Re: [PATCH v1] serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ

Next message: Pratyush Yadav: "Re: [PATCH v1 1/3] liveupdate: skip serialization for context-preserving kexec"
Previous message: Tudor Ambarus: "Re: [PATCH v5 0/7] firmware: samsung: acpm: Various fixes for sashiko bug reports"
In reply to: Viken Dadhaniya: "[PATCH v1] serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Bartosz Golaszewski

Date: Wed May 06 2026 - 04:32:07 EST

On Wed, 6 May 2026 06:45:21 +0200, Viken Dadhaniya
<viken.dadhaniya@xxxxxxxxxxxxxxxx> said:
> When uart_flush_buffer() runs before the DMA completion IRQ is delivered,
> the following race can occur (all steps serialized by uart_port_lock):
>
> 1. DMA starts: tx_remaining = N, kfifo contains N bytes
> 2. DMA completes in hardware; IRQ is pending but not yet delivered
> 3. uart_flush_buffer() acquires the port lock and calls kfifo_reset(),
> making kfifo_len() = 0 while tx_remaining remains N
> 4. uart_flush_buffer() releases the port lock
> 5. DMA IRQ fires; handle_tx_dma() acquires the port lock and calls
> uart_xmit_advance(uport, tx_remaining) on an empty kfifo
>
> uart_xmit_advance() increments kfifo->out by tx_remaining. Since
> kfifo_reset() already set both in and out to 0, out wraps past in,
> causing kfifo_len() to return UART_XMIT_SIZE - tx_remaining. The next
> start_tx_dma() call then submits a DMA transfer of stale buffer data.
>
> Fix this by snapshotting kfifo_len() at the start of handle_tx_dma()
> and skipping uart_xmit_advance() when fifo_len < tx_remaining, which
> indicates the kfifo was reset by a preceding flush.
>
> Fixes: 2aaa43c70778 ("tty: serial: qcom-geni-serial: add support for serial engine DMA")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Viken Dadhaniya <viken.dadhaniya@xxxxxxxxxxxxxxxx>
> ---

Make sense, thanks.

Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxxxxxxxx>