From: Hemant Kumar <hemantk@codeaurora.org>
To: Loic Poulain <loic.poulain@linaro.org>,
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>,
Bhaumik Bhatt <bbhatt@codeaurora.org>
Cc: "linux-arm-msm@vger.kernel.org" <linux-arm-msm@vger.kernel.org>,
Paul Davey <Paul.Davey@alliedtelesis.co.nz>
Subject: Re: bus: mhi: parse_xfer_event running transfer completion callbacks more than once for a given buffer
Date: Fri, 13 Aug 2021 16:10:58 -0700 [thread overview]
Message-ID: <9ad7faea-544a-a070-cc00-9a24f237f4c1@codeaurora.org> (raw)
In-Reply-To: <544b3db2-b135-d870-8dd8-ec4450576cb7@codeaurora.org>
One more thing to add
On 8/13/2021 3:55 PM, Hemant Kumar wrote:
> Hi Paul,
>
> On 8/6/2021 2:43 AM, Loic Poulain wrote:
>> + MHI people
>>
>> On Fri, 6 Aug 2021 at 06:20, Paul Davey
>> <Paul.Davey@alliedtelesis.co.nz> wrote:
>>>
>>> Hi linux-arm-msm list,
>>>
>>> We have been using the mhi driver with a Sierra EM9191 5G modem module
>>> and have seen an occasional issue where the kernel would crash with
>>> messages showing "BUG: Bad page state" which we debugged further and
>>> found it was due to mhi_net_ul_callback freeing the same skb multiple
>>> times, further debugging tracked this down to a case where
>>> parse_xfer_event computed a dev_rp from the passed event's ev_tre
>>> which does not lie within the region of valid "in flight" transfers
>>> for the tre_ring. See the patch below for how this was detected.
>>>
>>> I believe that receiving such an event results in the loop which runs
>>> completion events for the transfers to re-run some completion
>>> callbacks as it walks all the way around the ring again to reach the
>>> invalid dev_rp position.
> Do you have a log which prints the TRE being processed? Basically i am
> trying understand this : by the time you get double free issue, is there
> any pattern with respect to the TRE that is being processed. For example
> when host processed the given TRE for the first time with RP1, stale TRE
> was posted by Event RP2 right after RP1
>
> ->RP1 [TRE1]
> ->RP2 [TRE1]
>
> or occurrence of stale TRE event is random?
If you can log all the events you are processing, so that we can check
when second event arrives for already processed TRE, is the transfer
length same as originally processed TRE or it is different. In case it
is different length, is the length matching to the TRE which was queue
but not processed yet. You can print the mhi_queue_skb TRE content while
queuing skb. How easy to reproduce this issue ? Is this showing up in
high throughput use case or it is random? any specific step to reproduce
this issue?
Thanks,
Hemant
--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora
Forum, a Linux Foundation Collaborative Project
next prev parent reply other threads:[~2021-08-13 23:11 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-06 4:20 bus: mhi: parse_xfer_event running transfer completion callbacks more than once for a given buffer Paul Davey
2021-08-06 9:43 ` Loic Poulain
2021-08-13 22:55 ` Hemant Kumar
2021-08-13 23:10 ` Hemant Kumar [this message]
2021-08-16 13:48 ` Jeffrey Hugo
2021-08-15 23:30 ` Paul Davey
2021-08-23 6:47 ` Paul Davey
2021-08-26 15:54 ` Jeffrey Hugo
2021-08-27 4:51 ` Paul Davey
2021-09-01 5:17 ` Paul Davey
2021-09-02 21:49 ` Hemant Kumar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9ad7faea-544a-a070-cc00-9a24f237f4c1@codeaurora.org \
--to=hemantk@codeaurora.org \
--cc=Paul.Davey@alliedtelesis.co.nz \
--cc=bbhatt@codeaurora.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=loic.poulain@linaro.org \
--cc=manivannan.sadhasivam@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox