Re: [PATCH] dmaengine: pl330: fix the race condition in pl330 driver.

From: Jassi Brar
Date: Tue Mar 31 2015 - 01:20:35 EST


On Tue, Mar 31, 2015 at 9:10 AM, Scott Branden <sbranden@xxxxxxxxxxxx> wrote:
> Hi Vinod, Jassi,
>
> Some details on the problem encountered.
>
>
> On 15-03-30 10:25 AM, Vinod Koul wrote:
>>
>> On Mon, Mar 30, 2015 at 10:17:17PM +0530, Jassi Brar wrote:
>>>
>>> On Fri, Mar 27, 2015 at 5:25 AM, Scott Branden <sbranden@xxxxxxxxxxxx>
>>> wrote:
>>>>
>>>> From: ismail <ismail@xxxxxxxxxxxx>
>>>>
>>>> Update the thread running index before issuing the
>>>> GO command to the DMAC.
>>>>
>>>> Tested-by: Mohamed Ismail Abdul Packir Mohamed <ismail@xxxxxxxxxxxx>
>>>> Reviewed-by: Ray Jui <rjui@xxxxxxxxxxxx>
>>>> Reviewed-by: Arun Parameswaran <aparames@xxxxxxxxxxxx>
>>>> Reviewed-by: Scott Branden <sbranden@xxxxxxxxxxxx>
>>>> Signed-off-by: Scott Branden <sbranden@xxxxxxxxxxxx>
>>>> Signed-off-by: Mohamed Ismail Abdul Packir Mohamed <ismail@xxxxxxxxxxxx>
>>>> ---
>>>> drivers/dma/pl330.c | 4 ++--
>>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
>>>> index 0e1f567..631642d 100644
>>>> --- a/drivers/dma/pl330.c
>>>> +++ b/drivers/dma/pl330.c
>>>> @@ -1072,11 +1072,11 @@ static bool _trigger(struct pl330_thread *thrd)
>>>> /* Set to generate interrupts for SEV */
>>>> writel(readl(regs + INTEN) | (1 << thrd->ev), regs + INTEN);
>>>>
>>>> + thrd->req_running = idx;
>>>> +
>>>> /* Only manager can execute GO */
>>>> _execute_DBGINSN(thrd, insn, true);
>>>>
>>>> - thrd->req_running = idx;
>>>> -
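Review bot: The moved `thrd->req_running = idx;` relies on statement order alone: the hunk shows no lock around the store and `_execute_DBGINSN(thrd, insn, true)`, so nothing visible here serializes `_trigger()` against the completion path. The changelog should describe the failure being fixed (what breaks when the interrupt arrives first), and if the reordering is kept, a comment above the store should say why it must precede GO so that it is not moved back later.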
>>>
>>> It would help to know what the behavior looks like before and after
>>> the patch. If anything we should look at locking rather than the
>>> reordering.
>>
>> Yes that is a fair request, looking at changelog it is hard to understand
>> the issue seen?
>>
> We encountered this problem as we modified the driver to make SMC calls to a
> TZ handler. This slowed down the driver to the point where DMA transactions
> easily failed. I believe the same could be accomplished by adding a delay
> between the GOCMD and update of the req_running and running the built in
> dmatest.
>
> The DMA transaction is broken if the interrupt occurs before the
> thrd->req_running is updated.
>
> The pl330 issues a GOCMD (in _trigger function) to start a new transfer.
>
> The issue of GOCMD generates an interrupt and the IRQ handler will call the
> pl330_update function to process the interrupt.
>
> The pl330_update function will verify the thread running index and break the
> transaction, if the thread running index is not set.
>
As I suspected the locking seems screwed up. The following patch
should fix the race properly. Can you please test the attached patches
instead?

Thanks.
From 1c44fc936d05fef3259354da1574c536ed1691c7 Mon Sep 17 00:00:00 2001
From: Jassi Brar <jaswinder.singh@xxxxxxxxxx>
Date: Tue, 31 Mar 2015 10:16:46 +0530
Subject: [PATCH 1/2] dma: pl330: change busy marker for threads

Instead of a boolean flag to mark a thread busy, use the owner of
the thread as the marker. For free/available threads, the owner is
NULL. This will be useful in finding which channel owns a given
thread.

Signed-off-by: Jassi Brar <jaswinder.singh@xxxxxxxxxx>
---
drivers/dma/pl330.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
index 0e1f567..d1f777e 100644
--- a/drivers/dma/pl330.c
+++ b/drivers/dma/pl330.c
@@ -369,8 +369,7 @@ struct _pl330_tbd {
struct pl330_thread {
u8 id;
int ev;
- /* If the channel is not yet acquired by any client */
- bool free;
+ struct dma_pl330_chan *pch;
/* Parent DMAC */
struct pl330_dmac *dmac;
/* Only two at a time */
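Review bot: The new `struct dma_pl330_chan *pch;` member loses the documentation the removed `free` field had. Add a comment stating that it points to the owning channel and is NULL while the thread is not acquired by any client, since the later hunks use `!thrd->pch` as the availability test.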
@@ -1648,7 +1647,8 @@ static bool _chan_ns(const struct pl330_dmac *pl330, int i)
/* Upon success, returns IdentityToken for the
* allocated channel, NULL otherwise.
*/
-static struct pl330_thread *pl330_request_channel(struct pl330_dmac *pl330)
+static struct pl330_thread *pl330_request_channel(struct pl330_dmac *pl330,
+ struct dma_pl330_chan *pch)
{
struct pl330_thread *thrd = NULL;
unsigned long flags;
@@ -1663,11 +1663,11 @@ static struct pl330_thread *pl330_request_channel(struct pl330_dmac *pl330)

for (i = 0; i < chans; i++) {
thrd = &pl330->channels[i];
- if ((thrd->free) && (!_manager_ns(thrd) ||
+ if (!thrd->pch && (!_manager_ns(thrd) ||
_chan_ns(pl330, i))) {
thrd->ev = _alloc_event(thrd);
if (thrd->ev >= 0) {
- thrd->free = false;
+ thrd->pch = pch;
thrd->lstenq = 1;
thrd->req[0].desc = NULL;
thrd->req[1].desc = NULL;
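Review bot: `thrd->pch = pch;` stores the caller's pointer unchecked, yet `!thrd->pch` is now the test for a free thread, so a NULL `pch` argument would leave an allocated thread (its event already taken by `_alloc_event()`) still looking available on the next scan. Reject a NULL `pch` at the top of `pl330_request_channel()`, or document that the argument must be non-NULL.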
@@ -1699,7 +1699,7 @@ static void pl330_release_channel(struct pl330_thread *thrd)
struct pl330_dmac *pl330;
unsigned long flags;

- if (!thrd || thrd->free)
+ if (!thrd || !thrd->pch)
return;

_stop(thrd);
@@ -1711,7 +1711,7 @@ static void pl330_release_channel(struct pl330_thread *thrd)

spin_lock_irqsave(&pl330->lock, flags);
_free_event(thrd, thrd->ev);
- thrd->free = true;
+ thrd->pch = NULL;
spin_unlock_irqrestore(&pl330->lock, flags);
}

@@ -1797,14 +1797,14 @@ static int dmac_alloc_threads(struct pl330_dmac *pl330)
thrd->id = i;
thrd->dmac = pl330;
_reset_thread(thrd);
- thrd->free = true;
+ thrd->pch = NULL;
}

/* MANAGER is indexed at the end */
thrd = &pl330->channels[chans];
thrd->id = chans;
thrd->dmac = pl330;
- thrd->free = false;
+ thrd->pch = NULL;
pl330->manager = thrd;

return 0;
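Review bot: For the manager thread, `thrd->free = false` becomes `thrd->pch = NULL`, which under the new convention marks the manager as unowned, the opposite of what the old line recorded. If that is intentional because the manager has no owning channel, say so in a comment here; otherwise any `!thrd->pch` test that reaches the manager will now treat it as a free thread.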
@@ -2082,7 +2082,7 @@ static int pl330_alloc_chan_resources(struct dma_chan *chan)
dma_cookie_init(chan);
pch->cyclic = false;

- pch->thread = pl330_request_channel(pl330);
+ pch->thread = pl330_request_channel(pl330, pch);
if (!pch->thread) {
spin_unlock_irqrestore(&pch->lock, flags);
return -ENOMEM;
--
1.9.1

From 2cd6bf6748f28008a1650dca57a8f14b27283803 Mon Sep 17 00:00:00 2001
From: Jassi Brar <jaswinder.singh@xxxxxxxxxx>
Date: Tue, 31 Mar 2015 10:21:14 +0530
Subject: [PATCH 2/2] dma: pl330: fix race between trigger and completion

We need to hold the lock on channel in ISR to prevent it
racing against the trigger call on the channel.

Reported-by: Scott Branden <sbranden@xxxxxxxxxxxx>
Signed-off-by: Jassi Brar <jaswinder.singh@xxxxxxxxxx>
---
drivers/dma/pl330.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
index d1f777e..ce40677 100644
--- a/drivers/dma/pl330.c
+++ b/drivers/dma/pl330.c
@@ -1573,6 +1573,7 @@ static int pl330_update(struct pl330_dmac *pl330)
if (val & (1 << ev)) { /* Event occurred */
struct pl330_thread *thrd;
u32 inten = readl(regs + INTEN);
+ unsigned long flag;
int active;

/* Clear the event */
@@ -1584,10 +1585,13 @@ static int pl330_update(struct pl330_dmac *pl330)
id = pl330->events[ev];

thrd = &pl330->channels[id];
+ spin_lock_irqsave(&thrd->pch->lock, flag);

active = thrd->req_running;
- if (active == -1) /* Aborted */
+ if (active == -1) { /* Aborted */
+ spin_unlock_irqrestore(&thrd->pch->lock, flag);
continue;
+ }

/* Detach the req */
descdone = thrd->req[active].desc;
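Review bot: `spin_lock_irqsave(&thrd->pch->lock, flag);` dereferences `thrd->pch` with no NULL check, while patch 1/2 sets `thrd->pch = NULL` in `pl330_release_channel()` and for the manager thread, so an event that resolves to a thread without an owner would fault in the interrupt path. Check `thrd->pch` before taking the lock and skip the event when it is NULL. The new local is also named `flag`, where the other visible functions in this file use `flags`.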
@@ -1600,6 +1604,7 @@ static int pl330_update(struct pl330_dmac *pl330)

/* For now, just make a list of callbacks to be done */
list_add_tail(&descdone->rqd, &pl330->req_done);
+ spin_unlock_irqrestore(&thrd->pch->lock, flag);
}
}

--
1.9.1
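
The interleaving described in the report and the two fixes discussed in this thread, as an added single-threaded model (not driver code and not from any participant). `struct model`, `irq_handler` and `run_trigger` are made-up names, and the channel lock is modelled as simply deferring the handler until unlock:

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not driver code: one thread, one request slot. */
enum order { GO_THEN_STORE, STORE_THEN_GO };
struct model {
    int req_running;  /* -1: no request marked running */
    bool irq_pending; /* event raised by the modelled GO */
    bool locked;      /* channel lock held by the trigger path */
    int completed;    /* events matched to a running request */
    int dropped;      /* events seen with req_running == -1 */
};

/* Modelled completion handler; when locking is in use it cannot
 * enter the critical section until the trigger path unlocks. */
static void irq_handler(struct model *m)
{
    if (!m->irq_pending || m->locked)
        return;
    m->irq_pending = false;
    if (m->req_running == -1) {
        m->dropped++;
        return;
    }
    m->completed++;
    m->req_running = -1;
}

/* Worst case from the report: the event arrives right after GO. */
static struct model run_trigger(enum order o, bool use_lock)
{
    struct model m = { .req_running = -1 };
    m.locked = use_lock;
    if (o == STORE_THEN_GO)
        m.req_running = 0;
    m.irq_pending = true;   /* GO issued */
    irq_handler(&m);        /* interrupt before the next statement */
    if (o == GO_THEN_STORE)
        m.req_running = 0;
    m.locked = false;
    irq_handler(&m);        /* deferred handler runs after unlock */
    return m;
}

int main(void)
{
    printf("dropped=%d\n", run_trigger(GO_THEN_STORE, false).dropped);
    return 0;
}
```

In the unlocked GO-then-store case the model also ends with `req_running` still set and no completion recorded, which is the broken transaction the report describes.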