Re: [PATCH] usb: gadget: f_fs: add zombie mode
On Tue, Oct 07 2014, Alan Stern st...@rowland.harvard.edu wrote: If you want to allow for the possibility of orderly shutdown (and maybe even possible restart) of a userspace handler, the function library should first tell the kernel explicitly to disconnect. On Tue, 7 Oct 2014, Michal Nazarewicz wrote: I'm wondering if it would be possible to support user-space daemon restarts with O_APPEND flag. This is probably looking too far to the future though. On Wed, Oct 08 2014, Alan Stern st...@rowland.harvard.edu wrote: Actually, we shouldn't need to consider the case where the descriptors change. That _always_ requires a disconnect, and the user can cause a disconnect simply by killing the daemon and starting it again. No separate restart capability is needed. Correct. This may be going a bit off-topic, but I was thinking of a possible feature that would allow the daemon to indicate to kernel it is ready to pick up the pieces after its previous instance crashed. This would require the zombie mode to be implemented. * Currently, once the daemon finishes or crashes, USB disconnect happens. * In zombie mode, I could imagine the following scenarios: - daemon crashes, but the gadget still works, no disconnect happens; - daemon opens ep0 with O_APPEND, no disconnect happens; - daemon sends *the same* descriptors as before; - kernel recreates all the ep# files and let the daemon continue handling USB requests with host possibly never noticing. Opening ep0 w/o O_APPEND or sending different descriptors would cause a disconnect. With the above, user-space would be able to force gadget to disconnect by killing the daemon and then doing printf '' /dev/functionfs/ep0 So I guess my point is that with zombie mode, user space could tell the kernel to not-disconnect (rather than having an explicit disconnect request) if it was written in a way that supports crash recovery. This is a wishful thinking at this stage I guess, but perhaps it's worth considering when deciding how the zombie interface should look like. For example, I have some concerns if it should be enabled by an fs mount option. -- Best regards, _ _ .o. | Liege of Serenely Enlightened Majesty of o' \,=./ `o ..o | Computer Science, Michał “mina86” Nazarewicz(o o) ooo +--m...@google.com--xmpp:min...@jabber.org--ooO--(_)--Ooo-- -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
RE: [PATCH] usb: gadget: f_fs: add zombie mode
Hi, -Original Message- From: Mike Nazarewicz [mailto:m...@google.com] On Behalf Of Michal Nazarewicz Sent: Tuesday, October 07, 2014 10:08 PM To: Alan Stern; Felipe Balbi Cc: Krzysztof Opasiak; 'Robert Baldyga'; gre...@linuxfoundation.org; linux-usb@vger.kernel.org; linux- ker...@vger.kernel.org; andrze...@samsung.com Subject: Re: [PATCH] usb: gadget: f_fs: add zombie mode On Tue, 7 Oct 2014, Felipe Balbi wrote: Right, but if we allow this, I can already see folks abusing to connect to the host early and only when necessary do some trickery to e.g. start adbd (not saying Android will do this, just using it as an easy example). I don't really see that happening. For the gadget to start all descriptors need to be known. Functionfs will know the descriptors only once the user space daemon provides them. Therefore, with the current features (or even with addition of Robert's feature) there is no way to let the gadget start without having the daemon running. Well, to be honest we do some lazy daemon startup in gadgetd. The idea is to provide functionality quite similar to inet. So we have divided functionfs services into two parts: - Descriptors - provided in configuration file - function implementation - provided in binary Now user can create ffs function using gadgetd without worrying about mounting the file system, running daemon and many other stuff. Gadgetd is system-wide usb gadget manager which provides abstraction layer for kernel functions and ffs-based functions. Example: User would like to create gadget which contains MTP in first configuration and ADB in second. When gadgetd receives such request via DBUS it creates suitable functions on configfs, find suitable configuration files, mount two instances of ffs, write descriptors from config files and run poll() on both ep0. Please notice here that any other daemon has not been run but the whole gadget can be bound to UDC. When usb device is connected to host then host will select one of available configurations. All functions in that configuration receive ENABLE event. When gadgetd receives such event from one of ep0 then fork() is executed and desired service is being run with all file descriptors opened and ready to use. Please also notice here that if host select first configuration, only one of those daemon is going to be run. (...) -- Krzysztof Opasiak Samsung RD Institute Poland Samsung Electronics k.opas...@samsung.com -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
-Original Message- From: Mike Nazarewicz [mailto:m...@google.com] I don't really see that happening. For the gadget to start all descriptors need to be known. Functionfs will know the descriptors only once the user space daemon provides them. Therefore, with the current features (or even with addition of Robert's feature) there is no way to let the gadget start without having the daemon running. On Wed, Oct 08 2014, Krzysztof Opasiak k.opas...@samsung.com wrote: Well, to be honest we do some lazy daemon startup in gadgetd. The idea is to provide functionality quite similar to inet. So we have divided functionfs services into two parts: - Descriptors - provided in configuration file - function implementation - provided in binary Sure, and I'm not surprised to hear that has been implemented, but from kernel point of view, the daemon is there and running. Furthermore, such behaviour is possible with or without the zombie feature, and in fact kernel isn't able to prevent it, so it's immaterial to discussion of the zombie feature. -- Best regards, _ _ .o. | Liege of Serenely Enlightened Majesty of o' \,=./ `o ..o | Computer Science, Michał “mina86” Nazarewicz(o o) ooo +--m...@google.com--xmpp:min...@jabber.org--ooO--(_)--Ooo-- -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
