
Nov 24, 2016, 7:30:05 PM11/24/16
to
Mark Lord <ml...@pobox.com> :
[...]
received file. The ethernet chip/usb host does not write anything in it.
There could be a device or a driver problem but it may not be the real
problem.
So far the analysis focused on "how was this corrupted content written into
this receive buffer page ?". If I read David correctly (?) the "nobody
else has a pointer to it other than the USB host controller" point may be
replaced with "the pointer to it aliases some already used page".
--
Ueimor
[...]
> >From tracing through the powerpc arch code, this is the buffer that
> is being directly DMA'd into. And the USB layer does an invalidate_dcache
> on that entire buffer before initiating the DMA (confirmed via printk).
>
> The driver itself NEVER writes anything to that buffer,
> and nobody else has a pointer to it other than the USB host controller,
> so there's nothing else that can write to it either.
>
> According to the driver writer, the chip should only ever write a fresh
> rx_desc struct at the beginning of a buffer, never ASCII data.
>
> So how does that buffer end up containing ASCII data from the NFS transfers?
Through aliasing the URB was given a page that contains said (previously)
> is being directly DMA'd into. And the USB layer does an invalidate_dcache
> on that entire buffer before initiating the DMA (confirmed via printk).
>
> The driver itself NEVER writes anything to that buffer,
> and nobody else has a pointer to it other than the USB host controller,
> so there's nothing else that can write to it either.
>
> According to the driver writer, the chip should only ever write a fresh
> rx_desc struct at the beginning of a buffer, never ASCII data.
>
> So how does that buffer end up containing ASCII data from the NFS transfers?
received file. The ethernet chip/usb host does not write anything in it.
There could be a device or a driver problem but it may not be the real
problem.
So far the analysis focused on "how was this corrupted content written into
this receive buffer page ?". If I read David correctly (?) the "nobody
else has a pointer to it other than the USB host controller" point may be
replaced with "the pointer to it aliases some already used page".
--
Ueimor
Mark Lord
Nov 24, 2016, 10:50:04 PM11/24/16
to
On 16-11-24 07:27 PM, Francois Romieu wrote:
>
> Through aliasing the URB was given a page that contains said (previously)
> received file. The ethernet chip/usb host does not write anything in it.
I don't see how that could be possible. Please elaborate.
>
> Through aliasing the URB was given a page that contains said (previously)
> received file. The ethernet chip/usb host does not write anything in it.
The URB buffers are statically allocated by the driver at probe time,
ten of them in all, allocated with usb_alloc_coherent() in the copy of
the driver I am testing with.
There is no possibility for them to be used for anything other than
USB receive buffers, for this driver only. Nothing in the driver
or kernel ever writes to those buffers after initial allocation,
and only the driver and USB host controller ever have pointers to the buffers.
--
Mark Lord
Hayes Wang
Nov 25, 2016, 1:20:05 AM11/25/16
to
Mark Lord [mailto:ml...@pobox.com]
> Sent: Thursday, November 24, 2016 11:25 PM
[...]
> x86 has near fully-coherent memory, so it is the "easy" platform
> to get things working on. But Linux supports a very diverse number
> of platforms, with varying degrees of cache/memory coherency,
> and it can be tricky for things to work correctly on all of them.
However, I have test iperf on raspberry pi v1 which you suggest
for more than one day. I still couldn't reproduce your issue.
> If you are testing with the driver as currently in 4.4.34,
> then you won't even notice when things are screwing up,
> because the driver just silently drops packets.
> Or it passes them on without noticing that they have bad data.
I only drop the packet silently when the rx descriptor outside
the urb buffer. Then, I check the rx descriptor before checking
the length of the packet.
> Here (attached) is the instrumented driver I am using here now.
> I suggest you use it or something similar when testing,
> and not the stock driver.
I would test it again with your driver.
[...]
> Also, unrelated, but inside r8152_submit_rx() there is this code:
>
> /* The rx would be stopped, so skip submitting */
> if (test_bit(RTL8152_UNPLUG, &tp->flags) ||
> !test_bit(WORK_ENABLE, &tp->flags)
> || !netif_carrier_ok(tp->netdev))
> return 0;
>
> If that "return 0" statement is ever executed, doesn't it result
> in the loss/leak of a buffer?
They would be found back by calling rtl_start_rx(), when the rx
is restarted.
Best Regards,
Hayes
> Sent: Thursday, November 24, 2016 11:25 PM
[...]
> x86 has near fully-coherent memory, so it is the "easy" platform
> to get things working on. But Linux supports a very diverse number
> of platforms, with varying degrees of cache/memory coherency,
> and it can be tricky for things to work correctly on all of them.
However, I have test iperf on raspberry pi v1 which you suggest
for more than one day. I still couldn't reproduce your issue.
> If you are testing with the driver as currently in 4.4.34,
> then you won't even notice when things are screwing up,
> because the driver just silently drops packets.
> Or it passes them on without noticing that they have bad data.
I only drop the packet silently when the rx descriptor outside
the urb buffer. Then, I check the rx descriptor before checking
the length of the packet.
