Re: [PATCH 5.4 160/344] dmaengine: imx-sdma: Fix memory leak

[Andreas Tobler]

Hi all,

On 21.02.20 08:39, Greg Kroah-Hartman wrote:
> From: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
> 
> [ Upstream commit 02939cd167095f16328a1bd5cab5a90b550606df ]
> 
> The current descriptor is not on any list of the virtual DMA channel.
> Once sdma_terminate_all() is called when a descriptor is currently
> in flight then this one is forgotten to be freed. We have to call
> vchan_terminate_vdesc() on this descriptor to re-add it to the lists.
> Now that we also free the currently running descriptor we can (and
> actually have to) remove the current descriptor from its list also
> for the cyclic case.
> 
> Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
> Reviewed-by: Robin Gong <yibin.gong@xxxxxxx>
> Tested-by: Robin Gong <yibin.gong@xxxxxxx>
> Link: https://lore.kernel.org/r/20191216105328.15198-10-s.hauer@xxxxxxxxxxxxxx
> Signed-off-by: Vinod Koul <vkoul@xxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> ---
>   drivers/dma/imx-sdma.c | 19 +++++++++++--------
>   1 file changed, 11 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
> index c27e206a764c3..66f1b2ac5cde4 100644
> --- a/drivers/dma/imx-sdma.c
> +++ b/drivers/dma/imx-sdma.c
> @@ -760,12 +760,8 @@ static void sdma_start_desc(struct sdma_channel *sdmac)
>   		return;
>   	}
>   	sdmac->desc = desc = to_sdma_desc(&vd->tx);
> -	/*
> -	 * Do not delete the node in desc_issued list in cyclic mode, otherwise
> -	 * the desc allocated will never be freed in vchan_dma_desc_free_list
> -	 */
> -	if (!(sdmac->flags & IMX_DMA_SG_LOOP))
> -		list_del(&vd->node);
> +
> +	list_del(&vd->node);
>   
>   	sdma->channel_control[channel].base_bd_ptr = desc->bd_phys;
>   	sdma->channel_control[channel].current_bd_ptr = desc->bd_phys;
> @@ -1071,7 +1067,6 @@ static void sdma_channel_terminate_work(struct work_struct *work)
>   
>   	spin_lock_irqsave(&sdmac->vc.lock, flags);
>   	vchan_get_all_descriptors(&sdmac->vc, &head);
> -	sdmac->desc = NULL;
>   	spin_unlock_irqrestore(&sdmac->vc.lock, flags);
>   	vchan_dma_desc_free_list(&sdmac->vc, &head);
>   	sdmac->context_loaded = false;
> @@ -1080,11 +1075,19 @@ static void sdma_channel_terminate_work(struct work_struct *work)
>   static int sdma_disable_channel_async(struct dma_chan *chan)
>   {
>   	struct sdma_channel *sdmac = to_sdma_chan(chan);
> +	unsigned long flags;
> +
> +	spin_lock_irqsave(&sdmac->vc.lock, flags);
>   
>   	sdma_disable_channel(chan);
>   
> -	if (sdmac->desc)
> +	if (sdmac->desc) {
> +		vchan_terminate_vdesc(&sdmac->desc->vd);
> +		sdmac->desc = NULL;
>   		schedule_work(&sdmac->terminate_worker);
> +	}
> +
> +	spin_unlock_irqrestore(&sdmac->vc.lock, flags);
>   
>   	return 0;
>   }
> 

This patch breaks our imx6 board with the attached trace.  Reverting the 
patch makes it boot again.
I tried also 5.6-rc3 and it booted too. A closer look into imx-sdma.c 
from 5.6-rc3 showed me some details which might have to be backported as 
well to make this patch work.
I tried a1ff6a07f5a3951fcac84f064a76d1ad79c10e40 and was somehow 
successful. I still have one trace but the board boots now.

Any insights from the experts?
TIA,
Andreas





klog: ------------[ cut here ]------------
klog: WARNING: CPU: 0 PID: 307 at kernel/dma/mapping.c:335 dma_free_attrs+0xc4/0xc8
klog: Modules linked in: nf_defrag_ipv4
klog: CPU: 0 PID: 307 Comm: gina Not tainted 5.4.22 #4
klog: Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
klog: [<c0110328>] (unwind_backtrace) from [<c010b7ec>] (show_stack+0x10/0x14)
klog: [<c010b7ec>] (show_stack) from [<c08dd7f8>] (dump_stack+0x90/0xa4)
klog: [<c08dd7f8>] (dump_stack) from [<c012bea0>] (__warn+0xbc/0xd8)
klog: [<c012bea0>] (__warn) from [<c012bf20>] (warn_slowpath_fmt+0x64/0xc4)
klog: [<c012bf20>] (warn_slowpath_fmt) from [<c0181a68>] (dma_free_attrs+0xc4/0xc8)
klog: [<c0181a68>] (dma_free_attrs) from [<c04631c8>] (sdma_free_bd+0x30/0x38)
klog: [<c04631c8>] (sdma_free_bd) from [<c04631dc>] (sdma_desc_free+0xc/0x18)
klog: [<c04631dc>] (sdma_desc_free) from [<c0464f70>] (sdma_channel_synchronize+0x48/0x88)
klog: [<c0464f70>] (sdma_channel_synchronize) from [<c0495fac>] (imx_uart_shutdown+0x16c/0x2a8)
klog: [<c0495fac>] (imx_uart_shutdown) from [<c04857b8>] (uart_port_shutdown+0x34/0x40)
klog: [<c04857b8>] (uart_port_shutdown) from [<c0485814>] (uart_tty_port_shutdown+0x50/0xb8)
klog: [<c0485814>] (uart_tty_port_shutdown) from [<c048144c>] (tty_port_shutdown+0x90/0x9c)
klog: [<c048144c>] (tty_port_shutdown) from [<c0481c2c>] (tty_port_close+0x3c/0x74)
klog: [<c0481c2c>] (tty_port_close) from [<c0478458>] (tty_release+0xf0/0x48c)
klog: [<c0478458>] (tty_release) from [<c02425ec>] (__fput+0x88/0x218)
klog: [<c02425ec>] (__fput) from [<c0147798>] (task_work_run+0xa4/0xc4)
klog: [<c0147798>] (task_work_run) from [<c010b310>] (do_work_pending+0x550/0x55c)
klog: [<c010b310>] (do_work_pending) from [<c010106c>] (slow_work_pending+0xc/0x20)
klog: Exception stack(0xee723fb0 to 0xee723ff8)
klog: 3fa0:                                     00000000 00005402 bea6ab64 00000000
klog: 3fc0: 00000000 b6f124d0 bea6aba4 00000006 0000000d 00000001 00084ff8 00000000
klog: 3fe0: 0004822c bea6ab88 00034780 b6d08c34 600b0010 00000006
klog: ---[ end trace 86fea4e74a267f57 ]---