Quoting Douglas Anderson (2020-07-20 17:24:53)
> When I have KASAN enabled on my kernel and I start stressing the
> touchscreen my system tends to hang. The touchscreen is one of the
> only things that does a lot of big i2c transfers and ends up hitting
> the DMA paths in the geni i2c driver. It appears that KASAN adds
> enough delay in my system to tickle a race condition in the DMA setup
> code.
>
> When the system hangs, I found that it was running the geni_i2c_irq()
> over and over again. It had these:
>
> m_stat = 0x04000080
> rx_st = 0x30000011
> dm_tx_st = 0x00000000
> dm_rx_st = 0x00000000
> dma = 0x00000001
>
> Notably we're in DMA mode but are getting M_RX_IRQ_EN and
> M_RX_FIFO_WATERMARK_EN over and over again.
>
> Putting some traces in geni_i2c_rx_one_msg() showed that when we
> failed we were getting to the start of geni_i2c_rx_one_msg() but were
> never executing geni_se_rx_dma_prep().
>
> I believe that the problem here is that we are writing the transfer
> length and setting up the geni command before we run
> geni_se_rx_dma_prep(). If a transfer makes it far enough before we do
> that then we get into the state I have observed. Let's change the
> order, which seems to work fine.
Does the length matter or the I2C_READ m_cmd matter? Or somehow both?
Otherwise it sounds correct to me that we're configuring it to start the
read before mapping the buffer.
>
> Fixes: 37692de5d523 ("i2c: i2c-qcom-geni: Add bus driver for the Qualcomm GENI I2C controller")
> Signed-off-by: Douglas Anderson <dianders@xxxxxxxxxxxx>
> ---
>
> drivers/i2c/busses/i2c-qcom-geni.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
> index 18d1e4fd4cf3..21e27f10510a 100644
> --- a/drivers/i2c/busses/i2c-qcom-geni.c
> +++ b/drivers/i2c/busses/i2c-qcom-geni.c
> @@ -366,15 +366,15 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
> else
> geni_se_select_mode(se, GENI_SE_FIFO);
>
> - writel_relaxed(len, se->base + SE_I2C_RX_TRANS_LEN);
> - geni_se_setup_m_cmd(se, I2C_READ, m_param);
> -
> if (dma_buf && geni_se_rx_dma_prep(se, dma_buf, len, &rx_dma)) {
> geni_se_select_mode(se, GENI_SE_FIFO);
> i2c_put_dma_safe_msg_buf(dma_buf, msg, false);
> dma_buf = NULL;
> }
>
I worry that we also need a dmb() here to make sure the dma buffer is
properly mapped before this write to the device is attempted. But it may
only matter to be before the I2C_READ.
> + writel_relaxed(len, se->base + SE_I2C_RX_TRANS_LEN);
> + geni_se_setup_m_cmd(se, I2C_READ, m_param);
> +
> time_left = wait_for_completion_timeout(&gi2c->done, XFER_TIMEOUT);
> if (!time_left)
> geni_i2c_abort_xfer(gi2c);
