tty: serial: msm_geni_serial: Fix TX infinite loop

The GENI serial driver handled transmit by leaving stuff in the common circular buffer until it had completely caught up to the head, then clearing it out all at once. This is a suboptimal way to do transmit, as it leaves data in the circular buffer that could be freed. Moreover, the logic implementing it is wrong, and it is easy to get into a situation where the UART infinitely writes out the same buffer. I could reproduce infinite serial output of the same buffer by running dmesg, then hitting Ctrl-C. I believe what happened is xmit_size was something large, marching towards a larger value. Then the generic OS code flushed out the buffer and replaced it with two characters. Now the xmit_size is a large value marching towards a small value, which it wasn't expecting. The driver subtracts xmit_size (very large) from uart_circ_chars_pending (2), underflows, and repeats ad nauseum. The locking isn't wrong here, as the locks are held whenever the buffer is manipulated, it's just that the driver wasn't expecting the buffer to be flushed out from underneath it in between transmits. This change reworks transmit to grab what it can from the circular buffer, and then update ->tail, both fixing the underflow and freeing up space for a smoother circular experience. Signed-off-by: Evan Green <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
pop-os · May 14, 2018 · 638a6f4 · 638a6f4
1 parent d76c743
commit 638a6f4
Showing 1 changed file with 7 additions and 10 deletions.
diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c
@@ -98,7 +98,6 @@ struct qcom_geni_serial_port {
 	enum geni_se_xfer_mode xfer_mode;
 	bool setup;
 	int (*handle_rx)(struct uart_port *uport, u32 bytes, bool drop);
-	unsigned int xmit_size;
 	unsigned int baud;
 	unsigned int tx_bytes_pw;
 	unsigned int rx_bytes_pw;
@@ -462,7 +461,6 @@ static void qcom_geni_serial_stop_tx(struct uart_port *uport)
 		writel_relaxed(0, uport->membase +
 				     SE_GENI_TX_WATERMARK_REG);
 	}
-	port->xmit_size = 0;
 	writel_relaxed(irq_en, uport->membase + SE_GENI_M_IRQ_EN);
 	status = readl_relaxed(uport->membase + SE_GENI_STATUS);
 	/* Possible stop tx is called multiple times. */
@@ -592,16 +590,13 @@ static void qcom_geni_serial_handle_tx(struct uart_port *uport)
 	chunk = uart_circ_chars_pending(xmit);
 	status = readl_relaxed(uport->membase + SE_GENI_TX_FIFO_STATUS);
 	/* Both FIFO and framework buffer are drained */
-	if (chunk == port->xmit_size && !status) {
-		port->xmit_size = 0;
-		uart_circ_clear(xmit);
+	if (!chunk && !status) {
 		qcom_geni_serial_stop_tx(uport);
 		goto out_write_wakeup;
 	}
-	chunk -= port->xmit_size;
 
 	avail = (port->tx_fifo_depth - port->tx_wm) * port->tx_bytes_pw;
-	tail = (xmit->tail + port->xmit_size) & (UART_XMIT_SIZE - 1);
+	tail = xmit->tail;
 	chunk = min3((size_t)chunk, (size_t)(UART_XMIT_SIZE - tail), avail);
 	if (!chunk)
 		goto out_write_wakeup;
@@ -622,14 +617,16 @@ static void qcom_geni_serial_handle_tx(struct uart_port *uport)
 		iowrite32_rep(uport->membase + SE_GENI_TX_FIFOn, buf, 1);
 
 		i += tx_bytes;
-		tail = (tail + tx_bytes) & (UART_XMIT_SIZE - 1);
+		tail += tx_bytes;
 		uport->icount.tx += tx_bytes;
 		remaining -= tx_bytes;
 	}
+
+	xmit->tail = tail & (UART_XMIT_SIZE - 1);
 	qcom_geni_serial_poll_tx_done(uport);
-	port->xmit_size += chunk;
 out_write_wakeup:
-	uart_write_wakeup(uport);
+	if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+		uart_write_wakeup(uport);
 }
 
 static irqreturn_t qcom_geni_serial_isr(int isr, void *dev)