* omap_hsmmc: race between omap_hsmmc_start_command() and DMA callback
@ 2013-07-18 16:06 Daniel Mack
2013-07-18 16:30 ` Balaji T K
0 siblings, 1 reply; 2+ messages in thread
From: Daniel Mack @ 2013-07-18 16:06 UTC (permalink / raw)
To: Balaji T K; +Cc: Linux MMC List, linux-omap@vger.kernel.org, Adrian Hunter
Hi,

I'm facing a NULL pointer dereference in omap_hsmmc_start_command() on
an AM33xx board running 3.11-rc1 (DMA enabled).

A quick debug session showed that DMA engine timing leads to a very
reproducible race condition. In omap_hsmmc_request(), we have:

  host->mrq = req;
  omap_hsmmc_prepare_data()
    omap_hsmmc_start_dma_transfer()
      tx->callback = omap_hsmmc_dma_callback;

  [*]

  omap_hsmmc_start_command()
    if (cmd == host->mrq->stop) [<-- oops]
      ...

It turns out that omap_hsmmc_dma_callback() (which sets host->mrq =
NULL) is entered just after the DMA submission, and *before*
omap_hsmmc_start_command() is called, consequently leading to an Oops.

I can debug this in more depth, but maybe someone has an idea already?

Thanks,
Daniel
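The ordering described in the message above, as an added C model that is not part of the original thread and is not omap_hsmmc driver code. All names are hypothetical; `early` stands in for the DMA callback running before the submitter reaches the command step, and the guarded variant arms a count of outstanding events before submission so an early callback cannot clear the request.

```c
#include <stddef.h>
/* Simplified model with hypothetical names; not omap_hsmmc driver code. */
struct request { int opcode; };
struct host {
    struct request *mrq; /* current request, cleared on completion */
    int pending;         /* completion events still outstanding */
};

/* Racy DMA callback: finishes the request as soon as DMA is done. */
static void dma_done_racy(struct host *h) { h->mrq = NULL; }

/* Guarded completion: only the last outstanding event finishes it. */
static void event_done(struct host *h)
{
    if (h->mrq && --h->pending == 0)
        h->mrq = NULL;
}

/* Stand-in for DMA submission; early != 0 runs the callback at once. */
static void dma_submit(struct host *h, void (*cb)(struct host *), int early)
{
    if (early)
        cb(h);
}

/* Returns the opcode issued, or -1 where the real code would oops. */
static int start_command(struct host *h)
{
    return h->mrq ? h->mrq->opcode : -1;
}

int request_racy(int early)
{
    struct request req = { 18 };       /* constructed sample request */
    struct host h = { &req, 0 };
    dma_submit(&h, dma_done_racy, early);
    return start_command(&h);          /* mrq may already be NULL */
}

int request_guarded(int early)
{
    struct request req = { 18 };       /* constructed sample request */
    struct host h = { &req, 2 };       /* command + DMA armed before submit */
    dma_submit(&h, event_done, early);
    int issued = start_command(&h);
    event_done(&h);                    /* command-complete event */
    if (!early)
        event_done(&h);                /* DMA completes after the command */
    return h.mrq == NULL ? issued : -2; /* request must end completed */
}
```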
* Re: omap_hsmmc: race between omap_hsmmc_start_command() and DMA callback
From: Balaji T K @ 2013-07-18 16:30 UTC (permalink / raw)
To: Daniel Mack
Cc: Linux MMC List, linux-omap@vger.kernel.org, Adrian Hunter,
Mark Jackson, Joel Fernandes
On Thursday 18 July 2013 09:36 PM, Daniel Mack wrote:
> Hi,
>
> I'm facing a NULL pointer dereference in omap_hsmmc_start_command() on
> an AM33xx board running 3.11-rc1 (DMA enabled).
>
> A quick debug session showed that DMA engine timing leads to a very
> reproducible race condition. In omap_hsmmc_request(), we have:
>
>   host->mrq = req;
>   omap_hsmmc_prepare_data()
>     omap_hsmmc_start_dma_transfer()
>       tx->callback = omap_hsmmc_dma_callback;
>
>   [*]
>
>   omap_hsmmc_start_command()
>     if (cmd == host->mrq->stop) [<-- oops]
>       ...
>
> It turns out that omap_hsmmc_dma_callback() (which sets host->mrq =
> NULL) is entered just after the DMA submission, and *before*
> omap_hsmmc_start_command() is called, consequently leading to an Oops.
>
> I can debug this in more depth, but maybe someone has an idea already?
>

Can you check with this hack patch, in addition to the other dependent patches
for adding edma nodes to dt [1] and slave sg limit [2]?

diff --git a/arch/arm/common/edma.c b/arch/arm/common/edma.c
index a432e6c..5a19164 100644
--- a/arch/arm/common/edma.c
+++ b/arch/arm/common/edma.c
@@ -1262,8 +1262,8 @@ int edma_start(unsigned channel)
if (test_bit(channel, edma_cc[ctlr]->edma_unused)) {
pr_debug("EDMA: ESR%d %08x\n", j,
edma_shadow0_read_array(ctlr, SH_ESR, j));
- edma_shadow0_write_array(ctlr, SH_ESR, j, mask);
- return 0;
+// edma_shadow0_write_array(ctlr, SH_ESR, j, mask);
+// return 0;
}
/* EDMA channel with event association */
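
Review bot: in the `test_bit(channel, edma_cc[ctlr]->edma_unused)` branch of edma_start(), commenting out both `edma_shadow0_write_array(ctlr, SH_ESR, j, mask);` and `return 0;` leaves a branch that only calls pr_debug() and then falls through into the "EDMA channel with event association" path, so a channel flagged unused is no longer started by the ESR write and is handled like an event-associated channel instead. That is workable as a diagnostic, but the behaviour change should be spelled out in a comment or in the patch description, and for anything beyond a test hack the two lines should be deleted rather than disabled with `//` comments, with the test_bit() condition reworked or dropped instead of leaving a debug-only branch behind.
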
--
[1] https://lkml.org/lkml/2013/6/18/49
[2] https://patchwork.kernel.org/patch/2228041/
>
> Thanks,
> Daniel
>