Gitiles
Code Review Sign In
review.evervolv.com / android_kernel_htc_msm8960 / bb6da9546e90fc34b1f42e1f41e3b474810f5d36^! / . / arch / arm / mach-msm / bam_dmux.c
commitbb6da9546e90fc34b1f42e1f41e3b474810f5d36[log] [tgz]
authorJeff Hugo <jhugo@codeaurora.org>Mon Jan 16 15:02:42 2012 -0700
committerJeff Hugo <jhugo@codeaurora.org>Thu Jan 19 10:02:41 2012 -0700
treeec72f3e31450b95a42edc5486a6c6fe5adf6c4be
parent66f7f1ea5a32845eed2d2472cf5b7793f463577e [diff] [blame]
msm: bam_dmux: extend tx list lock around sps_transfer_one()

The tx list must be kept in sync with the packets queued to BAM via
sps_transfer_one().  Releasing the tx list lock allows a small window
to exist where the tx list could lose sync and possibly cause a crash
later on.  Since sps_transfer_one() can be run in atomic context, do
not release the list lock until after sps_transfer_one() returns.

Change-Id: Ibd79e983c04a1e050ec83252d0156844f6af3594
Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>

diff --git a/arch/arm/mach-msm/bam_dmux.c b/arch/arm/mach-msm/bam_dmux.c
index 0e4c756..852d690 100644
--- a/arch/arm/mach-msm/bam_dmux.c
+++ b/arch/arm/mach-msm/bam_dmux.c

@@ -551,16 +551,16 @@
 	INIT_WORK(&pkt->work, bam_mux_write_done);
 	spin_lock_irqsave(&bam_tx_pool_spinlock, flags);
 	list_add_tail(&pkt->list_node, &bam_tx_pool);
-	spin_unlock_irqrestore(&bam_tx_pool_spinlock, flags);
 	rc = sps_transfer_one(bam_tx_pipe, dma_address, len,
 				pkt, SPS_IOVEC_FLAG_INT | SPS_IOVEC_FLAG_EOT);
 	if (rc) {
 		DBG("%s sps_transfer_one failed rc=%d\n", __func__, rc);
-		spin_lock_irqsave(&bam_tx_pool_spinlock, flags);
 		list_del(&pkt->list_node);
 		DBG_INC_TX_SPS_FAILURE_CNT();
 		spin_unlock_irqrestore(&bam_tx_pool_spinlock, flags);
 		kfree(pkt);
+	} else {
+		spin_unlock_irqrestore(&bam_tx_pool_spinlock, flags);
 	}
 
 	ul_packet_written = 1;
@@ -718,12 +718,10 @@
 	INIT_WORK(&pkt->work, bam_mux_write_done);
 	spin_lock_irqsave(&bam_tx_pool_spinlock, flags);
 	list_add_tail(&pkt->list_node, &bam_tx_pool);
-	spin_unlock_irqrestore(&bam_tx_pool_spinlock, flags);
 	rc = sps_transfer_one(bam_tx_pipe, dma_address, skb->len,
 				pkt, SPS_IOVEC_FLAG_INT | SPS_IOVEC_FLAG_EOT);
 	if (rc) {
 		DBG("%s sps_transfer_one failed rc=%d\n", __func__, rc);
-		spin_lock_irqsave(&bam_tx_pool_spinlock, flags);
 		list_del(&pkt->list_node);
 		DBG_INC_TX_SPS_FAILURE_CNT();
 		spin_unlock_irqrestore(&bam_tx_pool_spinlock, flags);
@@ -731,6 +729,7 @@
 		if (new_skb)
 			dev_kfree_skb_any(new_skb);
 	} else {
+		spin_unlock_irqrestore(&bam_tx_pool_spinlock, flags);
 		spin_lock_irqsave(&bam_ch[id].lock, flags);
 		bam_ch[id].num_tx_pkts++;
 		spin_unlock_irqrestore(&bam_ch[id].lock, flags);