Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / kernel / msm / b3a45d33b3b46853f3edcd5aea4bf56d7e97ec2e^! / .
commitb3a45d33b3b46853f3edcd5aea4bf56d7e97ec2e[log] [tgz]
authorEric Holmberg <eholmber@codeaurora.org>Tue Apr 24 17:26:05 2012 -0600
committerEric Holmberg <eholmber@codeaurora.org>Wed Apr 25 12:14:34 2012 -0600
tree96e358d68db20711f36ab402bf9d2f5b21f73e1c
parent52e66c3a6c8757a61b0b2199d13eabbfb6553db0 [diff]
msm: rmnet_sdio: Handle Network TX Queue Race Condition

The netif TX queue is started and stopped based upon the watermark state
maintained by SDIO DMUX.  The queue is checked after TX-enqueue
operations to disable the queue if the high watermark is hit and after
TX-dequeue operations to enable the queue if the low watermark is hit.

Without locking, this opens a race condition where the TX-dequeue check
and the call to stop the queue can happen after the write-done
completion has occurred which would restart the queue.  This results in
the queue being stopped indefinitely which results in a permanent data
stall.

CRs-Fixed: 354334
Change-Id: Id4d96c9216e921bf3179175bd1b1cfd39403a3d2
Signed-off-by: Eric Holmberg <eholmber@codeaurora.org>

diff --git a/drivers/net/msm_rmnet_sdio.c b/drivers/net/msm_rmnet_sdio.c
index 883c649..acdffd1 100644
--- a/drivers/net/msm_rmnet_sdio.c
+++ b/drivers/net/msm_rmnet_sdio.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2010-2011, Code Aurora Forum. All rights reserved.
+/* Copyright (c) 2010-2012, Code Aurora Forum. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -78,6 +78,7 @@
 #endif
 	struct sk_buff *skb;
 	spinlock_t lock;
+	spinlock_t tx_queue_lock;
 	struct tasklet_struct tsklt;
 	u32 operation_mode; /* IOCTL specified mode (protocol, QoS header) */
 	uint8_t device_up;
@@ -361,6 +362,7 @@
 static void sdio_write_done(void *dev, struct sk_buff *skb)
 {
 	struct rmnet_private *p = netdev_priv(dev);
+	unsigned long flags;
 
 	if (skb)
 		dev_kfree_skb_any(skb);
@@ -368,12 +370,14 @@
 	if (!p->in_reset) {
 		DBG1("%s: write complete skb=%p\n",	__func__, skb);
 
+		spin_lock_irqsave(&p->tx_queue_lock, flags);
 		if (netif_queue_stopped(dev) &&
 				msm_sdio_dmux_is_ch_low(p->ch_id)) {
 			DBG0("%s: Low WM hit, waking queue=%p\n",
 					__func__, skb);
 			netif_wake_queue(dev);
 		}
+		spin_unlock_irqrestore(&p->tx_queue_lock, flags);
 	} else {
 		DBG1("%s: write in reset skb=%p\n",	__func__, skb);
 	}
@@ -454,6 +458,7 @@
 static int rmnet_xmit(struct sk_buff *skb, struct net_device *dev)
 {
 	struct rmnet_private *p = netdev_priv(dev);
+	unsigned long flags;
 
 	if (netif_queue_stopped(dev)) {
 		pr_err("[%s]fatal: rmnet_xmit called when "
@@ -463,10 +468,12 @@
 
 	_rmnet_xmit(skb, dev);
 
+	spin_lock_irqsave(&p->tx_queue_lock, flags);
 	if (msm_sdio_dmux_is_ch_full(p->ch_id)) {
 		netif_stop_queue(dev);
 		DBG0("%s: High WM hit, stopping queue=%p\n",	__func__, skb);
 	}
+	spin_unlock_irqrestore(&p->tx_queue_lock, flags);
 
 	return 0;
 }
@@ -667,6 +674,7 @@
 		p->operation_mode = RMNET_MODE_LLP_ETH;
 		p->ch_id = n;
 		spin_lock_init(&p->lock);
+		spin_lock_init(&p->tx_queue_lock);
 #ifdef CONFIG_MSM_RMNET_DEBUG
 		p->timeout_us = timeout_us;
 		p->wakeups_xmit = p->wakeups_rcv = 0;