On Tue, 7 Oct 2014, Michal Nazarewicz wrote: On Tue, 7 Oct 2014, Felipe Balbi wrote: Right, but if we allow this, I can already see folks abusing to connect to the host early and only when necessary do some trickery to e.g. start adbd (not saying Android will do this, just using it as an easy example). I don't really see that happening. For the gadget to start all descriptors need to be known. Functionfs will know the descriptors only once the user space daemon provides them. Therefore, with the current features (or even with addition of Robert's feature) there is no way to let the gadget start without having the daemon running. On Tue, Oct 07 2014, Alan Stern st...@rowland.harvard.edu wrote: We can still keep the pullup turned off until all the functions are ready. That's a part of normal behavior -- unlike what happens when a userspace component crashes or is killed. Then how do we differentiate a normal close() from a oh-crap-I-died close() ? We can't, so why worry about it? We actually might be able to distinguish those cases with another ioctl which daemon must issue on the ep0 prior to closing it. I'm not saying that we should implement that though. If a file handle was closed for normal reasons then userspace probably in the middle of shutting down the gadget anyway. If not then the user will get what they deserve. If the file handle was closed for abnormal reasons, we can behave like crashed firmware. Which means, in the end, doing the same thing as in the normal-reason case -- i.e., do nothing. In particular, don't disconnect. If you want to allow for the possibility of orderly shutdown (and maybe even possible restart) of a userspace handler, the function library should first tell the kernel explicitly to disconnect. Then function components can be changed around completely, and when everything is ready, userspace can tell the kernel to connect again. I'm wondering if it would be possible to support user-space daemon restarts with O_APPEND flag. This is probably looking too far to the future though. Actually, we shouldn't need to consider the case where the descriptors change. That _always_ requires a disconnect, and the user can cause a disconnect simply by killing the daemon and starting it again. No separate restart capability is needed. Alan Stern -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
On 10/07/2014 04:28 AM, Felipe Balbi wrote: Hi, On Mon, Oct 06, 2014 at 01:25:14PM +0200, Robert Baldyga wrote: Since we can compose gadgets from many functions, there is the problem related to gadget breakage while FunctionFS daemon being closed. In some cases it's strongly desired to keep gadget alive for a while, despite FunctionFS files are closed, to allow another functions to complete some presumably critical operations. For this purpose this patch introduces zombie mode. It can be enabled by setting mount option zombie=1, and results with defering function closure to the moment of reopening ep0 file or filesystem umount. When ffs-state == FFS_ZOMBIE: - function is still binded and visible to host, - setup requests are automatically stalled, - all another transfers are refused, - opening ep0 causes function close, and then FunctionFS is ready for descriptors and string write, - umount of functionfs cause function close. Signed-off-by: Robert Baldyga r.bald...@samsung.com Can you further explain how do you trigger this ? Do I understand correctly that you composed a gadget using configfs and that gadget has functionfs + another gadget ? Yes, I compose configfs gadget from functionfs + another gadget, and when functionfs daemon closes ep files, entire gadget get disconnected from host. FFS function is userspace code so there is no way to know when it will close files (it doesn't matter what is the reason of this situation, it can be daemon logic, program breakage, process kill or any other). So when we have another function in gadget which, for example, sends some amount of data, does some software update or implements some real-time functionality, we may want to keep the gadget connected despite FFS function is no longer functional. We can't just remove one of functions from gadget since it has been enumerated, so the only way we can do that is to make broken FFS function zombie. It will be still visible to host but it will no longer implement it's functionality. Then what do you need to do the trigger the issue, and what really _is_ the issue ? Is gadget disconnecting from host too early ? Do you see a crash ? Memory leak ? Any logs available ? Any steps to reproduce ? You simply compose gadget from, for example, ethernet and functionfs. You try to send some huge file through ftp, and in meantime FFS function breaks. If FFS hasn't enabled zombie mode, entire gadget will be disconnected and data transmission will fail. If zombie mode is enabled, then FFS function after daemon breakage will become zombie and will be nonfunctional, but ethernet gadget will be still active and data transfer will be completed. Quite frankly, I don't really like this zombie mode. joke I know there's a The Walking Dead hype right now, but this is too much. /joke I see, but after all I couldn't find more descriptive name for this feature. Anyway, please giver me further details of how to get this done. Best regards, Robert Baldyga -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
Hi, On Tue, Oct 07, 2014 at 08:33:16AM +0200, Robert Baldyga wrote: On 10/07/2014 04:28 AM, Felipe Balbi wrote: Hi, On Mon, Oct 06, 2014 at 01:25:14PM +0200, Robert Baldyga wrote: Since we can compose gadgets from many functions, there is the problem related to gadget breakage while FunctionFS daemon being closed. In some cases it's strongly desired to keep gadget alive for a while, despite FunctionFS files are closed, to allow another functions to complete some presumably critical operations. For this purpose this patch introduces zombie mode. It can be enabled by setting mount option zombie=1, and results with defering function closure to the moment of reopening ep0 file or filesystem umount. When ffs-state == FFS_ZOMBIE: - function is still binded and visible to host, - setup requests are automatically stalled, - all another transfers are refused, - opening ep0 causes function close, and then FunctionFS is ready for descriptors and string write, - umount of functionfs cause function close. Signed-off-by: Robert Baldyga r.bald...@samsung.com Can you further explain how do you trigger this ? Do I understand correctly that you composed a gadget using configfs and that gadget has functionfs + another gadget ? Yes, I compose configfs gadget from functionfs + another gadget, and when functionfs daemon closes ep files, entire gadget get disconnected from host. FFS function is userspace code so there is no way to know when it will close files (it doesn't matter what is the reason of this situation, it can be daemon logic, program breakage, process kill or any other). So when we have another function in gadget which, for example, sends some amount of data, does some software update or implements some real-time functionality, we may want to keep the gadget connected despite FFS function is no longer functional. We can't just remove one of functions from gadget since it has been enumerated, so the only way we can do that is to make broken FFS function zombie. It will be still visible to host but it will no longer implement it's functionality. now that's an explanation. Can you update commit log with some of this info (once we agree on how to go about fixing this) ? I'm not sure we should try to fix this. The only case where this could trigger is if ffs daemon crashes and dies or somebody sends a bogus signal to kill it. A function cannot communicate with the host if it isn't functional and ffs depends on its userland daemon. If daemon is crashing, why not print a big WARN(closed %s while connected to host\n) ? That seems like it's as much as we can do from the kernel. Userland should know that they can't have a buggy ffs daemon. Then what do you need to do the trigger the issue, and what really _is_ the issue ? Is gadget disconnecting from host too early ? Do you see a crash ? Memory leak ? Any logs available ? Any steps to reproduce ? You simply compose gadget from, for example, ethernet and functionfs. You try to send some huge file through ftp, and in meantime FFS function breaks. If FFS hasn't enabled zombie mode, entire gadget will be disconnected and data transmission will fail. If zombie mode is enabled, then FFS function after daemon breakage will become zombie and will be nonfunctional, but ethernet gadget will be still active and data transfer will be completed. yeah, this is the problem I have with the feature. We can't expose a non-working interface to USB host. If daemon crashes, we have to disconnect. Quite frankly, I don't really like this zombie mode. joke I know there's a The Walking Dead hype right now, but this is too much. /joke I see, but after all I couldn't find more descriptive name for this feature. That was a joke :) -- balbi signature.asc Description: Digital signature
RE: [PATCH] usb: gadget: f_fs: add zombie mode
Hi, -Original Message- From: Felipe Balbi [mailto:ba...@ti.com] Sent: Tuesday, October 07, 2014 4:07 PM To: Robert Baldyga Cc: ba...@ti.com; gre...@linuxfoundation.org; linux- u...@vger.kernel.org; linux-ker...@vger.kernel.org; min...@mina86.com; andrze...@samsung.com; k.opas...@samsung.com Subject: Re: [PATCH] usb: gadget: f_fs: add zombie mode Hi, On Tue, Oct 07, 2014 at 08:33:16AM +0200, Robert Baldyga wrote: On 10/07/2014 04:28 AM, Felipe Balbi wrote: Hi, On Mon, Oct 06, 2014 at 01:25:14PM +0200, Robert Baldyga wrote: Since we can compose gadgets from many functions, there is the problem related to gadget breakage while FunctionFS daemon being closed. In some cases it's strongly desired to keep gadget alive for a while, despite FunctionFS files are closed, to allow another functions to complete some presumably critical operations. For this purpose this patch introduces zombie mode. It can be enabled by setting mount option zombie=1, and results with defering function closure to the moment of reopening ep0 file or filesystem umount. When ffs-state == FFS_ZOMBIE: - function is still binded and visible to host, - setup requests are automatically stalled, - all another transfers are refused, - opening ep0 causes function close, and then FunctionFS is ready for descriptors and string write, - umount of functionfs cause function close. Signed-off-by: Robert Baldyga r.bald...@samsung.com Can you further explain how do you trigger this ? Do I understand correctly that you composed a gadget using configfs and that gadget has functionfs + another gadget ? Yes, I compose configfs gadget from functionfs + another gadget, and when functionfs daemon closes ep files, entire gadget get disconnected from host. FFS function is userspace code so there is no way to know when it will close files (it doesn't matter what is the reason of this situation, it can be daemon logic, program breakage, process kill or any other). So when we have another function in gadget which, for example, sends some amount of data, does some software update or implements some real-time functionality, we may want to keep the gadget connected despite FFS function is no longer functional. We can't just remove one of functions from gadget since it has been enumerated, so the only way we can do that is to make broken FFS function zombie. It will be still visible to host but it will no longer implement it's functionality. now that's an explanation. Can you update commit log with some of this info (once we agree on how to go about fixing this) ? I'm not sure we should try to fix this. The only case where this could trigger is if ffs daemon crashes and dies or somebody sends a bogus signal to kill it. A function cannot communicate with the host if it isn't functional and ffs depends on its userland daemon. If daemon is crashing, why not print a big WARN(closed %s while connected to host\n) ? That seems like it's as much as we can do from the kernel. Userland should know that they can't have a buggy ffs daemon. It's not a problem of buggy ffs daemon. The problem is that there are some non deterministic mechanisms in userspace like OOM killer. FFS daemon can be written very well but if we are out of memory it may become a victim. In this case reliability of whole gadget hurts a lot. If it's going about WARN(). I'm not enthusiastic about it. Userspace process dies all the time, that's quite normal;) I don't think that it is good idea to generate a warning on kernel level when some process dies. Kernel should be resistant for such situations and know how to deal with them (maybe user could select exact behavior, but it should be done on kernel site) -- Krzysztof Opasiak Samsung RD Institute Poland Samsung Electronics k.opas...@samsung.com -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
