tty: serial: sh-sci: hrtimer not properly canceled on chan_rx invalidation?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,
using drivers/tty/serial/sh-sci.c (on 4.14.x Renesas BSP) what is quite similar to [1] we got [2]. 

Analyzing this we found that in sci_dma_rx_timer_fn() s->chan_rx is NULL.
Is there any chance that there is a race condition where the timer function sci_dma_rx_timer_fn() is called while s->chan_rx is invalidated, already. E.g. via sci_dma_rx_chan_invalidate()/sci_dma_rx_release()? Or anything else? 

Any idea?

Best regards

Dirk
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/tty/serial/sh-sci.c 

[2]

Unable to handle kernel NULL pointer dereference at virtual address 00000000
Mem abort info:
  Exception class = DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgd = ffff80061f6ba000
[0000000000000000] *pgd=000000065f6c0003, *pud=000000065f6bf003, *pmd=0000000000000000 
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Process (pid: 3983, stack limit = 0xffff000009540000)
CPU: 2 PID: 3983 Tainted: G         C      4.14.327-ltsi #1
Hardware name: Bosch custom board based on r8a7796 (DT)
pc : sci_dma_rx_timer_fn+0x64/0x194
lr : sci_dma_rx_timer_fn+0x3c/0x194
sp : ffff000008013df0 pstate : 600001c5
x29: ffff000008013df0 x28: ffff0000084055e8
x27: 00000060cce93e4e x26: 0000000000000003
x25: ffff000008c48b38 x24: 0000000000000000
x23: 00000000000001c0 x22: ffff000008d98708
x21: ffff000008999000 x20: 0000000000000000
x19: ffff000008d98810 x18: 00004000362715f6
x17: 00000039f1fc5610 x16: 00000039f22bd748
x15: 000007b1e26dc9d4 x14: 000112a7eb4cd8a2
x13: 00000000631508c6 x12: 0000000000000028
x11: 0101010101010101 x10: 0000000000000000
x9 : 00000000000000cc x8 : ffff800696c04500
x7 : 0000000000000064 x6 : ffff000008d98b08
x5 : ffff00000a923e31 x4 : ffff80069ff09580
x3 : ffff00000a923e30 x2 : 0000000000000000
x1 : 00000000ffffffea x0 : 0000000000000000
Call trace:
 sci_dma_rx_timer_fn+0x64/0x194
 __hrtimer_run_queues+0x19c/0x2f8
 hrtimer_interrupt+0xa0/0x1b0
 arch_timer_handler_phys+0x28/0x3c
 handle_percpu_devid_irq+0xbc/0x268
 generic_handle_irq+0x18/0x2c
 __handle_domain_irq+0xa8/0xac
 gic_handle_irq+0x68/0xa8
 el0_irq_naked+0x50/0x5c
Code: 6b00003f 54000101 52800034 f941aac0 (f9400002)
---[ end trace 07c3c96aa9b5135e ]---
Kernel panic - not syncing: Fatal exception in interrupt
SMP: stopping secondary CPUs
Kernel Offset: disabled
CPU features: 0x61002004
Memory Limit: 6016 MB
Rebooting in 3 seconds..
[Index of Archives]     [Linux Samsung SOC]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux