From: Greg KH <gregkh@linuxfoundation.org>
To: zhiyong tao <zhiyong.tao@mediatek.com>
Cc: timur@kernel.org, linux@armlinux.org.uk, alcooperx@gmail.com,
tklauser@distanz.ch, sean.wang@kernel.org,
srv_heupstream@mediatek.com, hui.liu@mediatek.com,
yuchen.huang@mediatek.com, huihui.wang@mediatek.com,
eddie.huang@mediatek.com, sean.wang@mediatek.com,
devicetree@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org, linux-serial@vger.kernel.org
Subject: Re: [PATCH] uart: mediatek: fix memory corruption issue
Date: Thu, 22 Jul 2021 12:12:30 +0200 [thread overview]
Message-ID: <YPlEjlKn5Hav/GNH@kroah.com> (raw)
In-Reply-To: <1626948212.29611.47.camel@mhfsdcap03>
On Thu, Jul 22, 2021 at 06:03:32PM +0800, zhiyong tao wrote:
> On Wed, 2021-07-21 at 12:46 +0200, Greg KH wrote:
> > On Sat, Jul 10, 2021 at 05:01:03PM +0800, Zhiyong Tao wrote:
> > > This patch is used to fix memory corruption issue when rx power off.
> > > 1. add spin lock in mtk8250_dma_rx_complete function in APDMA mode.
> >
> > What does a lock protect from? Please be explicit and detailed.
>
> ==> Hi Gregkh,
>
> when uart is used as a communication port with external device(GPS).
> when external device(GPS) power off, the power of rx pin is also from
> 1.8v to 0v. Even if there is not any data in rx. But uart rx pin can
> capture the data "0".
That sounds like a broken hardware design.
> If uart don't receive any data in specified cycle, uart will generates
> BI(Break interrupt) interrupt.
> If external device(GPS) power off, we found that BI interrupt appeared
> continuously and very frequently.
> When uart interrupt type is BI, uart IRQ handler(8250 framwork
> API:serial8250_handle_irq) will push data to tty buffer.
> The code path:
> https://elixir.bootlin.com/linux/latest/source/drivers/tty/serial/8250/8250_port.c#L1917
>
> mtk8250_dma_rx_complete is a task of mtk_uart_apdma_rx_handler.
> mtk8250_dma_rx_complete priority is lower than uart irq
> handler(serial8250_handle_irq).
> if we are in process of mtk8250_dma_rx_complete, uart appear BI
> interrupt:1)serial8250_handle_irq will priority execution.2)it may cause
> write tty buffer conflict in mtk8250_dma_rx_complete.
> So the spin lock protect the rx receive data process is not break.
Then put something like this in the changelog text, as it is, it is not
descriptive at all.
> > > 2. add processing mechanism which count value is 0
> >
> > What does this do? And why is it needed?
>
> ==> when count value is 0, we don't need push data to tty buffer.
> so we add it.
But that does not actually do anything different from what it does
today. And it has nothing to do with the lock, so this should be 2
different patches, right?
> > > Signed-off-by: Zhiyong Tao <zhiyong.tao@mediatek.com>
> >
> > What commit does this fix? Does this need to go to stable kernel trees?
> > If so, how far back?
> >
> > > ---
> > > drivers/tty/serial/8250/8250_mtk.c | 15 +++++++++++----
> > > 1 file changed, 11 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/drivers/tty/serial/8250/8250_mtk.c b/drivers/tty/serial/8250/8250_mtk.c
> > > index f7d3023f860f..09f7d2166315 100644
> > > --- a/drivers/tty/serial/8250/8250_mtk.c
> > > +++ b/drivers/tty/serial/8250/8250_mtk.c
> > > @@ -91,12 +91,15 @@ static void mtk8250_dma_rx_complete(void *param)
> > > struct mtk8250_data *data = up->port.private_data;
> > > struct tty_port *tty_port = &up->port.state->port;
> > > struct dma_tx_state state;
> > > - int copied, total, cnt;
> > > + unsigned int copied, total, cnt;
> > > unsigned char *ptr;
> > > + unsigned long flags;
> > >
> > > if (data->rx_status == DMA_RX_SHUTDOWN)
> > > return;
> > >
> > > + spin_lock_irqsave(&up->port.lock, flags);
> > > +
> > > dmaengine_tx_status(dma->rxchan, dma->rx_cookie, &state);
> > > total = dma->rx_size - state.residue;
> > > cnt = total;
> > > @@ -104,9 +107,11 @@ static void mtk8250_dma_rx_complete(void *param)
> > > if ((data->rx_pos + cnt) > dma->rx_size)
> > > cnt = dma->rx_size - data->rx_pos;
> > >
> > > - ptr = (unsigned char *)(data->rx_pos + dma->rx_buf);
> > > - copied = tty_insert_flip_string(tty_port, ptr, cnt);
> > > - data->rx_pos += cnt;
> > > + if (cnt != 0) {
> >
> > Why does cnt matter here? If cnt is 0, the code above should not do
> > anything at all, right?