> Here (attached) is the instrumented driver I am using here now.
> I suggest you use it or something similar when testing,
> and not the stock driver.
I would test it again with your driver.
[...]
> Also, unrelated, but inside r8152_submit_rx() there is this code:
>
> /* The rx would be stopped, so skip submitting */
> if (test_bit(RTL8152_UNPLUG, &tp->flags) ||
> !test_bit(WORK_ENABLE, &tp->flags)
> || !netif_carrier_ok(tp->netdev))
> return 0;
>
> If that "return 0" statement is ever executed, doesn't it result
> in the loss/leak of a buffer?
They would be found back by calling rtl_start_rx(), when the rx
is restarted.
Best Regards,
Hayes
Hayes Wang
Nov 25, 2016, 1:40:05 AM11/25/16
to
Mark Lord [mailto:ml...@pobox.com]
> Sent: Friday, November 25, 2016 12:44 AM
[...]
commit 93fe9b183840 ("r8152: reset the bmu"). However, it should
only occur for the first urb buffer after rx is reset. I don't
think you would reset the rx frequently, so the situation seems
to be different.
Best Regards,
Hayes
> Sent: Friday, November 25, 2016 12:44 AM
[...]
> The bad data in this case is ASCII:
>
> "SRC=m3400:/ TARGET=/m340"
>
> This data is what is seen in /run/mount/utab, a file that is read/written over NFS on
> each boot.
>
> "SRC=m3400:/ TARGET=/m3400 ROOT=/
> ATTRS=nolock,addr=192.168.8.1\n"
>
> But how does this ASCII data end up at offset zero of the rx buffer??
> Not possible -- this isn't even stale data, because only an rx_desc could
> be at that offset in that buffer.
>
> So even if this were a platform memory coherency issue, one should still
> never see ASCII data at the beginning of an rx buffer. The driver NEVER
> writes anything to the rx buffers. Only the USB hardware ever does.
>
> And only the r8152 dongle/driver exhibits this issue.
> Other USB dongles do not. They *might* still have such issues,
> but because they use software checksums, the bad packets are caught/rejected.
Do you test it by rebooting? Maybe you could try a patch
>
> "SRC=m3400:/ TARGET=/m340"
>
> This data is what is seen in /run/mount/utab, a file that is read/written over NFS on
> each boot.
>
> "SRC=m3400:/ TARGET=/m3400 ROOT=/
> ATTRS=nolock,addr=192.168.8.1\n"
>
> But how does this ASCII data end up at offset zero of the rx buffer??
> Not possible -- this isn't even stale data, because only an rx_desc could
> be at that offset in that buffer.
>
> So even if this were a platform memory coherency issue, one should still
> never see ASCII data at the beginning of an rx buffer. The driver NEVER
> writes anything to the rx buffers. Only the USB hardware ever does.
>
> And only the r8152 dongle/driver exhibits this issue.
> Other USB dongles do not. They *might* still have such issues,
> but because they use software checksums, the bad packets are caught/rejected.
commit 93fe9b183840 ("r8152: reset the bmu"). However, it should
only occur for the first urb buffer after rx is reset. I don't
think you would reset the rx frequently, so the situation seems
to be different.
Best Regards,
Hayes
Hayes Wang
Nov 25, 2016, 2:00:05 AM11/25/16
to
not RTL8152.
Best Regards,
Hayes
Hayes Wang
Nov 25, 2016, 5:00:05 AM11/25/16
to
Mark Lord [mailto:ml...@pobox.com]
> Sent: Friday, November 25, 2016 3:11 AM
[...]
What is the value of /sys/bus/usb/devices/.../power/control ?
Could you make sure it is "on" and try again?
Or you could call usb_disable_autosuspend() in probe().
Best Regards,
Hayes
> Sent: Friday, November 25, 2016 3:11 AM
[...]
Could you make sure it is "on" and try again?
Or you could call usb_disable_autosuspend() in probe().
Best Regards,
Hayes
Greg KH
Nov 25, 2016, 5:00:05 AM11/25/16
to
On Thu, Nov 24, 2016 at 10:49:33PM -0500, Mark Lord wrote:
> There is no possibility for them to be used for anything other than
> USB receive buffers, for this driver only. Nothing in the driver
> or kernel ever writes to those buffers after initial allocation,
> and only the driver and USB host controller ever have pointers to the buffers.
You really are going to have to break out that USB monitor to verify
> There is no possibility for them to be used for anything other than
> USB receive buffers, for this driver only. Nothing in the driver
> or kernel ever writes to those buffers after initial allocation,
> and only the driver and USB host controller ever have pointers to the buffers.
that this is the data coming across the wire. Note, there are "cheap"
USB monitors that can be quite handy and that work on Linux:
http://www.totalphase.com/products/beagle-usb12/
Or most high-end scopes have a USB mode that you can use to catch stuff
like this (but they are usually harder to use/trigger and only store a
very limited buffer).
good luck!
greg k-h
Mark Lord
Nov 25, 2016, 7:50:06 AM11/25/16
to
On 16-11-25 04:53 AM, Greg KH wrote:
> Note, there are "cheap" USB monitors that can be quite handy and that work on Linux:
> http://www.totalphase.com/products/beagle-usb12/
USD$455/each in quantity, vs. USD$8 for the USB ethernet dongle.
> Note, there are "cheap" USB monitors that can be quite handy and that work on Linux:
> http://www.totalphase.com/products/beagle-usb12/
Mark Lord
Nov 25, 2016, 7:50:07 AM11/25/16
to
On 16-11-25 01:51 AM, Hayes Wang wrote:
>
> Forgive me. I provide wrong information. This is about RTL8153, not RTL8152.
No problem. Thanks for trying though.
>
> Forgive me. I provide wrong information. This is about RTL8153, not RTL8152.
Mark Lord
Nov 25, 2016, 7:50:08 AM11/25/16
to
On 16-11-25 01:11 AM, Hayes Wang wrote:
> Mark Lord [mailto:ml...@pobox.com]
..
entirely sure about the control flow around stop/restart there.
Thanks.
> Mark Lord [mailto:ml...@pobox.com]
..
>> If that "return 0" statement is ever executed, doesn't it result
>> in the loss/leak of a buffer?
>
> They would be found back by calling rtl_start_rx(), when the rx
> is restarted.
Good. I figured it was probably something like that, but wasn't
>> in the loss/leak of a buffer?
>
> They would be found back by calling rtl_start_rx(), when the rx
> is restarted.
entirely sure about the control flow around stop/restart there.
Thanks.
Mark Lord
Nov 25, 2016, 7:50:15 AM11/25/16
to
The USB2 version is a mere USD$1300 in quantity.
Seems like rather a lot of money just to report a bug in a USB driver.
Perhaps the Linux Foundation might purchase one and loan it for this task?
Mark Lord
Nov 25, 2016, 8:00:06 AM11/25/16
to
On 16-11-25 04:53 AM, Greg KH wrote:
> On Thu, Nov 24, 2016 at 10:49:33PM -0500, Mark Lord wrote:
>> There is no possibility for them to be used for anything other than
>> USB receive buffers, for this driver only. Nothing in the driver
>> or kernel ever writes to those buffers after initial allocation,
>> and only the driver and USB host controller ever have pointers to the buffers.
>
> You really are going to have to break out that USB monitor to verify
> that this is the data coming across the wire.
Not sure why, because there really is no other way for the data to
>> There is no possibility for them to be used for anything other than
>> USB receive buffers, for this driver only. Nothing in the driver
>> or kernel ever writes to those buffers after initial allocation,
>> and only the driver and USB host controller ever have pointers to the buffers.
>
> You really are going to have to break out that USB monitor to verify
> that this is the data coming across the wire.
appear where it does at the beginning of that URB buffer.
This does seem a rather unexpected burden to place upon someone
reporting a regression in a USB network driver that corrupts user data.
I have already spent about 50 hours looking at this issue,
and everything now points firmly at some kind of FIFO overflow
within the dongle itself. There is no evidence to the contrary.
I am very happy to test any driver updates, or data collection mods
provided by the author, to help the author find/fix the issue.
One idea, might be to have the author try testing with the dongle
connected through a USB1.1 hub, forcing it to slower speeds.
This might make reproducing the issue (if indeed a FIFO overflow)
easier, as the host transfers will then be slower than the
ethernet wire speed.
I have access to the hardware here next Tuesday.
If we can scrounge up the USB analyzer, cables, and a suitable
MS-Windows (ugh) machine of some kind, then I'll see if it can
be programmed to somewhow capture the event. Probably just set it
in continuous capture mode, and have the target system halt
when it sees bad data at offset zero.
This can take days to reproduce, so don't hold your breaths.
Something useful to do in the meanwhile, is to then think
about "what next" after the analyzer confirms the issue.
--
Mark Lord
Real-Time Remedies Inc.
ml...@pobox.com
Mark Lord
Nov 25, 2016, 8:40:05 AM11/25/16
to
On 16-11-25 04:52 AM, Hayes Wang wrote:
..
disabled on this board.
Good try, though -- USB power control still causes me trouble
on PCs with mice and remote controls. But not here.
..
> What is the value of /sys/bus/usb/devices/.../power/control ?
That entry does not exist -- power control is completely
disabled on this board.
Good try, though -- USB power control still causes me trouble
on PCs with mice and remote controls. But not here.
Greg KH
Nov 25, 2016, 9:30:05 AM11/25/16
to
buy one and ship it around the world instead? Makes no sense...
greg k-h
Greg KH
Nov 25, 2016, 9:40:05 AM11/25/16
to
On Fri, Nov 25, 2016 at 07:49:35AM -0500, Mark Lord wrote:
> On 16-11-25 04:53 AM, Greg KH wrote:
> > On Thu, Nov 24, 2016 at 10:49:33PM -0500, Mark Lord wrote:
> >> There is no possibility for them to be used for anything other than
> >> USB receive buffers, for this driver only. Nothing in the driver
> >> or kernel ever writes to those buffers after initial allocation,
> >> and only the driver and USB host controller ever have pointers to the buffers.
> >
> > You really are going to have to break out that USB monitor to verify
> > that this is the data coming across the wire.
>
> Not sure why, because there really is no other way for the data to
> appear where it does at the beginning of that URB buffer.
Broken USB host controller driver, or the device really is sending that
> On 16-11-25 04:53 AM, Greg KH wrote:
> > On Thu, Nov 24, 2016 at 10:49:33PM -0500, Mark Lord wrote:
> >> There is no possibility for them to be used for anything other than
> >> USB receive buffers, for this driver only. Nothing in the driver
> >> or kernel ever writes to those buffers after initial allocation,
> >> and only the driver and USB host controller ever have pointers to the buffers.
> >
> > You really are going to have to break out that USB monitor to verify
> > that this is the data coming across the wire.
>
> Not sure why, because there really is no other way for the data to
> appear where it does at the beginning of that URB buffer.
data to the host. It's either one or the other, and the only way you
can rule one of them out is to look at the data on the wire.
best of luck,
greg k-h
Mark Lord
Nov 25, 2016, 9:40:05 AM11/25/16
to
It doesn't work with Linux machines.
You are the one who suggested purchase of a working Linux compatible unit,
so I was just following up to see if you were serious about that.
No worries.
I'll see if the paperweight can be converted into something useful next week.
Cheers
David Miller
Nov 25, 2016, 12:10:05 PM11/25/16
to
From: Mark Lord <ml...@pobox.com>
Date: Fri, 25 Nov 2016 07:49:35 -0500
> On 16-11-25 04:53 AM, Greg KH wrote:
>> On Thu, Nov 24, 2016 at 10:49:33PM -0500, Mark Lord wrote:
>>> There is no possibility for them to be used for anything other than
>>> USB receive buffers, for this driver only. Nothing in the driver
>>> or kernel ever writes to those buffers after initial allocation,
>>> and only the driver and USB host controller ever have pointers to the buffers.
>>
>> You really are going to have to break out that USB monitor to verify
>> that this is the data coming across the wire.
>
> Not sure why, because there really is no other way for the data to
> appear where it does at the beginning of that URB buffer.
>
> This does seem a rather unexpected burden to place upon someone
> reporting a regression in a USB network driver that corrupts user data.
If you are the only person who can actively reproduce this, which
seems to be the case right now, this is unfortunately the only way to
reach a proper analysis and fix.
Date: Fri, 25 Nov 2016 07:49:35 -0500
> On 16-11-25 04:53 AM, Greg KH wrote:
>> On Thu, Nov 24, 2016 at 10:49:33PM -0500, Mark Lord wrote:
>>> There is no possibility for them to be used for anything other than
>>> USB receive buffers, for this driver only. Nothing in the driver
>>> or kernel ever writes to those buffers after initial allocation,
>>> and only the driver and USB host controller ever have pointers to the buffers.
>>
>> You really are going to have to break out that USB monitor to verify
>> that this is the data coming across the wire.
>
> Not sure why, because there really is no other way for the data to
> appear where it does at the beginning of that URB buffer.
>
> This does seem a rather unexpected burden to place upon someone
> reporting a regression in a USB network driver that corrupts user data.
seems to be the case right now, this is unfortunately the only way to
reach a proper analysis and fix.
Hayes Wang
Nov 30, 2016, 7:00:05 AM11/30/16
to
Mark Lord <ml...@pobox.com>
[...]
I would think if there is any other way to reproduce it.
Best Regards,
Hayes
[...]
> > Not sure why, because there really is no other way for the data to
> > appear where it does at the beginning of that URB buffer.
> >
> > This does seem a rather unexpected burden to place upon someone
> > reporting a regression in a USB network driver that corrupts user data.
>
> If you are the only person who can actively reproduce this, which
> seems to be the case right now, this is unfortunately the only way to
> reach a proper analysis and fix.
I have tested it with iperf more than five days without any error.
> > appear where it does at the beginning of that URB buffer.
> >
> > This does seem a rather unexpected burden to place upon someone
> > reporting a regression in a USB network driver that corrupts user data.
>
> If you are the only person who can actively reproduce this, which
> seems to be the case right now, this is unfortunately the only way to
> reach a proper analysis and fix.
I would think if there is any other way to reproduce it.
Best Regards,
Hayes
Mark Lord
Dec 9, 2016, 8:10:06 AM12/9/16
to
On 16-12-08 10:23 PM, Hayes Wang wrote:
> Mark Lord <ml...@pobox.com>
>
> I find an issue about autosuspend, and it may result in the same
> problem with you. I don't sure if this is helpful to you, because
> it only occurs when enabling the autosuspend.
Thanks. I am using ASIX adapters now.
I did try the latest 4.9-rc8, and 4.8.12 kernels with the r8152 dongle yesterday,
in hope that perhaps the many EHCI fixes from those kernels might help out.