Hi, On Tue, Oct 07, 2014 at 05:01:15PM +0200, Krzysztof Opasiak wrote: Hi, On Mon, Oct 06, 2014 at 01:25:14PM +0200, Robert Baldyga wrote: Since we can compose gadgets from many functions, there is the problem related to gadget breakage while FunctionFS daemon being closed. In some cases it's strongly desired to keep gadget alive for a while, despite FunctionFS files are closed, to allow another functions to complete some presumably critical operations. For this purpose this patch introduces zombie mode. It can be enabled by setting mount option zombie=1, and results with defering function closure to the moment of reopening ep0 file or filesystem umount. When ffs-state == FFS_ZOMBIE: - function is still binded and visible to host, - setup requests are automatically stalled, - all another transfers are refused, - opening ep0 causes function close, and then FunctionFS is ready for descriptors and string write, - umount of functionfs cause function close. Signed-off-by: Robert Baldyga r.bald...@samsung.com Can you further explain how do you trigger this ? Do I understand correctly that you composed a gadget using configfs and that gadget has functionfs + another gadget ? Yes, I compose configfs gadget from functionfs + another gadget, and when functionfs daemon closes ep files, entire gadget get disconnected from host. FFS function is userspace code so there is no way to know when it will close files (it doesn't matter what is the reason of this situation, it can be daemon logic, program breakage, process kill or any other). So when we have another function in gadget which, for example, sends some amount of data, does some software update or implements some real-time functionality, we may want to keep the gadget connected despite FFS function is no longer functional. We can't just remove one of functions from gadget since it has been enumerated, so the only way we can do that is to make broken FFS function zombie. It will be still visible to host but it will no longer implement it's functionality. now that's an explanation. Can you update commit log with some of this info (once we agree on how to go about fixing this) ? I'm not sure we should try to fix this. The only case where this could trigger is if ffs daemon crashes and dies or somebody sends a bogus signal to kill it. A function cannot communicate with the host if it isn't functional and ffs depends on its userland daemon. If daemon is crashing, why not print a big WARN(closed %s while connected to host\n) ? That seems like it's as much as we can do from the kernel. Userland should know that they can't have a buggy ffs daemon. It's not a problem of buggy ffs daemon. The problem is that there are some non deterministic mechanisms in userspace like OOM killer. FFS daemon can be written very well but if we are out of memory it may become a victim. In this case reliability of whole gadget hurts a lot. If it's going about WARN(). I'm not enthusiastic about it. Userspace process dies all the time, that's quite normal;) I don't think that it is good idea to generate a warning on kernel level when some process dies. Kernel should be resistant for such situations and know how to deal with them (maybe user could select exact behavior, but it should be done on kernel site) yeah, and the way to deal with that is disconnecting from the host because that USB function, can't be functional anymore. I mean, imagine you try to e.g. unload pictures from your nice DSLR and that DSLR runs Linux and implements MTP or PTP using FFS. Then ptpd dies and you're still connected to the host so you can't know that something went wrong, the camera just stoped sending you data. So you figure: well, it must just be slow, I'll leave it here and go have a nap. Hours later and nothing has changed, because ptpd is still missing. If you disconnect from the host, however, user knows instantaneously that something went wrong. I don't think maintaining a zombie function is very nice. In fact, the very reason for adding usb_function_activate/deactivate was exactly to prevent us from ever connecting to a host with a non-working function. -- balbi signature.asc Description: Digital signature
RE: [PATCH] usb: gadget: f_fs: add zombie mode
Hi -Original Message- From: Felipe Balbi [mailto:ba...@ti.com] Sent: Tuesday, October 07, 2014 5:28 PM To: Krzysztof Opasiak Cc: ba...@ti.com; 'Robert Baldyga'; gre...@linuxfoundation.org; linux-usb@vger.kernel.org; linux-ker...@vger.kernel.org; min...@mina86.com; andrze...@samsung.com Subject: Re: [PATCH] usb: gadget: f_fs: add zombie mode Hi, On Tue, Oct 07, 2014 at 05:01:15PM +0200, Krzysztof Opasiak wrote: Hi, On Mon, Oct 06, 2014 at 01:25:14PM +0200, Robert Baldyga wrote: Since we can compose gadgets from many functions, there is the problem related to gadget breakage while FunctionFS daemon being closed. In some cases it's strongly desired to keep gadget alive for a while, despite FunctionFS files are closed, to allow another functions to complete some presumably critical operations. For this purpose this patch introduces zombie mode. It can be enabled by setting mount option zombie=1, and results with defering function closure to the moment of reopening ep0 file or filesystem umount. When ffs-state == FFS_ZOMBIE: - function is still binded and visible to host, - setup requests are automatically stalled, - all another transfers are refused, - opening ep0 causes function close, and then FunctionFS is ready for descriptors and string write, - umount of functionfs cause function close. Signed-off-by: Robert Baldyga r.bald...@samsung.com Can you further explain how do you trigger this ? Do I understand correctly that you composed a gadget using configfs and that gadget has functionfs + another gadget ? Yes, I compose configfs gadget from functionfs + another gadget, and when functionfs daemon closes ep files, entire gadget get disconnected from host. FFS function is userspace code so there is no way to know when it will close files (it doesn't matter what is the reason of this situation, it can be daemon logic, program breakage, process kill or any other). So when we have another function in gadget which, for example, sends some amount of data, does some software update or implements some real-time functionality, we may want to keep the gadget connected despite FFS function is no longer functional. We can't just remove one of functions from gadget since it has been enumerated, so the only way we can do that is to make broken FFS function zombie. It will be still visible to host but it will no longer implement it's functionality. now that's an explanation. Can you update commit log with some of this info (once we agree on how to go about fixing this) ? I'm not sure we should try to fix this. The only case where this could trigger is if ffs daemon crashes and dies or somebody sends a bogus signal to kill it. A function cannot communicate with the host if it isn't functional and ffs depends on its userland daemon. If daemon is crashing, why not print a big WARN(closed %s while connected to host\n) ? That seems like it's as much as we can do from the kernel. Userland should know that they can't have a buggy ffs daemon. It's not a problem of buggy ffs daemon. The problem is that there are some non deterministic mechanisms in userspace like OOM killer. FFS daemon can be written very well but if we are out of memory it may become a victim. In this case reliability of whole gadget hurts a lot. If it's going about WARN(). I'm not enthusiastic about it. Userspace process dies all the time, that's quite normal;) I don't think that it is good idea to generate a warning on kernel level when some process dies. Kernel should be resistant for such situations and know how to deal with them (maybe user could select exact behavior, but it should be done on kernel site) yeah, and the way to deal with that is disconnecting from the host because that USB function, can't be functional anymore. I mean, imagine you try to e.g. unload pictures from your nice DSLR and that DSLR runs Linux and implements MTP or PTP using FFS. Then ptpd dies and you're still connected to the host so you can't know that something went wrong, the camera just stoped sending you data. So you figure: well, it must just be slow, I'll leave it here and go have a nap. Hours later and nothing has changed, because ptpd is still missing. If you disconnect from the host, however, user knows instantaneously that something went wrong. Please believe me that I totally agree with you, but I also see Robert's point. Let's take ADB as example. Before ADB has been ported to FunctionFS it communicated with kernel using dev node provided by ADB function driver. With that infrastructure death of daemon didn't cause gadget unbind because kernel driver of that function was just stalling the endpoints. This allows
Re: [PATCH] usb: gadget: f_fs: add zombie mode
Hi, On Tue, Oct 07, 2014 at 06:37:26PM +0200, Krzysztof Opasiak wrote: [snip] yeah, and the way to deal with that is disconnecting from the host because that USB function, can't be functional anymore. I mean, imagine you try to e.g. unload pictures from your nice DSLR and that DSLR runs Linux and implements MTP or PTP using FFS. Then ptpd dies and you're still connected to the host so you can't know that something went wrong, the camera just stoped sending you data. So you figure: well, it must just be slow, I'll leave it here and go have a nap. Hours later and nothing has changed, because ptpd is still missing. If you disconnect from the host, however, user knows instantaneously that something went wrong. Please believe me that I totally agree with you, but I also see Robert's point. Let's take ADB as example. Before ADB has been ported to FunctionFS it communicated with kernel using dev node provided by ADB function driver. With that infrastructure death of daemon didn't cause gadget unbind because kernel driver of that function was just stalling the endpoints. This allows user to use all other functions of this I really mixed feelings about that. It's really counter-intuitive to allow a non-working function to be exposed to the host. gadget. In current design ADB uses FunctionFS and for example if daemon will be killed by OOM whole gadget get's unbind and user cannot use any other function. Don't you think that's a bit of regression? Why ? Why would you event want to keep the other functions working ? Since you're running out of memory anyway, you'd just delay the inevitable. Soon enough you won't be able to transfer files through mtp/ptp, or enable usb tethering, or any of that. I see and understand yours and Roberts point of view. Personally I'm not too enthusiastic about using this solution but I see some rationales for this and use cases. Summing it up, this patch may be useful in some case. Let's allow end user to decide whether to use this mode or not. I think that a few people will find this useful. It can't be only end user, we have to also consider USB certification. If we go to certification with a non-working function (say adbd crashed during init or whatever), then we won't pass certification. I would rather cause the gadget to disconnect so any crashes on adbd can be fixed and we pass certification, then exposing that non-working function to the host. OOM is another situation which we don't really have control over. There's nothing we can do to prevent an application from malloc(1 30) and cause OOM to go crazy, however arguably that application is wrong for allocating 1GiB of memory, in any case, you get the point :-) I don't think maintaining a zombie function is very nice. In fact, the very reason for adding usb_function_activate/deactivate was exactly to prevent us from ever connecting to a host with a non-working function. Here also I agree. Zombie mode should mock the function until first next enumeration or unbind. It should not be possible to bind gadget with function in zombie mode to UDC. Zombie mode should pretend only as long as gadget is bound and enumerated. Not really. We shouldn't even coonect to host until adbd is running. Now, when adbd crashes we fix adbd. If it gets killed due to OOM we can't even say ok, we'll buffer USB requests until adbd is restarted because, well, we're running out of memory. So, OOM we can't fix. Soon enough, another daemon (mtpd, ptpd, whatever) will be killed and another function will be left unusable. As for adbd/mtpd/ptpd crashes, those need to fixed and kernel should not have to deal with them in any way. -- balbi signature.asc Description: Digital signature
Re: [PATCH] usb: gadget: f_fs: add zombie mode
On Tue, 7 Oct 2014, Felipe Balbi wrote: Please believe me that I totally agree with you, but I also see Robert's point. Let's take ADB as example. Before ADB has been ported to FunctionFS it communicated with kernel using dev node provided by ADB function driver. With that infrastructure death of daemon didn't cause gadget unbind because kernel driver of that function was just stalling the endpoints. This allows user to use all other functions of this I really mixed feelings about that. It's really counter-intuitive to allow a non-working function to be exposed to the host. ... Here also I agree. Zombie mode should mock the function until first next enumeration or unbind. It should not be possible to bind gadget with function in zombie mode to UDC. Zombie mode should pretend only as long as gadget is bound and enumerated. Not really. We shouldn't even coonect to host until adbd is running. Now, when adbd crashes we fix adbd. If it gets killed due to OOM we can't even say ok, we'll buffer USB requests until adbd is restarted because, well, we're running out of memory. So, OOM we can't fix. Soon enough, another daemon (mtpd, ptpd, whatever) will be killed and another function will be left unusable. As for adbd/mtpd/ptpd crashes, those need to fixed and kernel should not have to deal with them in any way. It seems to me that we should imitate what an ordinary USB device would do. If part of the firmware crashes, generally you would expect none of the endpoints associated with that function to work. Either they refuse to accept output from the host or they stall everything. But endpoints associated with other parts of the firmware might very well continue to work okay. Don't buffer requests. Either allow the internal FIFOs to fill up or else reject everything. Any reasonable host will start getting timeout expirations and will realize that something is wrong. Alan Stern -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
