From: Jeffrey Hugo <quic_jhugo@quicinc.com>
To: Hemant Kumar <hemantk@codeaurora.org>,
Loic Poulain <loic.poulain@linaro.org>,
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>,
Bhaumik Bhatt <bbhatt@codeaurora.org>
Cc: "linux-arm-msm@vger.kernel.org" <linux-arm-msm@vger.kernel.org>,
"Paul Davey" <Paul.Davey@alliedtelesis.co.nz>
Subject: Re: bus: mhi: parse_xfer_event running transfer completion callbacks more than once for a given buffer
Date: Mon, 16 Aug 2021 07:48:29 -0600 [thread overview]
Message-ID: <aee4fa28-76e8-8897-8abb-e6161c864577@quicinc.com> (raw)
In-Reply-To: <9ad7faea-544a-a070-cc00-9a24f237f4c1@codeaurora.org>
On 8/13/2021 5:10 PM, Hemant Kumar wrote:
> One more thing to add
>
> On 8/13/2021 3:55 PM, Hemant Kumar wrote:
>> Hi Paul,
>>
>> On 8/6/2021 2:43 AM, Loic Poulain wrote:
>>> + MHI people
>>>
>>> On Fri, 6 Aug 2021 at 06:20, Paul Davey
>>> <Paul.Davey@alliedtelesis.co.nz> wrote:
>>>>
>>>> Hi linux-arm-msm list,
>>>>
>>>> We have been using the mhi driver with a Sierra EM9191 5G modem module
>>>> and have seen an occasional issue where the kernel would crash with
>>>> messages showing "BUG: Bad page state" which we debugged further and
>>>> found it was due to mhi_net_ul_callback freeing the same skb multiple
>>>> times, further debugging tracked this down to a case where
>>>> parse_xfer_event computed a dev_rp from the passed event's ev_tre
>>>> which does not lie within the region of valid "in flight" transfers
>>>> for the tre_ring. See the patch below for how this was detected.
>>>>
>>>> I believe that receiving such an event results in the loop which runs
>>>> completion events for the transfers to re-run some completion
>>>> callbacks as it walks all the way around the ring again to reach the
>>>> invalid dev_rp position.
>> Do you have a log which prints the TRE being processed? Basically i am
>> trying understand this : by the time you get double free issue, is
>> there any pattern with respect to the TRE that is being processed. For
>> example
>> when host processed the given TRE for the first time with RP1, stale
>> TRE was posted by Event RP2 right after RP1
>>
>> ->RP1 [TRE1]
>> ->RP2 [TRE1]
>>
>> or occurrence of stale TRE event is random?
> If you can log all the events you are processing, so that we can check
> when second event arrives for already processed TRE, is the transfer
> length same as originally processed TRE or it is different. In case it
> is different length, is the length matching to the TRE which was queue
> but not processed yet. You can print the mhi_queue_skb TRE content while
> queuing skb. How easy to reproduce this issue ? Is this showing up in
> high throughput use case or it is random? any specific step to reproduce
> this issue?
I would wonder, what is the codebase being testing? Are the latest MHI
patches included? When we saw something similar on AIC100, it was
addressed by the sanity check changes I upstreamed.
next prev parent reply other threads:[~2021-08-16 13:48 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-06 4:20 bus: mhi: parse_xfer_event running transfer completion callbacks more than once for a given buffer Paul Davey
2021-08-06 9:43 ` Loic Poulain
2021-08-13 22:55 ` Hemant Kumar
2021-08-13 23:10 ` Hemant Kumar
2021-08-16 13:48 ` Jeffrey Hugo [this message]
2021-08-15 23:30 ` Paul Davey
2021-08-23 6:47 ` Paul Davey
2021-08-26 15:54 ` Jeffrey Hugo
2021-08-27 4:51 ` Paul Davey
2021-09-01 5:17 ` Paul Davey
2021-09-02 21:49 ` Hemant Kumar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aee4fa28-76e8-8897-8abb-e6161c864577@quicinc.com \
--to=quic_jhugo@quicinc.com \
--cc=Paul.Davey@alliedtelesis.co.nz \
--cc=bbhatt@codeaurora.org \
--cc=hemantk@codeaurora.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=loic.poulain@linaro.org \
--cc=manivannan.sadhasivam@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox