From patchwork Thu Aug 11 20:19:06 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Doug Anderson <dianders@chromium.org>
X-Patchwork-Id: 1058732
Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134])
	by demeter2.kernel.org (8.14.4/8.14.4) with ESMTP id p7BKKf4k010367
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Thu, 11 Aug 2011 20:21:03 GMT
Received: from canuck.infradead.org ([2001:4978:20e::1])
	by merlin.infradead.org with esmtps (Exim 4.76 #1 (Red Hat Linux))
	id 1Qrbjq-0006IX-KH; Thu, 11 Aug 2011 20:20:23 +0000
Received: from localhost ([127.0.0.1] helo=canuck.infradead.org)
	by canuck.infradead.org with esmtp (Exim 4.76 #1 (Red Hat Linux))
	id 1Qrbjq-00059I-3a; Thu, 11 Aug 2011 20:20:22 +0000
Received: from smtp-out.google.com ([74.125.121.67])
	by canuck.infradead.org with esmtps (Exim 4.76 #1 (Red Hat Linux))
	id 1Qrbjn-00058y-72 for linux-arm-kernel@lists.infradead.org;
	Thu, 11 Aug 2011 20:20:20 +0000
Received: from hpaq6.eem.corp.google.com (hpaq6.eem.corp.google.com
	[172.25.149.6]) by smtp-out.google.com with ESMTP id p7BKK1Pk011257;
	Thu, 11 Aug 2011 13:20:01 -0700
Received: from peppermint.mtv.corp.google.com (peppermint.mtv.corp.google.com
	[172.22.73.61])
	by hpaq6.eem.corp.google.com with ESMTP id p7BKJwOG003519;
	Thu, 11 Aug 2011 13:19:58 -0700
Received: by peppermint.mtv.corp.google.com (Postfix, from userid 121310)
	id C8D4C19AA42; Thu, 11 Aug 2011 13:19:57 -0700 (PDT)
From: Doug Anderson <dianders@chromium.org>
To: Ben Dooks <ben-linux@fluff.org>, Stephen Warren <swarren@nvidia.com>,
	Vincent Palatin <vpalatin@chromium.org>,
	Rhyland Klein <rklein@nvidia.com>
Subject: [PATCH] i2c: tegra: fix possible race condition after tx
Date: Thu, 11 Aug 2011 13:19:06 -0700
Message-Id: <1313093946-24559-1-git-send-email-dianders@chromium.org>
X-Mailer: git-send-email 1.7.3.1
X-System-Of-Record: true
X-CRM114-Version: 20090807-BlameThorstenAndJenny ( TRE 0.7.6 (BSD) )
	MR-646709E3
X-CRM114-CacheID: sfid-20110811_162019_547396_7D183C78 
X-CRM114-Status: GOOD (  16.30  )
X-Spam-Score: -3.1 (---)
X-Spam-Report: SpamAssassin version 3.3.1 on canuck.infradead.org summary:
	Content analysis details:   (-3.1 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
	-0.8 RP_MATCHES_RCVD Envelope sender domain matches handover relay
	domain
	-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
	medium trust [74.125.121.67 listed in list.dnswl.org]
Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>,
	Doug Anderson <dianders@chromium.org>, linux-kernel@vger.kernel.org,
	linux-tegra@vger.kernel.org, Rakesh Iyer <riyer@nvidia.com>,
	linux-i2c@vger.kernel.org, Jean Delvare <khali@linux-fr.org>,
	linux-arm-kernel@lists.infradead.org
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
MIME-Version: 1.0
Sender: linux-arm-kernel-bounces@lists.infradead.org
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.6 (demeter2.kernel.org [140.211.167.43]);
	Thu, 11 Aug 2011 20:21:03 +0000 (UTC)

In tegra_i2c_fill_tx_fifo, once we have finished pushing all the bytes
to the I2C hardware controller, the interrupt might happen before we
have updated i2c_dev->msg_buf_remaining at the end of the function.
Then, in tegra_i2c_isr, we will call again tegra_i2c_fill_tx_fifo
triggering weird behaviour. This has been shown to happen under real
conditions.

Signed-off-by: Doug Anderson <dianders@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Acked-by: Rhyland Klein <rklein@nvidia.com>
Acked-by: Stephen Warren <swarren@nvidia.com>
---
 drivers/i2c/busses/i2c-tegra.c |   46 +++++++++++++++++++++++++++------------
 1 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c
index 2440b74..9c5fb75 100644
--- a/drivers/i2c/busses/i2c-tegra.c
+++ b/drivers/i2c/busses/i2c-tegra.c
@@ -270,14 +270,30 @@ static int tegra_i2c_fill_tx_fifo(struct tegra_i2c_dev *i2c_dev)
 
 	/* Rounds down to not include partial word at the end of buf */
 	words_to_transfer = buf_remaining / BYTES_PER_FIFO_WORD;
-	if (words_to_transfer > tx_fifo_avail)
-		words_to_transfer = tx_fifo_avail;
 
-	i2c_writesl(i2c_dev, buf, I2C_TX_FIFO, words_to_transfer);
-
-	buf += words_to_transfer * BYTES_PER_FIFO_WORD;
-	buf_remaining -= words_to_transfer * BYTES_PER_FIFO_WORD;
-	tx_fifo_avail -= words_to_transfer;
+	/* It's very common to have < 4 bytes, so optimize that case. */
+	if (words_to_transfer) {
+		if (words_to_transfer > tx_fifo_avail)
+			words_to_transfer = tx_fifo_avail;
+
+		/*
+		 * Update state before writing to FIFO.  If this casues us
+		 * to finish writing all bytes (AKA buf_remaining goes to 0) we
+		 * have a potential for an interrupt (PACKET_XFER_COMPLETE is
+		 * not maskable).  We need to make sure that the isr sees
+		 * buf_remaining as 0 and doesn't call us back re-entrantly.
+		 */
+		buf_remaining -= words_to_transfer * BYTES_PER_FIFO_WORD;
+		tx_fifo_avail -= words_to_transfer;
+		i2c_dev->msg_buf_remaining = buf_remaining;
+		i2c_dev->msg_buf = buf +
+			words_to_transfer * BYTES_PER_FIFO_WORD;
+		barrier();
+
+		i2c_writesl(i2c_dev, buf, I2C_TX_FIFO, words_to_transfer);
+
+		buf += words_to_transfer * BYTES_PER_FIFO_WORD;
+	}
 
 	/*
 	 * If there is a partial word at the end of buf, handle it manually to
@@ -287,14 +303,15 @@ static int tegra_i2c_fill_tx_fifo(struct tegra_i2c_dev *i2c_dev)
 	if (tx_fifo_avail > 0 && buf_remaining > 0) {
 		BUG_ON(buf_remaining > 3);
 		memcpy(&val, buf, buf_remaining);
+
+		/* Again update before writing to FIFO to make sure isr sees. */
+		i2c_dev->msg_buf_remaining = 0;
+		i2c_dev->msg_buf = NULL;
+		barrier();
+
 		i2c_writel(i2c_dev, val, I2C_TX_FIFO);
-		buf_remaining = 0;
-		tx_fifo_avail--;
 	}
 
-	BUG_ON(tx_fifo_avail > 0 && buf_remaining > 0);
-	i2c_dev->msg_buf_remaining = buf_remaining;
-	i2c_dev->msg_buf = buf;
 	return 0;
 }
 
@@ -411,9 +428,10 @@ static irqreturn_t tegra_i2c_isr(int irq, void *dev_id)
 			tegra_i2c_mask_irq(i2c_dev, I2C_INT_TX_FIFO_DATA_REQ);
 	}
 
-	if ((status & I2C_INT_PACKET_XFER_COMPLETE) &&
-			!i2c_dev->msg_buf_remaining)
+	if (status & I2C_INT_PACKET_XFER_COMPLETE) {
+		BUG_ON(i2c_dev->msg_buf_remaining);
 		complete(&i2c_dev->msg_complete);
+	}
 
 	i2c_writel(i2c_dev, status, I2C_INT_STATUS);
 	if (i2c_dev->is_dvc)