msm: bam_dmux: Extend locking around SPS transfer call
When a new receive packet is created in queue_rx(), it is added to the
receive packet queue and also queued with the SPS driver. Once the
packet is filled, then BAM DMUX calls sps_get_iovec() to get the filled
receive buffer. BAM DMUX then pulls the receive packet info off of the
RX queue and compares the DMA address from the sps_get_iovec() call to
the expected DMA address. In some cases, they do not match resulting in
BAM DMUX processing the wrong RX buffer.
Going back to the queue_rx() processing, the packet is added to the
receive queue with a mutex locked, but then the mutex is unlocked before
the call to sps_transfer_one() which allows a race condition to exist if
multiple threads call queue_rx().
During normal operation, queue_rx() is only called by the
single-threaded receive workqueue, but during the call to
reconnect_to_bam(), a race condition is expected between the call to
rx_siwtch_to_interrupt_mode() and the final call to queue_rx() if a
packet comes in and is processed before the queue_rx() call is
completed.
This change extends the receive pool mutex locking around
sps_transfer_one() call which resolves the issue.
CRs-Fixed: 377609
Change-Id: Iba5b10e291a1612846fa58dae87aadbd79aa297b
Signed-off-by: Eric Holmberg <eholmber@codeaurora.org>
diff --git a/arch/arm/mach-msm/bam_dmux.c b/arch/arm/mach-msm/bam_dmux.c
index a44ba7a..813824e 100644
--- a/arch/arm/mach-msm/bam_dmux.c
+++ b/arch/arm/mach-msm/bam_dmux.c
@@ -434,30 +434,26 @@
mutex_lock(&bam_rx_pool_mutexlock);
list_add_tail(&info->list_node, &bam_rx_pool);
rx_len_cached = ++bam_rx_pool_len;
- mutex_unlock(&bam_rx_pool_mutexlock);
-
ret = sps_transfer_one(bam_rx_pipe, info->dma_address,
BUFFER_SIZE, info,
SPS_IOVEC_FLAG_INT | SPS_IOVEC_FLAG_EOT);
-
if (ret) {
+ list_del(&info->list_node);
+ rx_len_cached = --bam_rx_pool_len;
+ mutex_unlock(&bam_rx_pool_mutexlock);
DMUX_LOG_KERR("%s: sps_transfer_one failed %d\n",
__func__, ret);
- goto fail_transfer;
+
+ dma_unmap_single(NULL, info->dma_address, BUFFER_SIZE,
+ DMA_FROM_DEVICE);
+
+ goto fail_skb;
}
+ mutex_unlock(&bam_rx_pool_mutexlock);
+
}
return;
-fail_transfer:
- mutex_lock(&bam_rx_pool_mutexlock);
- list_del(&info->list_node);
- --bam_rx_pool_len;
- rx_len_cached = bam_rx_pool_len;
- mutex_unlock(&bam_rx_pool_mutexlock);
-
- dma_unmap_single(NULL, info->dma_address, BUFFER_SIZE,
- DMA_FROM_DEVICE);
-
fail_skb:
dev_kfree_skb_any(info->skb);
@@ -1078,18 +1074,29 @@
mutex_lock(&bam_rx_pool_mutexlock);
if (unlikely(list_empty(&bam_rx_pool))) {
+ DMUX_LOG_KERR("%s: have iovec %p but rx pool empty\n",
+ __func__, (void *)iov.addr);
mutex_unlock(&bam_rx_pool_mutexlock);
continue;
}
info = list_first_entry(&bam_rx_pool, struct rx_pkt_info,
list_node);
+ if (info->dma_address != iov.addr) {
+ DMUX_LOG_KERR("%s: iovec %p != dma %p\n",
+ __func__,
+ (void *)iov.addr,
+ (void *)info->dma_address);
+ list_for_each_entry(info, &bam_rx_pool, list_node) {
+ DMUX_LOG_KERR("%s: dma %p\n", __func__,
+ (void *)info->dma_address);
+ if (iov.addr == info->dma_address)
+ break;
+ }
+ }
+ BUG_ON(info->dma_address != iov.addr);
list_del(&info->list_node);
--bam_rx_pool_len;
mutex_unlock(&bam_rx_pool_mutexlock);
- if (info->dma_address != iov.addr)
- DMUX_LOG_KERR("%s: iovec %p != dma %p\n",
- __func__,
- (void *)info->dma_address, (void *)iov.addr);
handle_bam_mux_cmd(&info->work);
}
return;
@@ -1123,13 +1130,30 @@
inactive_cycles = 0;
mutex_lock(&bam_rx_pool_mutexlock);
if (unlikely(list_empty(&bam_rx_pool))) {
+ DMUX_LOG_KERR(
+ "%s: have iovec %p but rx pool empty\n",
+ __func__, (void *)iov.addr);
mutex_unlock(&bam_rx_pool_mutexlock);
continue;
}
info = list_first_entry(&bam_rx_pool,
struct rx_pkt_info, list_node);
- --bam_rx_pool_len;
+ if (info->dma_address != iov.addr) {
+ DMUX_LOG_KERR("%s: iovec %p != dma %p\n",
+ __func__,
+ (void *)iov.addr,
+ (void *)info->dma_address);
+ list_for_each_entry(info, &bam_rx_pool,
+ list_node) {
+ DMUX_LOG_KERR("%s: dma %p\n", __func__,
+ (void *)info->dma_address);
+ if (iov.addr == info->dma_address)
+ break;
+ }
+ }
+ BUG_ON(info->dma_address != iov.addr);
list_del(&info->list_node);
+ --bam_rx_pool_len;
mutex_unlock(&bam_rx_pool_mutexlock);
handle_bam_mux_cmd(&info->work);
}