Re: tty: serial: sh-sci: hrtimer not properly canceled on chan_rx invalidation?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Wolfram,

On Tue, Apr 16, 2024 at 1:49 PM Wolfram Sang
<wsa+renesas@xxxxxxxxxxxxxxxxxxxx> wrote:
> > Analyzing this we found that in sci_dma_rx_timer_fn() s->chan_rx is NULL.
>
> Again, good catch. Thank you! Here is the outcome of my first debugging
> session...
>
> > Is there any chance that there is a race condition where the timer function
> > sci_dma_rx_timer_fn() is called while s->chan_rx is invalidated, already.
> > E.g. via sci_dma_rx_chan_invalidate()/sci_dma_rx_release()? Or anything
> > else?
>
> Only 'sci_dma_rx_chan_invalidate' clears s->chan_rx. I think these paths
> involving 'sci_dma_rx_chan_invalidate' are OK:
>
> sci_dma_rx_chan_invalidate <- sci_dma_rx_release <- sci_free_dma ...
>
> A) <- sci_startup (no issue because interrupts could not be requested
>                    and RX DMA is started in an interrupt)
>
> B) <- sci_shutdown (no issue because 'hrtimer_cancel' has been called
>                     before freeing DMA)
>
> This path also seems ok:
>
> sci_dma_rx_chan_invalidate <- sci_dma_rx_submit (error path)
>   <- sci_rx_interrupt (no issue because timer is started after
>                        'sci_dma_rx_submit')
>
> This path looks problematic:
>
> sci_dma_rx_chan_invalidate <- sci_dma_rx_complete (error path)
>
> The timer is started before DMA is set up. In the unlikely event of the
> DMA setup failing, s->chan_rx will be cleared while the timer has
> already been started. This is in deed a very rare condition.

Or when the previous (still running) timer expires...

> The problem is that I cannot trigger the code patch so far. It is easy
> to force 'sci_dma_rx_complete' to bail out but, so far, I couldn't get
> it called.

Note that DMA is disabled for the serial console, cfr. the check for
uart_console() in sci_request_dma().  For testing, you can just remove
that check.

Also, plain text typing (on the serial console, or on a getty running
on a secondary port) does not trigger a DMA RX transfer.  Pasting
a block of text larger than the FIFO size to the terminal should
trigger DMA RX.

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
[Index of Archives]     [Linux Samsung SOC]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux