Hi, On Tue, Oct 07, 2014 at 01:15:32PM -0400, Alan Stern wrote: > > > Here also I agree. Zombie mode should "mock" the function until first > > > next enumeration or unbind. It should not be possible to bind gadget > > > with function in zombie mode to UDC. Zombie mode should "pretend" only > > > as long as gadget is bound and enumerated. > > > > Not really. We shouldn't even coonect to host until adbd is running. > > Now, when adbd crashes we fix adbd. If it gets killed due to OOM we > > can't even say "ok, we'll buffer USB requests until adbd is restarted" > > because, well, we're running out of memory. > > > > So, OOM we can't fix. Soon enough, another daemon (mtpd, ptpd, whatever) > > will be killed and another function will be left unusable. > > > > As for adbd/mtpd/ptpd crashes, those need to fixed and kernel should not > > have to deal with them in any way. > > It seems to me that we should imitate what an ordinary USB device would > do. If part of the firmware crashes, generally you would expect none > of the endpoints associated with that function to work. Either they > refuse to accept output from the host or they stall everything. But > endpoints associated with other parts of the firmware might very well > continue to work okay. dunno, I have never seen a USB device firmware crash and I don't think anybody deliberately does anything to make sure other parts of the device work. If it _does_ work, I'd assume it's really by chance. > Don't buffer requests. Either allow the internal FIFOs to fill up or > else reject everything. Any reasonable host will start getting timeout > expirations and will realize that something is wrong. Right, but if we allow this, I can already see folks abusing to connect to the host early and only when necessary do some trickery to e.g. start adbd (not saying Android will do this, just using it as an easy example). Sure, we can deactivate and only activate when files are opened but is there any guarantee that when a process receives segfault that we will have, from FFS point of view, any information to know that the thing crashed ? I mean, a userland application can register its own handler for SIGSEGV/SIGKILL, right ? And that handler could very well just call close() on all file descriptors. Then how do we differentiate a normal close() from a "oh-crap-I-died" close() ? -- balbi
Attachment:
signature.asc
Description: Digital signature
