On Mo, 2019-09-23 at 15:58 +0200, Philipp Puschmann wrote: > BD_DONE flag marks ownership of the buffer. When 1 SDMA owns the > buffer, when 0 ARM owns it. When processing the buffers in > sdma_update_channel_loop the ownership of the currently processed > buffer was set to SDMA again before running the callback function of > the buffer and while the sdma script may be running in parallel. So > there was the possibility to get the buffer overwritten by SDMA > before > it has been processed by kernel leading to kind of random errors in > the > upper layers, e.g. bluetooth. > > Fixes: 1ec1e82f2510 ("dmaengine: Add Freescale i.MX SDMA support") > Signed-off-by: Philipp Puschmann <philipp.puschmann@xxxxxxxxx> Reviewed-by: Lucas Stach <l.stach@xxxxxxxxxxxxxx> > --- > > Changelog v5: > - no changes > > Changelog v4: > - fixed the fixes tag > > Changelog v3: > - use correct dma_wmb() instead of dma_wb() > - add fixes tag > > Changelog v2: > - add dma_wb() > > drivers/dma/imx-sdma.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c > index 9ba74ab7e912..b42281604e54 100644 > --- a/drivers/dma/imx-sdma.c > +++ b/drivers/dma/imx-sdma.c > @@ -802,7 +802,6 @@ static void sdma_update_channel_loop(struct > sdma_channel *sdmac) > */ > > desc->chn_real_count = bd->mode.count; > - bd->mode.status |= BD_DONE; > bd->mode.count = desc->period_len; > desc->buf_ptail = desc->buf_tail; > desc->buf_tail = (desc->buf_tail + 1) % desc->num_bd; > @@ -817,6 +816,9 @@ static void sdma_update_channel_loop(struct > sdma_channel *sdmac) > dmaengine_desc_get_callback_invoke(&desc->vd.tx, NULL); > spin_lock(&sdmac->vc.lock); > > + dma_wmb(); > + bd->mode.status |= BD_DONE; > + > if (error) > sdmac->status = old_status; > }
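Review bot: in the first hunk (@@ -802,7 +802,6 @@), `bd->mode.count = desc->period_len;` is still written before the callback, while the BD_DONE write has moved to after it, so handing the descriptor back to SDMA is now split across the callback invocation. Consider moving the count reset down next to `bd->mode.status |= BD_DONE;` so the whole hand-back sits in one place behind the dma_wmb(). Alternatively, leave a one-line comment where the status write was removed, stating that ownership is intentionally returned only after the callback, so the line is not re-added later.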
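Review bot: the `dma_wmb();` added after `spin_lock(&sdmac->vc.lock);` in the second hunk (@@ -817,6 +816,9 @@) has no comment. Please add one saying what it orders: the earlier CPU writes to the descriptor, such as the `bd->mode.count` reset, before the `bd->mode.status |= BD_DONE;` write that returns ownership to SDMA. Separately, `bd` was obtained before the callback ran, and the `spin_lock()` immediately after `dmaengine_desc_get_callback_invoke()` indicates the lock is not held across the callback. Please confirm that the descriptor ring cannot be freed or replaced during the callback before `bd->mode.status` is written here, and say so in the commit message or a comment.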