Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp100568ybm; Wed, 27 May 2020 20:44:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy00e8HWwBmKn0oI15dofjDDFlAJ8UCaxE9zV2rY+OFNQtIBMsou4iHxLj7tBrO84sraAxi X-Received: by 2002:a17:906:3901:: with SMTP id f1mr892331eje.526.1590637485079; Wed, 27 May 2020 20:44:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590637485; cv=none; d=google.com; s=arc-20160816; b=iPMpI3FBRq0nIPax8QL+Wkf7CpDxZ/ICTc3IRsnWNDmhSMODqTTjdLc6/NKZ+H/JM5 EzWFp/Ia8J41Oz61ekAva2NHF60B2bXvC0GcP7DRkGCGiBfweHQxF/V8aJHhv8i40iRW J/ML5fJoJxeAIJS28BinPTNSG6JeI+LGI1NPXaIUcg9ILZ62RzuY44+24u5KRryHXB4d 1Zv//8doLrj7eSA4iFj6mh3PjK2HPfkhZShQNkV5uyOHuA9dmV6GAts1Xp8PKDwPFpnc 3fZpQr2vnTevJdBdSo2h8QW7VQqYqmHL04kzrc7HTOeeo5B0edwtn8zCv9hyiNjllVCZ xpvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=bPaEtIz9pymnQ3zlLT7ky3GdzrpI5LZJGnrujJgXsc0=; b=m+FJF/u4/ea99c2YIUbCbEMqWZ5HVK3KJgWnT4iNgF6Tfgv7cpYbF+utVh+SBMZGR0 8U9pqmbYlW219py1BGdrt/+6SFba8mj1qXI030RsddT/wQuSUWWhGUtwxzT+4m03Qi5h piayVQe8zRM+BFiQaNkp2OzE+kaeSWfl11JnRoyu8etpxBpJOZ+6VNqq3H9nVbuQgcCL weRSXS3JkRlzBEjbJbFOP3VWBNCrwmBVWSGmUHS/StPzZoHKCvZsTlkL/p7CPuvM+sb5 L561Vx10MkHz0CtFuIfDdX+LJgcqOlv+xZvgj4whscRpXvr18EL0f2ASfi/N4HfTSrh4 IoBA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=c9KdapEU; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id fi8si2199392ejb.641.2020.05.27.20.44.01; Wed, 27 May 2020 20:44:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=c9KdapEU; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727012AbgE1DnC (ORCPT + 99 others); Wed, 27 May 2020 23:43:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54716 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726530AbgE1DnB (ORCPT ); Wed, 27 May 2020 23:43:01 -0400 Received: from mail-vs1-xe41.google.com (mail-vs1-xe41.google.com [IPv6:2607:f8b0:4864:20::e41]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 388D3C08C5C2 for ; Wed, 27 May 2020 20:43:00 -0700 (PDT) Received: by mail-vs1-xe41.google.com with SMTP id v26so15012653vsa.1 for ; Wed, 27 May 2020 20:43:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bPaEtIz9pymnQ3zlLT7ky3GdzrpI5LZJGnrujJgXsc0=; b=c9KdapEUJSPKNZeQyNnqiFrr6KubgXJeNvxUNO3s2hHeydiVxTVWyJmV7sGy63xdHL 5u8E+yrHjREHQPMLEuL2E3UkkkAQbONyrSQsVq8l/EpwP4xCYD2wzPXrZia+25uAnH0U iBmmbZYYjcBr0vV5SVG54wPyyE8aX9epXx750= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bPaEtIz9pymnQ3zlLT7ky3GdzrpI5LZJGnrujJgXsc0=; b=RAdxeKIlz3HqVwyRIN7Z0sI6kbTOVLR1tJ2Ha/4TrAFpHQbwZtsxEUvk1jwCB8mOgE ycMXTJTPo1EeDWU6S3AfiFOYX9tTkLl25u6Ou0EFcLrt0NL4+2ucYik5EzbmibbRLsmr V3UCrN8dJLWaO5tJJKTfiYhVj7OwnUJW2FCYqoWFLhDc7QPVDT3ESe7m8j2fb8OTH7hs 91vwZLjT1RkdCkZf0cKsNK0zoSFoRPiYXeJWe2fy5FOcKE8ipENpVkLSzIDIHQilVZRb RXvW6l0KESZOt1w28N5PrkwXahSyctAViHqVO1JijEILL/r9T1EIfdAERV9A83/3wTZX LVMA== X-Gm-Message-State: AOAM5314KFXLgGN6iXZ0LToaUaUELL53dWoUEd53VZ0iHmzwZMBiTp+A 5qFQbmqUWEJyU8iP4hck1NsQ6qRfsp2AlnW3N56dIw== X-Received: by 2002:a67:8d48:: with SMTP id p69mr617029vsd.86.1590637379005; Wed, 27 May 2020 20:42:59 -0700 (PDT) MIME-Version: 1.0 References: <1590550627-24618-1-git-send-email-zijuhu@codeaurora.org> In-Reply-To: <1590550627-24618-1-git-send-email-zijuhu@codeaurora.org> From: Abhishek Pandit-Subedi Date: Wed, 27 May 2020 20:42:46 -0700 Message-ID: Subject: Re: [PATCH v2] bluetooth: hci_qca: Fix QCA6390 memdump failure To: Zijun Hu Cc: Marcel Holtmann , Johan Hedberg , LKML , Bluez mailing list , linux-arm-msm@vger.kernel.org, bgodavar@codeaurora.org, c-hbandi@codeaurora.org, hemantg@codeaurora.org, Matthias Kaehlcke , rjliao@codeaurora.org Content-Type: text/plain; charset="UTF-8" Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Zijun, On Tue, May 26, 2020 at 8:37 PM Zijun Hu wrote: > > QCA6390 memdump VSE sometimes come to bluetooth driver > with wrong sequence number as illustrated as follows: > frame # in DEC: frame data in HEX > 1396: ff fd 01 08 74 05 00 37 8f 14 > 1397: ff fd 01 08 75 05 00 ff bf 38 > 1414: ff fd 01 08 86 05 00 fb 5e 4b > 1399: ff fd 01 08 77 05 00 f3 44 0a > 1400: ff fd 01 08 78 05 00 ca f7 41 > it is mistook for controller missing packets, so results > in page fault after overwriting memdump buffer allocated. > > it is fixed by ignoring QCA6390 sequence number error > and checking buffer space before writing. > > Signed-off-by: Zijun Hu > --- > drivers/bluetooth/hci_qca.c | 45 ++++++++++++++++++++++++++++++++++++++------- > 1 file changed, 38 insertions(+), 7 deletions(-) > > diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c > index e4a6823..388fe01b 100644 > --- a/drivers/bluetooth/hci_qca.c > +++ b/drivers/bluetooth/hci_qca.c > @@ -114,6 +114,7 @@ struct qca_memdump_data { > char *memdump_buf_tail; > u32 current_seq_no; > u32 received_dump; > + u32 ram_dump_size; > }; > > struct qca_memdump_event_hdr { > @@ -976,6 +977,8 @@ static void qca_controller_memdump(struct work_struct *work) > char nullBuff[QCA_DUMP_PACKET_SIZE] = { 0 }; > u16 seq_no; > u32 dump_size; > + u32 rx_size; > + enum qca_btsoc_type soc_type = qca_soc_type(hu); > > while ((skb = skb_dequeue(&qca->rx_memdump_q))) { > > @@ -1029,6 +1032,7 @@ static void qca_controller_memdump(struct work_struct *work) > > skb_pull(skb, sizeof(dump_size)); > memdump_buf = vmalloc(dump_size); > + qca_memdump->ram_dump_size = dump_size; > qca_memdump->memdump_buf_head = memdump_buf; > qca_memdump->memdump_buf_tail = memdump_buf; > } > @@ -1052,25 +1056,52 @@ static void qca_controller_memdump(struct work_struct *work) > * packets in the buffer. > */ > while ((seq_no > qca_memdump->current_seq_no + 1) && > + (soc_type != QCA_QCA6390) && This probably shouldn't be SOC specific. > seq_no != QCA_LAST_SEQUENCE_NUM) { > bt_dev_err(hu->hdev, "QCA controller missed packet:%d", > qca_memdump->current_seq_no); > + rx_size = qca_memdump->received_dump; > + rx_size += QCA_DUMP_PACKET_SIZE; > + if (rx_size > qca_memdump->ram_dump_size) { > + bt_dev_err(hu->hdev, > + "QCA memdump received %d, no space for missed packet", > + qca_memdump->received_dump); > + break; > + } > memcpy(memdump_buf, nullBuff, QCA_DUMP_PACKET_SIZE); > memdump_buf = memdump_buf + QCA_DUMP_PACKET_SIZE; > qca_memdump->received_dump += QCA_DUMP_PACKET_SIZE; > qca_memdump->current_seq_no++; > } You can replace this loop with a memset(memdump_buf, 0, (seq_no - qca_memdump->current_seq_no) * QCA_DUMP_PACKET_SIZE). This simplifies the ram_dump_size check as well because it won't zero fill until the end anymore (meaning a single bad seq_no doesn't make the rest of the dump incorrect). > > - memcpy(memdump_buf, (unsigned char *) skb->data, skb->len); > - memdump_buf = memdump_buf + skb->len; > - qca_memdump->memdump_buf_tail = memdump_buf; > - qca_memdump->current_seq_no = seq_no + 1; > - qca_memdump->received_dump += skb->len; > + rx_size = qca_memdump->received_dump + skb->len; > + if (rx_size <= qca_memdump->ram_dump_size) { > + if ((seq_no != QCA_LAST_SEQUENCE_NUM) && > + (seq_no != qca_memdump->current_seq_no)) > + bt_dev_err(hu->hdev, > + "QCA memdump unexpected packet %d", > + seq_no); > + bt_dev_dbg(hu->hdev, > + "QCA memdump packet %d with length %d", > + seq_no, skb->len); > + memcpy(memdump_buf, (unsigned char *)skb->data, > + skb->len); > + memdump_buf = memdump_buf + skb->len; > + qca_memdump->memdump_buf_tail = memdump_buf; > + qca_memdump->current_seq_no = seq_no + 1; > + qca_memdump->received_dump += skb->len; > + } else { > + bt_dev_err(hu->hdev, > + "QCA memdump received %d, no space for packet %d", > + qca_memdump->received_dump, seq_no); > + } > qca->qca_memdump = qca_memdump; > kfree_skb(skb); > if (seq_no == QCA_LAST_SEQUENCE_NUM) { > - bt_dev_info(hu->hdev, "QCA writing crash dump of size %d bytes", > - qca_memdump->received_dump); > + bt_dev_info(hu->hdev, > + "QCA memdump Done, received %d, total %d", > + qca_memdump->received_dump, > + qca_memdump->ram_dump_size); > memdump_buf = qca_memdump->memdump_buf_head; > dev_coredumpv(&hu->serdev->dev, memdump_buf, > qca_memdump->received_dump, GFP_KERNEL); > -- > The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project >