Hi, On Tue, Oct 07, 2014 at 01:15:32PM -0400, Alan Stern wrote: Here also I agree. Zombie mode should mock the function until first next enumeration or unbind. It should not be possible to bind gadget with function in zombie mode to UDC. Zombie mode should pretend only as long as gadget is bound and enumerated. Not really. We shouldn't even coonect to host until adbd is running. Now, when adbd crashes we fix adbd. If it gets killed due to OOM we can't even say ok, we'll buffer USB requests until adbd is restarted because, well, we're running out of memory. So, OOM we can't fix. Soon enough, another daemon (mtpd, ptpd, whatever) will be killed and another function will be left unusable. As for adbd/mtpd/ptpd crashes, those need to fixed and kernel should not have to deal with them in any way. It seems to me that we should imitate what an ordinary USB device would do. If part of the firmware crashes, generally you would expect none of the endpoints associated with that function to work. Either they refuse to accept output from the host or they stall everything. But endpoints associated with other parts of the firmware might very well continue to work okay. dunno, I have never seen a USB device firmware crash and I don't think anybody deliberately does anything to make sure other parts of the device work. If it _does_ work, I'd assume it's really by chance. Don't buffer requests. Either allow the internal FIFOs to fill up or else reject everything. Any reasonable host will start getting timeout expirations and will realize that something is wrong. Right, but if we allow this, I can already see folks abusing to connect to the host early and only when necessary do some trickery to e.g. start adbd (not saying Android will do this, just using it as an easy example). Sure, we can deactivate and only activate when files are opened but is there any guarantee that when a process receives segfault that we will have, from FFS point of view, any information to know that the thing crashed ? I mean, a userland application can register its own handler for SIGSEGV/SIGKILL, right ? And that handler could very well just call close() on all file descriptors. Then how do we differentiate a normal close() from a oh-crap-I-died close() ? -- balbi signature.asc Description: Digital signature
Re: [PATCH] usb: gadget: f_fs: add zombie mode
On Tue, 7 Oct 2014, Felipe Balbi wrote: It seems to me that we should imitate what an ordinary USB device would do. If part of the firmware crashes, generally you would expect none of the endpoints associated with that function to work. Either they refuse to accept output from the host or they stall everything. But endpoints associated with other parts of the firmware might very well continue to work okay. dunno, I have never seen a USB device firmware crash and I don't think anybody deliberately does anything to make sure other parts of the device work. If it _does_ work, I'd assume it's really by chance. I've seen it happen lots of times, but only on single-function devices. When it somes to multi-function devices, who knows? Still, with the single-function devices, firmware crashes generally don't lead to disconnections. Sometimes they do, but usually they don't. Don't buffer requests. Either allow the internal FIFOs to fill up or else reject everything. Any reasonable host will start getting timeout expirations and will realize that something is wrong. Right, but if we allow this, I can already see folks abusing to connect to the host early and only when necessary do some trickery to e.g. start adbd (not saying Android will do this, just using it as an easy example). We can still keep the pullup turned off until all the functions are ready. That's a part of normal behavior -- unlike what happens when a userspace component crashes or is killed. Sure, we can deactivate and only activate when files are opened but is there any guarantee that when a process receives segfault that we will have, from FFS point of view, any information to know that the thing crashed ? I mean, a userland application can register its own handler for SIGSEGV/SIGKILL, right ? And that handler could very well just call close() on all file descriptors. Then how do we differentiate a normal close() from a oh-crap-I-died close() ? We can't, so why worry about it? If a file handle was closed for normal reasons then userspace probably in the middle of shutting down the gadget anyway. If not then the user will get what they deserve. If the file handle was closed for abnormal reasons, we can behave like crashed firmware. Which means, in the end, doing the same thing as in the normal-reason case -- i.e., do nothing. In particular, don't disconnect. If you want to allow for the possibility of orderly shutdown (and maybe even possible restart) of a userspace handler, the function library should first tell the kernel explicitly to disconnect. Then function components can be changed around completely, and when everything is ready, userspace can tell the kernel to connect again. Alan Stern -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
Hi, On Tue, Oct 07, 2014 at 02:42:33PM -0400, Alan Stern wrote: It seems to me that we should imitate what an ordinary USB device would do. If part of the firmware crashes, generally you would expect none of the endpoints associated with that function to work. Either they refuse to accept output from the host or they stall everything. But endpoints associated with other parts of the firmware might very well continue to work okay. dunno, I have never seen a USB device firmware crash and I don't think anybody deliberately does anything to make sure other parts of the device work. If it _does_ work, I'd assume it's really by chance. I've seen it happen lots of times, but only on single-function devices. When it somes to multi-function devices, who knows? Still, with the single-function devices, firmware crashes generally don't lead to disconnections. Sometimes they do, but usually they don't. Don't buffer requests. Either allow the internal FIFOs to fill up or else reject everything. Any reasonable host will start getting timeout expirations and will realize that something is wrong. Right, but if we allow this, I can already see folks abusing to connect to the host early and only when necessary do some trickery to e.g. start adbd (not saying Android will do this, just using it as an easy example). We can still keep the pullup turned off until all the functions are ready. That's a part of normal behavior -- unlike what happens when a userspace component crashes or is killed. Sure, we can deactivate and only activate when files are opened but is there any guarantee that when a process receives segfault that we will have, from FFS point of view, any information to know that the thing crashed ? I mean, a userland application can register its own handler for SIGSEGV/SIGKILL, right ? And that handler could very well just call close() on all file descriptors. Then how do we differentiate a normal close() from a oh-crap-I-died close() ? We can't, so why worry about it? because on close(), I want to disconnect data pullups :-) Everything has been tore down and there's nothing else to do. If a file handle was closed for normal reasons then userspace probably in the middle of shutting down the gadget anyway. If not then the user will get what they deserve. yeah, I think the same way about a crashing functionfs daemon :-) If the file handle was closed for abnormal reasons, we can behave like crashed firmware. Which means, in the end, doing the same thing as in the normal-reason case -- i.e., do nothing. In particular, don't disconnect. If you want to allow for the possibility of orderly shutdown (and maybe even possible restart) of a userspace handler, the function library should first tell the kernel explicitly to disconnect. Then function components can be changed around completely, and when everything is ready, userspace can tell the kernel to connect again. I still feel iffy about it, but I must say I understand where you're coming from. It's weird to force a disconnect, sure. I guess we could accept this with a new option (just not 'zombie', perhaps no_disconnect :-) but only if we still have the same delay pullups until daemon is running requirement. /me hides -- balbi signature.asc Description: Digital signature
Re: [PATCH] usb: gadget: f_fs: add zombie mode
On Tue, 7 Oct 2014, Felipe Balbi wrote: If the file handle was closed for abnormal reasons, we can behave like crashed firmware. Which means, in the end, doing the same thing as in the normal-reason case -- i.e., do nothing. In particular, don't disconnect. If you want to allow for the possibility of orderly shutdown (and maybe even possible restart) of a userspace handler, the function library should first tell the kernel explicitly to disconnect. Then function components can be changed around completely, and when everything is ready, userspace can tell the kernel to connect again. I still feel iffy about it, but I must say I understand where you're coming from. It's weird to force a disconnect, sure. I guess we could Well, it's not all that weird. Devices disconnect automatically when they receive a firmware update, so that they can reconnect with new descriptors. Much the same thing should happen if the user wants to replace one function driver with a different one. I guess the real idea is to give the user a choice of disconnecting or not. Don't always force the whole device to disconnect when one of the function drivers goes away. accept this with a new option (just not 'zombie', perhaps no_disconnect :-) but only if we still have the same delay pullups until daemon is running requirement. Seems reasonable to me. Or something that can be adjusted while the library is running, as opposed to setting an option once when the library starts. /me hides I'm out of further ideas. What do the library designers think? Alan Stern -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
On Tue, 7 Oct 2014, Felipe Balbi wrote: Right, but if we allow this, I can already see folks abusing to connect to the host early and only when necessary do some trickery to e.g. start adbd (not saying Android will do this, just using it as an easy example). I don't really see that happening. For the gadget to start all descriptors need to be known. Functionfs will know the descriptors only once the user space daemon provides them. Therefore, with the current features (or even with addition of Robert's feature) there is no way to let the gadget start without having the daemon running. On Tue, Oct 07 2014, Alan Stern st...@rowland.harvard.edu wrote: We can still keep the pullup turned off until all the functions are ready. That's a part of normal behavior -- unlike what happens when a userspace component crashes or is killed. Then how do we differentiate a normal close() from a oh-crap-I-died close() ? We can't, so why worry about it? We actually might be able to distinguish those cases with another ioctl which daemon must issue on the ep0 prior to closing it. I'm not saying that we should implement that though. If a file handle was closed for normal reasons then userspace probably in the middle of shutting down the gadget anyway. If not then the user will get what they deserve. If the file handle was closed for abnormal reasons, we can behave like crashed firmware. Which means, in the end, doing the same thing as in the normal-reason case -- i.e., do nothing. In particular, don't disconnect. If you want to allow for the possibility of orderly shutdown (and maybe even possible restart) of a userspace handler, the function library should first tell the kernel explicitly to disconnect. Then function components can be changed around completely, and when everything is ready, userspace can tell the kernel to connect again. I'm wondering if it would be possible to support user-space daemon restarts with O_APPEND flag. This is probably looking too far to the future though. -- Best regards, _ _ .o. | Liege of Serenely Enlightened Majesty of o' \,=./ `o ..o | Computer Science, Michał “mina86” Nazarewicz(o o) ooo +--m...@google.com--xmpp:min...@jabber.org--ooO--(_)--Ooo-- -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