The dongle was unusable with those newer kernels.
Most of the time it failed with "Get ether addr fail\n" at startup.
On the occasions where it got past that point, it often failed
the DHCP negotiation, but this looks more like a bug elsewhere in
the kernel, possibly racing against initialization of the random
number generators. Adding a 2-second sleep the the r8151 probe
function made this error mostly go away.
Cheers
--
Mark Lord
> Mark Lord <ml...@pobox.com>
>
> I find an issue about autosuspend, and it may result in the same
> problem with you. I don't sure if this is helpful to you, because
> it only occurs when enabling the autosuspend.
Thanks. I am using ASIX adapters now.
I did try the latest 4.9-rc8, and 4.8.12 kernels with the r8152 dongle yesterday,
in hope that perhaps the many EHCI fixes from those kernels might help out.
The dongle was unusable with those newer kernels.
Most of the time it failed with "Get ether addr fail\n" at startup.
On the occasions where it got past that point, it often failed
the DHCP negotiation, but this looks more like a bug elsewhere in
the kernel, possibly racing against initialization of the random
number generators. Adding a 2-second sleep the the r8151 probe
function made this error mostly go away.
Cheers
--
Mark Lord
Ansis Atteka
Dec 31, 2016, 7:10:05 PM12/31/16
to
bug related to r8152 driver, but on x86-64 platform. Also, I think
that this data corruption bug has some serious security implications,
because it appears that "corrupted data" is actually 530 byte fragment
from one of the previous Ethernet frames that Realtek device just
received. See the ping test in the bottom of my email that
demonstrates this.
Besides the data corruption problem I am also experiencing another
serious problem that could be related and manifests itself in XHCI
module when Realtek Ethernet port receives packets at "high" rate (ie
10Mbps or higher). This second problem correlates with error messages
in kern.log printed by xhci-hcd. Ethernet connectivity is completely
lost at this time until I reload r8152 driver:
[ 2540.426240] xhci_hcd 0000:0e:00.0: ERROR Transfer event TRB DMA ptr
not part of current TD ep_index 2 comp_code 13
[ 2540.426258] xhci_hcd 0000:0e:00.0: Looking for event-dma
00000000fff0f010 trb-start 00000000ff5c9fe0 trb-end 00000000ff5c9fe0
seg-start 00000000ff5c9000 seg-end 00000000ff5c9ff0
[ 2540.426259] xhci_hcd 0000:0e:00.0: ERROR Transfer event TRB DMA ptr
not part of current TD ep_index 2 comp_code 13
[ 2540.426260] xhci_hcd 0000:0e:00.0: Looking for event-dma
00000000fff0f020 trb-start 00000000ff5c9fe0 trb-end 00000000ff5c9fe0
seg-start 00000000ff5c9000 seg-end 00000000ff5c9ff0
[ 2540.426334] xhci_hcd 0000:0e:00.0: ERROR Transfer event TRB DMA ptr
not part of current TD ep_index 2 comp_code 13
[ 2540.426336] xhci_hcd 0000:0e:00.0: Looking for event-dma
00000000fff0f030 trb-start 00000000ff5c9fe0 trb-end 00000000ff5c9fe0
seg-start 00000000ff5c9000 seg-end 00000000ff5c9ff0
[ 2540.426372] xhci_hcd 0000:0e:00.0: ERROR Transfer event TRB DMA ptr
not part of current TD ep_index 2 comp_code 13
[ 2540.426373] xhci_hcd 0000:0e:00.0: Looking for event-dma
00000000fff0f040 trb-start 00000000ff5c9fe0 trb-end 00000000ff5c9fe0
seg-start 00000000ff5c9000 seg-end 00000000ff5c9ff0
[ 2540.426488] xhci_hcd 0000:0e:00.0: ERROR Transfer event TRB DMA ptr
not part of current TD ep_index 2 comp_code 13
[ 2540.426491] xhci_hcd 0000:0e:00.0: Looking for event-dma
00000000fff0f050 trb-start 00000000ff5c9fe0 trb-end 00000000ff5c9fe0
seg-start 00000000ff5c9000 seg-end 00000000ff5c9ff0
[ 2540.437020] xhci_hcd 0000:0e:00.0: ERROR Transfer event TRB DMA ptr
not part of current TD ep_index 2 comp_code 13
[ 2540.437024] xhci_hcd 0000:0e:00.0: Looking for event-dma
00000000fff0f060 trb-start 00000000ff5c9fe0 trb-end 00000000ff5c9fe0
seg-start 00000000ff5c9000 seg-end 00000000ff5c9ff0
[ 2540.438239] xhci_hcd 0000:0e:00.0: ERROR Transfer event TRB DMA ptr
not part of current TD ep_index 2 comp_code 13
[ 2540.438246] xhci_hcd 0000:0e:00.0: Looking for event-dma
00000000fff0f070 trb-start 00000000ff5c9fe0 trb-end 00000000ff5c9fe0
seg-start 00000000ff5c9000 seg-end 00000000ff5c9ff0
[ 2540.438493] xhci_hcd 0000:0e:00.0: ERROR Transfer event TRB DMA ptr
not part of current TD ep_index 2 comp_code 13
[ 2540.438495] xhci_hcd 0000:0e:00.0: Looking for event-dma
00000000fff0f080 trb-start 00000000ff5c9fe0 trb-end 00000000ff5c9fe0
seg-start 00000000ff5c9000 seg-end 00000000ff5c9ff0
All of that is happening on my X86-64 Dell XPS15 9550 laptop that is
connected to Ethernet via Dell TB15 dock. This Dell TB 15 Dock uses
Realtek chip to provide Ethernet connectivity to laptop:
# lsusb
...
Bus 004 Device 003: ID 0bda:8153 Realtek Semiconductor Corp.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 3.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 9
idVendor 0x0bda Realtek Semiconductor Corp.
idProduct 0x8153
bcdDevice 30.01
iManufacturer 1 Realtek
iProduct 2 USB 10/100/1000 LAN
iSerial 6 000001000000
bNumConfigurations 2
This Realtek Ethernet port is connected to a XHCI ASMedia host
controller that also resides on Dell TB15 Dock. The dock itself is
connected via Thunderbolt 3 cable to laptop:
# lspci
....
0e:00.0 USB controller: ASMedia Technology Inc. ASM1042A USB 3.0 Host Controller
In my case it is easy to reproduce either of those two issues. Here
are my observations:
1. The Ethernet controller on Dell TB15 dock was working completely
fine while I had Windows 10 installed on my Laptop.
2. I have tried various Linux distributions - Ubuntu 16.10, Ubuntu
14.04, CentOS 7. All of them fail with "ERROR Transfer event TRB DMA
ptr not part of current TD ep_index 2 comp_code 13" error message
under high load.
3. I have tried Ubuntu 16.10 and Ubuntu 16.04. Both of them are
affected by this data corruption bug. I did not test for data
corruption on CentOS or other Linux distributions that come with older
Linux kernels than Ubuntu.
4. If I start two ping instances at the same time then it appears that
530 bytes from the first ping instance are occasionally "injected"
into ping payload of the second ping instance. Also, I was able to
reproduce this exact same issue with TCP.
sudo ping -i 0.05 -p ff -s 15000 10.33.75.80 # Sending 0xff as payload
....
15008 bytes from 10.33.75.80: icmp_seq=39 ttl=64 time=104 ms
wrong data byte #9822 should be 0xff but was 0x0
#16 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
#9776 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#9808 ff ff ff ff ff ff ff ff ff ff ff ff ff ff 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0
#9840 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#9872 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#9904 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#9936 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#9968 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10032 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10064 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10096 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10160 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10192 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10224 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10256 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10288 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10320 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#10352 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#10384 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
...
sudo ping -i 0.05 -p 00 -s 15000 10.33.75.80 # Sending 0x00 as payload
...
15008 bytes from 10.33.75.80: icmp_seq=164 ttl=64 time=95.4 ms
wrong data byte #11302 should be 0x0 but was 0xff
#16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
...
#11248 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#11280 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ff ff ff ff ff ff ff ff ff ff
#11312 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11344 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11376 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11408 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11440 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11472 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11504 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11536 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11568 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11600 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11632 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11664 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11696 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11728 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11760 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11792 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff
#11824 ff ff ff ff ff ff ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#11856 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
#11888 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
...
Ansis Atteka
Jan 2, 2017, 7:50:05 PM1/2/17
to
On Sat, Dec 31, 2016 at 4:07 PM, Ansis Atteka <aat...@nicira.com> wrote:
> On Wed, Nov 30, 2016 at 3:58 AM, Hayes Wang <haye...@realtek.com> wrote:
>> Mark Lord <ml...@pobox.com>
>> [...]
>>> > Not sure why, because there really is no other way for the data to
>>> > appear where it does at the beginning of that URB buffer.
>>> >
>>> > This does seem a rather unexpected burden to place upon someone
>>> > reporting a regression in a USB network driver that corrupts user data.
>>>
>>> If you are the only person who can actively reproduce this, which
>>> seems to be the case right now, this is unfortunately the only way to
>>> reach a proper analysis and fix.
>>
>> I have tested it with iperf more than five days without any error.
>> I would think if there is any other way to reproduce it.
>>
I think that I am getting closer to the root cause of this bug. Also,
> On Wed, Nov 30, 2016 at 3:58 AM, Hayes Wang <haye...@realtek.com> wrote:
>> Mark Lord <ml...@pobox.com>
>> [...]
>>> > Not sure why, because there really is no other way for the data to
>>> > appear where it does at the beginning of that URB buffer.
>>> >
>>> > This does seem a rather unexpected burden to place upon someone
>>> > reporting a regression in a USB network driver that corrupts user data.
>>>
>>> If you are the only person who can actively reproduce this, which
>>> seems to be the case right now, this is unfortunately the only way to
>>> reach a proper analysis and fix.
>>
>> I have tested it with iperf more than five days without any error.
>> I would think if there is any other way to reproduce it.
>>
I have a workaround that at least makes r8152 functionally stable in
my Dell TB15 dock. Mark, would you mind giving a chance to the patch
that I have in the bottom of this email to see if it helps your issue
too (you might have to tweak those settings slightly differently if
you use something else than USB 3.0)
Long story short - what I observed in Wireshark is that if there are
more than ~10 Ethernet frames *close together to each other* then the
data corruption bug starts to express itself. If there are ~15 or more
Ethernet frames close together to each other then the XHCI starts to
emit the "ERROR Transfer event TRB DMA ptr not part of current TD
ep_index 2 comp_code 13" error message and r8152 driver gets toasted.
Hayes, in your iperf reproduction environment did you
1) connect sender and receiver directly with an Ethernet cable?
2) use iperf's TCP mode instead of UDP mode, because I believe that
with UDP mode packets are more likely to be sparsely distributed?
Also, this bug is way easier to reproduce when IP fragmentation kicks
in because IP fragments are typically sent out very close to each
other.
3) were you plugging your USB Ethernet dongle in USB 3.0 port or
whatever Mark was using? It seems that each USB mode has different
coalesce parameters and yours might have work "out of box"?
While I would not call this a proper fix, because it simply reduces
coalescing timeouts by order of 10X and most likely does not eliminate
security aspects of the bug, it at least made my system functionally
stable and I don't see either of those two bugs in my setup anymore:
git diff
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index c254248..4979690 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -365,9 +365,9 @@
#define PCUT_STATUS 0x0001
/* USB_RX_EARLY_TIMEOUT */
-#define COALESCE_SUPER 85000U
-#define COALESCE_HIGH 250000U
-#define COALESCE_SLOW 524280U
+#define COALESCE_SUPER 8500U
+#define COALESCE_HIGH 25000U
+#define COALESCE_SLOW 52428U
/* USB_WDT11_CTRL */
#define TIMER11_EN 0x0001
Mark Lord
Jan 3, 2017, 10:00:10 AM1/3/17
to
On 17-01-02 07:40 PM, Ansis Atteka wrote:
..
in the driver [see the rtl8152_set_coalesce() function]. So that workaround
would not help here.
..
> I think that I am getting closer to the root cause of this bug. Also,
> I have a workaround that at least makes r8152 functionally stable in
> my Dell TB15 dock. Mark, would you mind giving a chance to the patch
> that I have in the bottom of this email to see if it helps your issue
> too (you might have to tweak those settings slightly differently if
> you use something else than USB 3.0)
> I have a workaround that at least makes r8152 functionally stable in
> my Dell TB15 dock. Mark, would you mind giving a chance to the patch
> that I have in the bottom of this email to see if it helps your issue
> too (you might have to tweak those settings slightly differently if
> you use something else than USB 3.0)
/* USB_RX_EARLY_TIMEOUT */
-#define COALESCE_SUPER 85000U
-#define COALESCE_HIGH 250000U
-#define COALESCE_SLOW 524280U
+#define COALESCE_SUPER 8500U
+#define COALESCE_HIGH 25000U
+#define COALESCE_SLOW 52428U
The RTL_VER_02 chip that I was using does not support interrupt coalescing
-#define COALESCE_SUPER 85000U
-#define COALESCE_HIGH 250000U
-#define COALESCE_SLOW 524280U
+#define COALESCE_SUPER 8500U
+#define COALESCE_HIGH 25000U
+#define COALESCE_SLOW 52428U
in the driver [see the rtl8152_set_coalesce() function]. So that workaround
would not help here.
Hayes Wang
Jan 9, 2017, 3:00:05 AM1/9/17
to
Ansis Atteka [mailto:aat...@nicira.com]
> Sent: Tuesday, January 03, 2017 8:41 AM
[...]
I test the RTL8152 which only support USB 2.0. Therefore, I don't
think it occurs with different coalesce parameters.
> While I would not call this a proper fix, because it simply reduces
> coalescing timeouts by order of 10X and most likely does not eliminate
> security aspects of the bug, it at least made my system functionally
> stable and I don't see either of those two bugs in my setup anymore:
Do you try commit a59e6d815226 ("r8152: correct the rx early size"),
or you have used it?
Best Regards,
Hayes
> Sent: Tuesday, January 03, 2017 8:41 AM
[...]
> Hayes, in your iperf reproduction environment did you
> 1) connect sender and receiver directly with an Ethernet cable?
> 2) use iperf's TCP mode instead of UDP mode, because I believe that
> with UDP mode packets are more likely to be sparsely distributed?
> Also, this bug is way easier to reproduce when IP fragmentation kicks
> in because IP fragments are typically sent out very close to each
> other.
> 3) were you plugging your USB Ethernet dongle in USB 3.0 port or
> whatever Mark was using? It seems that each USB mode has different
> coalesce parameters and yours might have work "out of box"?
Yes. I connect them directly and use iperf's TCP mode. However,
> 1) connect sender and receiver directly with an Ethernet cable?
> 2) use iperf's TCP mode instead of UDP mode, because I believe that
> with UDP mode packets are more likely to be sparsely distributed?
> Also, this bug is way easier to reproduce when IP fragmentation kicks
> in because IP fragments are typically sent out very close to each
> other.
> 3) were you plugging your USB Ethernet dongle in USB 3.0 port or
> whatever Mark was using? It seems that each USB mode has different
> coalesce parameters and yours might have work "out of box"?
I test the RTL8152 which only support USB 2.0. Therefore, I don't
think it occurs with different coalesce parameters.
> While I would not call this a proper fix, because it simply reduces
> coalescing timeouts by order of 10X and most likely does not eliminate
> security aspects of the bug, it at least made my system functionally
> stable and I don't see either of those two bugs in my setup anymore:
or you have used it?
Best Regards,
Hayes
Hayes Wang
Jan 11, 2017, 3:30:05 AM1/11/17
to
Fix the hw rx checksum is always enabled, and the user couldn't switch
it to sw rx checksum.
Note that the RTL_VER_01 only support sw rx checksum only. Besides,
the hw rx checksum for RTL_VER_02 is disabled after
commit b9a321b48af4 ("r8152: Fix broken RX checksums."). Re-enable it.
Signed-off-by: Hayes Wang <haye...@realtek.com>
---
drivers/net/usb/r8152.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index be41856..f3b48ad 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1730,7 +1730,7 @@ static u8 r8152_rx_csum(struct r8152 *tp, struct rx_desc *rx_desc)
u8 checksum = CHECKSUM_NONE;
u32 opts2, opts3;
- if (tp->version == RTL_VER_01 || tp->version == RTL_VER_02)
+ if (!(tp->netdev->features & NETIF_F_RXCSUM))
goto return_result;
opts2 = le32_to_cpu(rx_desc->opts2);
@@ -4356,6 +4356,11 @@ static int rtl8152_probe(struct usb_interface *intf,
NETIF_F_HIGHDMA | NETIF_F_FRAGLIST |
NETIF_F_IPV6_CSUM | NETIF_F_TSO6;
+ if (tp->version == RTL_VER_01) {
+ netdev->features &= ~NETIF_F_RXCSUM;
+ netdev->hw_features &= ~NETIF_F_RXCSUM;
+ }
+
netdev->ethtool_ops = &ops;
netif_set_gso_max_size(netdev, RTL_LIMITED_TSO_SIZE);
--
2.7.4
it to sw rx checksum.
Note that the RTL_VER_01 only support sw rx checksum only. Besides,
the hw rx checksum for RTL_VER_02 is disabled after
commit b9a321b48af4 ("r8152: Fix broken RX checksums."). Re-enable it.
Signed-off-by: Hayes Wang <haye...@realtek.com>
---
drivers/net/usb/r8152.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index be41856..f3b48ad 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1730,7 +1730,7 @@ static u8 r8152_rx_csum(struct r8152 *tp, struct rx_desc *rx_desc)
u8 checksum = CHECKSUM_NONE;
u32 opts2, opts3;
- if (tp->version == RTL_VER_01 || tp->version == RTL_VER_02)
+ if (!(tp->netdev->features & NETIF_F_RXCSUM))
goto return_result;
opts2 = le32_to_cpu(rx_desc->opts2);
@@ -4356,6 +4356,11 @@ static int rtl8152_probe(struct usb_interface *intf,
NETIF_F_HIGHDMA | NETIF_F_FRAGLIST |
NETIF_F_IPV6_CSUM | NETIF_F_TSO6;
+ if (tp->version == RTL_VER_01) {
+ netdev->features &= ~NETIF_F_RXCSUM;
+ netdev->hw_features &= ~NETIF_F_RXCSUM;
+ }
+
netdev->ethtool_ops = &ops;
netif_set_gso_max_size(netdev, RTL_LIMITED_TSO_SIZE);
--
2.7.4
David Miller
Jan 11, 2017, 4:20:05 PM1/11/17
to
From: Hayes Wang <haye...@realtek.com>
Date: Wed, 11 Jan 2017 16:25:34 +0800
> Fix the hw rx checksum is always enabled, and the user couldn't switch
> it to sw rx checksum.
>
> Note that the RTL_VER_01 only support sw rx checksum only. Besides,
> the hw rx checksum for RTL_VER_02 is disabled after
> commit b9a321b48af4 ("r8152: Fix broken RX checksums."). Re-enable it.
>
> Signed-off-by: Hayes Wang <haye...@realtek.com>
Applied and queued up for -stable, thanks.
Date: Wed, 11 Jan 2017 16:25:34 +0800
> Fix the hw rx checksum is always enabled, and the user couldn't switch
> it to sw rx checksum.
>
> Note that the RTL_VER_01 only support sw rx checksum only. Besides,
> the hw rx checksum for RTL_VER_02 is disabled after
> commit b9a321b48af4 ("r8152: Fix broken RX checksums."). Re-enable it.
>
> Signed-off-by: Hayes Wang <haye...@realtek.com>
0 new messages