>
> ==> yes, if the counter value is 0, we don't need push data to the tty
> buffer.
But this does not change the logic as if cnt is 0, nothing gets pushed
with the current code either, right?
> > Or if it does, should we change tty_insert_flip_string() to always check
> > for cnt != 0 before it does the first loop? Hm, it looks like it will
> > abort if cnt is 0, so what is this change really doing? Why do you need
> > it? What is it "fixing"?
> >
> ==> It is not fix anything, we just think if count value is 0, we don't
> need do anything.
Then make it a separate patch, independant from the lock patch, and we
can discuss it there. Do NOT have patches do multiple things.
thanks,
greg k-h
_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek
WARNING: multiple messages have this Message-ID (diff)
From: Greg KH <gregkh@linuxfoundation.org>
To: zhiyong tao <zhiyong.tao@mediatek.com>
Cc: timur@kernel.org, linux@armlinux.org.uk, alcooperx@gmail.com,
tklauser@distanz.ch, sean.wang@kernel.org,
srv_heupstream@mediatek.com, hui.liu@mediatek.com,
yuchen.huang@mediatek.com, huihui.wang@mediatek.com,
eddie.huang@mediatek.com, sean.wang@mediatek.com,
devicetree@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org, linux-serial@vger.kernel.org
Subject: Re: [PATCH] uart: mediatek: fix memory corruption issue
Date: Thu, 22 Jul 2021 12:12:30 +0200 [thread overview]
Message-ID: <YPlEjlKn5Hav/GNH@kroah.com> (raw)
In-Reply-To: <1626948212.29611.47.camel@mhfsdcap03>
On Thu, Jul 22, 2021 at 06:03:32PM +0800, zhiyong tao wrote:
> On Wed, 2021-07-21 at 12:46 +0200, Greg KH wrote:
> > On Sat, Jul 10, 2021 at 05:01:03PM +0800, Zhiyong Tao wrote:
> > > This patch is used to fix memory corruption issue when rx power off.
> > > 1. add spin lock in mtk8250_dma_rx_complete function in APDMA mode.
> >
> > What does a lock protect from? Please be explicit and detailed.
>
> ==> Hi Gregkh,
>
> when uart is used as a communication port with external device(GPS).
> when external device(GPS) power off, the power of rx pin is also from
> 1.8v to 0v. Even if there is not any data in rx. But uart rx pin can
> capture the data "0".
That sounds like a broken hardware design.
> If uart don't receive any data in specified cycle, uart will generates
> BI(Break interrupt) interrupt.
> If external device(GPS) power off, we found that BI interrupt appeared
> continuously and very frequently.
> When uart interrupt type is BI, uart IRQ handler(8250 framwork
> API:serial8250_handle_irq) will push data to tty buffer.
> The code path:
> https://elixir.bootlin.com/linux/latest/source/drivers/tty/serial/8250/8250_port.c#L1917
>
> mtk8250_dma_rx_complete is a task of mtk_uart_apdma_rx_handler.
> mtk8250_dma_rx_complete priority is lower than uart irq
> handler(serial8250_handle_irq).
> if we are in process of mtk8250_dma_rx_complete, uart appear BI
> interrupt:1)serial8250_handle_irq will priority execution.2)it may cause
> write tty buffer conflict in mtk8250_dma_rx_complete.
> So the spin lock protect the rx receive data process is not break.
Then put something like this in the changelog text, as it is, it is not
descriptive at all.
> > > 2. add processing mechanism which count value is 0
> >
> > What does this do? And why is it needed?
>
> ==> when count value is 0, we don't need push data to tty buffer.
> so we add it.
But that does not actually do anything different from what it does
today. And it has nothing to do with the lock, so this should be 2
different patches, right?
> > > Signed-off-by: Zhiyong Tao <zhiyong.tao@mediatek.com>
> >
> > What commit does this fix? Does this need to go to stable kernel trees?
> > If so, how far back?
> >
> > > ---
> > > drivers/tty/serial/8250/8250_mtk.c | 15 +++++++++++----
> > > 1 file changed, 11 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/drivers/tty/serial/8250/8250_mtk.c b/drivers/tty/serial/8250/8250_mtk.c
> > > index f7d3023f860f..09f7d2166315 100644
> > > --- a/drivers/tty/serial/8250/8250_mtk.c
> > > +++ b/drivers/tty/serial/8250/8250_mtk.c
> > > @@ -91,12 +91,15 @@ static void mtk8250_dma_rx_complete(void *param)
> > > struct mtk8250_data *data = up->port.private_data;
> > > struct tty_port *tty_port = &up->port.state->port;
> > > struct dma_tx_state state;
> > > - int copied, total, cnt;
> > > + unsigned int copied, total, cnt;
> > > unsigned char *ptr;
> > > + unsigned long flags;
> > >
> > > if (data->rx_status == DMA_RX_SHUTDOWN)
> > > return;
> > >
> > > + spin_lock_irqsave(&up->port.lock, flags);
> > > +
> > > dmaengine_tx_status(dma->rxchan, dma->rx_cookie, &state);
> > > total = dma->rx_size - state.residue;
> > > cnt = total;
> > > @@ -104,9 +107,11 @@ static void mtk8250_dma_rx_complete(void *param)
> > > if ((data->rx_pos + cnt) > dma->rx_size)
> > > cnt = dma->rx_size - data->rx_pos;
> > >
> > > - ptr = (unsigned char *)(data->rx_pos + dma->rx_buf);
> > > - copied = tty_insert_flip_string(tty_port, ptr, cnt);
> > > - data->rx_pos += cnt;
> > > + if (cnt != 0) {
> >
> > Why does cnt matter here? If cnt is 0, the code above should not do
> > anything at all, right?
>
> ==> yes, if the counter value is 0, we don't need push data to the tty
> buffer.
But this does not change the logic as if cnt is 0, nothing gets pushed
with the current code either, right?
> > Or if it does, should we change tty_insert_flip_string() to always check
> > for cnt != 0 before it does the first loop? Hm, it looks like it will
> > abort if cnt is 0, so what is this change really doing? Why do you need
> > it? What is it "fixing"?
> >
> ==> It is not fix anything, we just think if count value is 0, we don't
> need do anything.
Then make it a separate patch, independant from the lock patch, and we
can discuss it there. Do NOT have patches do multiple things.
thanks,
greg k-h
WARNING: multiple messages have this Message-ID (diff)
From: Greg KH <gregkh@linuxfoundation.org>
To: zhiyong tao <zhiyong.tao@mediatek.com>
Cc: timur@kernel.org, linux@armlinux.org.uk, alcooperx@gmail.com,
tklauser@distanz.ch, sean.wang@kernel.org,
srv_heupstream@mediatek.com, hui.liu@mediatek.com,
yuchen.huang@mediatek.com, huihui.wang@mediatek.com,
eddie.huang@mediatek.com, sean.wang@mediatek.com,
devicetree@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org, linux-serial@vger.kernel.org
Subject: Re: [PATCH] uart: mediatek: fix memory corruption issue
Date: Thu, 22 Jul 2021 12:12:30 +0200 [thread overview]
Message-ID: <YPlEjlKn5Hav/GNH@kroah.com> (raw)
In-Reply-To: <1626948212.29611.47.camel@mhfsdcap03>
On Thu, Jul 22, 2021 at 06:03:32PM +0800, zhiyong tao wrote:
> On Wed, 2021-07-21 at 12:46 +0200, Greg KH wrote:
> > On Sat, Jul 10, 2021 at 05:01:03PM +0800, Zhiyong Tao wrote:
> > > This patch is used to fix memory corruption issue when rx power off.
> > > 1. add spin lock in mtk8250_dma_rx_complete function in APDMA mode.
> >
> > What does a lock protect from? Please be explicit and detailed.
>
> ==> Hi Gregkh,
>
> when uart is used as a communication port with external device(GPS).
> when external device(GPS) power off, the power of rx pin is also from
> 1.8v to 0v. Even if there is not any data in rx. But uart rx pin can
> capture the data "0".
That sounds like a broken hardware design.
> If uart don't receive any data in specified cycle, uart will generates
> BI(Break interrupt) interrupt.
> If external device(GPS) power off, we found that BI interrupt appeared
> continuously and very frequently.
> When uart interrupt type is BI, uart IRQ handler(8250 framwork
> API:serial8250_handle_irq) will push data to tty buffer.
> The code path:
> https://elixir.bootlin.com/linux/latest/source/drivers/tty/serial/8250/8250_port.c#L1917
>
> mtk8250_dma_rx_complete is a task of mtk_uart_apdma_rx_handler.
> mtk8250_dma_rx_complete priority is lower than uart irq
> handler(serial8250_handle_irq).
> if we are in process of mtk8250_dma_rx_complete, uart appear BI
> interrupt:1)serial8250_handle_irq will priority execution.2)it may cause
> write tty buffer conflict in mtk8250_dma_rx_complete.
> So the spin lock protect the rx receive data process is not break.
Then put something like this in the changelog text, as it is, it is not
descriptive at all.
> > > 2. add processing mechanism which count value is 0
> >
> > What does this do? And why is it needed?
>
> ==> when count value is 0, we don't need push data to tty buffer.