On Mon, Oct 06 2014, Robert Baldyga r.bald...@samsung.com wrote: Since we can compose gadgets from many functions, there is the problem related to gadget breakage while FunctionFS daemon being closed. In some cases it's strongly desired to keep gadget alive for a while, despite FunctionFS files are closed, to allow another functions to complete some presumably critical operations. For this purpose this patch introduces zombie mode. It can be enabled by setting mount option zombie=1, and results with defering function closure to the moment of reopening ep0 file or filesystem umount. When ffs-state == FFS_ZOMBIE: - function is still binded and visible to host, - setup requests are automatically stalled, - all another transfers are refused, - opening ep0 causes function close, and then FunctionFS is ready for descriptors and string write, - umount of functionfs cause function close. However, all the ep# files will still exist on the filesystem. This may be a bit confusing and error-prone, no? Signed-off-by: Robert Baldyga r.bald...@samsung.com --- drivers/usb/gadget/function/f_fs.c | 25 ++--- drivers/usb/gadget/function/u_fs.h | 4 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c @@ -1222,6 +1225,12 @@ static int ffs_fs_parse_opts(struct ffs_sb_fill_data *data, char *opts) /* Interpret option */ switch (eq - opts) { + case 6: + if (!memcmp(opts, zombie, 6)) + data-zombie_mode = !!value; Unnecessary double space before =. + else + goto invalid; + break; case 5: if (!memcmp(opts, rmode, 5)) data-root_mode = (value 0555) | S_IFDIR; diff --git a/drivers/usb/gadget/function/u_fs.h b/drivers/usb/gadget/function/u_fs.h @@ -92,6 +92,8 @@ enum ffs_state { */ FFS_ACTIVE, + FFS_ZOMBIE, + Add comment describing the state. /* * All endpoints have been closed. This state is also set if * we encounter an unrecoverable error. The only -- Best regards, _ _ .o. | Liege of Serenely Enlightened Majesty of o' \,=./ `o ..o | Computer Science, Michał “mina86” Nazarewicz(o o) ooo +--m...@google.com--xmpp:min...@jabber.org--ooO--(_)--Ooo-- -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
On 10/06/2014 02:36 PM, Michal Nazarewicz wrote: On Mon, Oct 06 2014, Robert Baldyga r.bald...@samsung.com wrote: Since we can compose gadgets from many functions, there is the problem related to gadget breakage while FunctionFS daemon being closed. In some cases it's strongly desired to keep gadget alive for a while, despite FunctionFS files are closed, to allow another functions to complete some presumably critical operations. For this purpose this patch introduces zombie mode. It can be enabled by setting mount option zombie=1, and results with defering function closure to the moment of reopening ep0 file or filesystem umount. When ffs-state == FFS_ZOMBIE: - function is still binded and visible to host, - setup requests are automatically stalled, - all another transfers are refused, - opening ep0 causes function close, and then FunctionFS is ready for descriptors and string write, - umount of functionfs cause function close. However, all the ep# files will still exist on the filesystem. This may be a bit confusing and error-prone, no? Shouldn't be error-prone, because opening them will fail with -ENODEV, but indeed it can be confusing. I will try to do something about that :) Signed-off-by: Robert Baldyga r.bald...@samsung.com --- drivers/usb/gadget/function/f_fs.c | 25 ++--- drivers/usb/gadget/function/u_fs.h | 4 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c @@ -1222,6 +1225,12 @@ static int ffs_fs_parse_opts(struct ffs_sb_fill_data *data, char *opts) /* Interpret option */ switch (eq - opts) { +case 6: +if (!memcmp(opts, zombie, 6)) +data-zombie_mode = !!value; Unnecessary double space before =. +else +goto invalid; +break; case 5: if (!memcmp(opts, rmode, 5)) data-root_mode = (value 0555) | S_IFDIR; diff --git a/drivers/usb/gadget/function/u_fs.h b/drivers/usb/gadget/function/u_fs.h @@ -92,6 +92,8 @@ enum ffs_state { */ FFS_ACTIVE, +FFS_ZOMBIE, + Add comment describing the state. /* * All endpoints have been closed. This state is also set if * we encounter an unrecoverable error. The only Thanks, Robert Baldyga -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
On 10/06/2014 02:36 PM, Michal Nazarewicz wrote: However, all the ep# files will still exist on the filesystem. This may be a bit confusing and error-prone, no? On Mon, Oct 06 2014, Robert Baldyga r.bald...@samsung.com wrote: Shouldn't be error-prone, because opening them will fail with -ENODEV, but indeed it can be confusing. I will try to do something about that I could imagine someone will write shell script like so: ffs_active() { test -d $1 || return 1 set -- $1/ep* test $# -gt 1 } if ffs_active /dev/foo-ffs; then # … fi With such a script, non-functional ep# files in the functionfs mount point, could lead to some errors in user-space. I'm not saying that this should block on any kind of changes to the way the filesystem works when the function is inactive, but if possible, w/o a lot of additional code, I'd rather if all the files disappeared in a zombie state. -- Best regards, _ _ .o. | Liege of Serenely Enlightened Majesty of o' \,=./ `o ..o | Computer Science, Michał “mina86” Nazarewicz(o o) ooo +--m...@google.com--xmpp:min...@jabber.org--ooO--(_)--Ooo-- -- To unsubscribe from this list: send the line unsubscribe linux-usb in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] usb: gadget: f_fs: add zombie mode
Hi, On Mon, Oct 06, 2014 at 01:25:14PM +0200, Robert Baldyga wrote: Since we can compose gadgets from many functions, there is the problem related to gadget breakage while FunctionFS daemon being closed. In some cases it's strongly desired to keep gadget alive for a while, despite FunctionFS files are closed, to allow another functions to complete some presumably critical operations. For this purpose this patch introduces zombie mode. It can be enabled by setting mount option zombie=1, and results with defering function closure to the moment of reopening ep0 file or filesystem umount. When ffs-state == FFS_ZOMBIE: - function is still binded and visible to host, - setup requests are automatically stalled, - all another transfers are refused, - opening ep0 causes function close, and then FunctionFS is ready for descriptors and string write, - umount of functionfs cause function close. Signed-off-by: Robert Baldyga r.bald...@samsung.com Can you further explain how do you trigger this ? Do I understand correctly that you composed a gadget using configfs and that gadget has functionfs + another gadget ? Then what do you need to do the trigger the issue, and what really _is_ the issue ? Is gadget disconnecting from host too early ? Do you see a crash ? Memory leak ? Any logs available ? Any steps to reproduce ? Quite frankly, I don't really like this zombie mode. joke I know there's a The Walking Dead hype right now, but this is too much. /joke Anyway, please giver me further details of how to get this done. -- balbi signature.asc Description: Digital signature