dmaengine Archive on lore.kernel.org
 help / color / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Alexander Gordeev <a.gordeev.box@gmail.com>
Cc: linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org,
	Michael Chen <micchen@altera.com>,
	dmaengine@vger.kernel.org
Subject: Re: [PATCH v2 1/2] dmaengine: avalon: Intel Avalon-MM DMA Interface for PCIe
Date: Thu, 10 Oct 2019 14:30:34 +0300
Message-ID: <20191010113034.GN13286@kadam> (raw)
In-Reply-To: <20191010085144.GA14197@AlexGordeev-DPT-VI0092>

On Thu, Oct 10, 2019 at 10:51:45AM +0200, Alexander Gordeev wrote:
> On Wed, Oct 09, 2019 at 09:53:23PM +0300, Dan Carpenter wrote:
> > > > > +	u32 *rd_flags = hw->dma_desc_table_rd.cpu_addr->flags;
> > > > > +	u32 *wr_flags = hw->dma_desc_table_wr.cpu_addr->flags;
> > > > > +	struct avalon_dma_desc *desc;
> > > > > +	struct virt_dma_desc *vdesc;
> > > > > +	bool rd_done;
> > > > > +	bool wr_done;
> > > > > +
> > > > > +	spin_lock(lock);
> > > > > +
> > > > > +	rd_done = (hw->h2d_last_id < 0);
> > > > > +	wr_done = (hw->d2h_last_id < 0);
> > > > > +
> > > > > +	if (rd_done && wr_done) {
> > > > > +		spin_unlock(lock);
> > > > > +		return IRQ_NONE;
> > > > > +	}
> > > > > +
> > > > > +	do {
> > > > > +		if (!rd_done && rd_flags[hw->h2d_last_id])
> > > > > +			rd_done = true;
> > > > > +
> > > > > +		if (!wr_done && wr_flags[hw->d2h_last_id])
> > > > > +			wr_done = true;
> > > > > +	} while (!rd_done || !wr_done);
> > > > 
> > > > This loop is very strange.  It feels like the last_id indexes needs
> > > > to atomic or protected from racing somehow so we don't do an out of
> > > > bounds read.
> 
> [...]
> 
> > You're missing my point.  When we set
> > hw->d2h_last_id = 1;
> [1]
> > ...
> > hw->d2h_last_id = 2;
> [2]
> 
> > There is a tiny moment where ->d2h_last_id is transitioning from 1 to 2
> > where its value is unknown.  We're in a busy loop here so we have a
> > decent chance of hitting that 1/1000,000th of a second.  If we happen to
> > hit it at exactly the right time then we're reading from a random
> > address and it will cause an oops.
> > 
> > We have to use atomic_t types or something to handle race conditions.
> 
> Err.. I am still missing the point :( In your example I do see a chance
> for a reader to read out 1 at point in time [2] - because of SMP race.
> But what could it be other than 1 or 2?
> 

The 1 to 2 transition was a poorly chosen example, but a -1 to 1
trasition is better.  The cpu could write a byte at a time.  So maybe
it only wrote the two highest bytes so now it's 0xffff.  It's not -1 and
it's not 1 and it's not a valid index.

> Anyways, all code paths dealing with h2d_last_id and d2h_last_id indexes
> are protected with a spinlock.

You have to protect both the writer and the reader.  (That's why this
bug is so easy to spot).  https://lwn.net/Articles/793253/

regards,
dan carpenter


  reply index

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-09 10:12 [PATCH v2 0/2] dmaengine: avalon: Support " Alexander Gordeev
2019-10-09 10:12 ` [PATCH v2 1/2] dmaengine: avalon: Intel " Alexander Gordeev
2019-10-09 12:14   ` Dan Carpenter
2019-10-09 14:58     ` Alexander Gordeev
2019-10-09 18:53       ` Dan Carpenter
2019-10-10  8:51         ` Alexander Gordeev
2019-10-10 11:30           ` Dan Carpenter [this message]
2019-10-15 11:24             ` Alexander Gordeev
2019-10-15 11:41               ` Dan Carpenter
2019-10-15 12:27                 ` Alexander Gordeev
2019-10-15 13:19               ` Dan Carpenter
2019-10-15 14:31                 ` Alexander Gordeev
2019-10-15 14:47                   ` Dan Carpenter
2019-10-09 13:07   ` Greg KH
2019-10-15 10:33   ` Vinod Koul
2019-10-15 13:11     ` Alexander Gordeev
2019-10-09 10:12 ` [PATCH RFC v2 2/2] dmaengine: avalon: Intel Avalon-MM DMA Interface for PCIe test Alexander Gordeev
2019-10-09 13:08   ` Greg KH
2019-10-09 13:46   ` Dan Carpenter

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191010113034.GN13286@kadam \
    --to=dan.carpenter@oracle.com \
    --cc=a.gordeev.box@gmail.com \
    --cc=devel@driverdev.osuosl.org \
    --cc=dmaengine@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=micchen@altera.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

dmaengine Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/dmaengine/0 dmaengine/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dmaengine dmaengine/ https://lore.kernel.org/dmaengine \
		dmaengine@vger.kernel.org dmaengine@archiver.kernel.org
	public-inbox-index dmaengine

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.dmaengine


AGPL code for this site: git clone https://public-inbox.org/ public-inbox