> so we add it.
But that does not actually do anything different from what it does
today. And it has nothing to do with the lock, so this should be 2
different patches, right?
> > > Signed-off-by: Zhiyong Tao <zhiyong.tao@mediatek.com>
> >
> > What commit does this fix? Does this need to go to stable kernel trees?
> > If so, how far back?
> >
> > > ---
> > > drivers/tty/serial/8250/8250_mtk.c | 15 +++++++++++----
> > > 1 file changed, 11 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/drivers/tty/serial/8250/8250_mtk.c b/drivers/tty/serial/8250/8250_mtk.c
> > > index f7d3023f860f..09f7d2166315 100644
> > > --- a/drivers/tty/serial/8250/8250_mtk.c
> > > +++ b/drivers/tty/serial/8250/8250_mtk.c
> > > @@ -91,12 +91,15 @@ static void mtk8250_dma_rx_complete(void *param)
> > > struct mtk8250_data *data = up->port.private_data;
> > > struct tty_port *tty_port = &up->port.state->port;
> > > struct dma_tx_state state;
> > > - int copied, total, cnt;
> > > + unsigned int copied, total, cnt;
> > > unsigned char *ptr;
> > > + unsigned long flags;
> > >
> > > if (data->rx_status == DMA_RX_SHUTDOWN)
> > > return;
> > >
> > > + spin_lock_irqsave(&up->port.lock, flags);
> > > +
> > > dmaengine_tx_status(dma->rxchan, dma->rx_cookie, &state);
> > > total = dma->rx_size - state.residue;
> > > cnt = total;
> > > @@ -104,9 +107,11 @@ static void mtk8250_dma_rx_complete(void *param)
> > > if ((data->rx_pos + cnt) > dma->rx_size)
> > > cnt = dma->rx_size - data->rx_pos;
> > >
> > > - ptr = (unsigned char *)(data->rx_pos + dma->rx_buf);
> > > - copied = tty_insert_flip_string(tty_port, ptr, cnt);
> > > - data->rx_pos += cnt;
> > > + if (cnt != 0) {
> >
> > Why does cnt matter here? If cnt is 0, the code above should not do
> > anything at all, right?
>
> ==> yes, if the counter value is 0, we don't need push data to the tty
> buffer.
But this does not change the logic as if cnt is 0, nothing gets pushed
with the current code either, right?
> > Or if it does, should we change tty_insert_flip_string() to always check
> > for cnt != 0 before it does the first loop? Hm, it looks like it will
> > abort if cnt is 0, so what is this change really doing? Why do you need
> > it? What is it "fixing"?
> >
> ==> It is not fix anything, we just think if count value is 0, we don't
> need do anything.
Then make it a separate patch, independant from the lock patch, and we
can discuss it there. Do NOT have patches do multiple things.
thanks,
greg k-h
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-07-22 10:16 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-10 9:01 [PATCH 0/1] Mediatek uart patch Zhiyong Tao
2021-07-10 9:01 ` Zhiyong Tao
2021-07-10 9:01 ` Zhiyong Tao
2021-07-10 9:01 ` [PATCH] uart: mediatek: fix memory corruption issue Zhiyong Tao
2021-07-10 9:01 ` Zhiyong Tao
2021-07-10 9:01 ` Zhiyong Tao
2021-07-21 10:46 ` Greg KH
2021-07-21 10:46 ` Greg KH
2021-07-21 10:46 ` Greg KH
2021-07-22 10:03 ` zhiyong tao
2021-07-22 10:03 ` zhiyong tao
2021-07-22 10:03 ` zhiyong tao
2021-07-22 10:12 ` Greg KH [this message]
2021-07-22 10:12 ` Greg KH
2021-07-22 10:12 ` Greg KH
2021-07-22 11:52 ` zhiyong tao
2021-07-22 11:52 ` zhiyong tao
2021-07-22 11:52 ` zhiyong tao
[not found] ` <CAHp75VeZL53VN0w3O160vMurmRT9ZJzJek6=4X6osqjJDuxD3g@mail.gmail.com>
2021-07-22 9:04 ` zhiyong tao
2021-07-22 9:04 ` zhiyong tao
2021-07-22 9:04 ` zhiyong tao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YPlEjlKn5Hav/GNH@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=alcooperx@gmail.com \
--cc=devicetree@vger.kernel.org \
--cc=eddie.huang@mediatek.com \
--cc=hui.liu@mediatek.com \
--cc=huihui.wang@mediatek.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-serial@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=sean.wang@kernel.org \
--cc=sean.wang@mediatek.com \
--cc=srv_heupstream@mediatek.com \
--cc=timur@kernel.org \
--cc=tklauser@distanz.ch \
--cc=yuchen.huang@mediatek.com \
--cc=zhiyong.tao@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.