I found a bug in the linux kernel code with rproc driver in ti_k3_dsp_remoteproc.c/ti_k3_r5_remoteproc.c when these drivers use mailbox to send messages.
I doubte why you didn't have this problem.
static void k3_dsp_rproc_kick(struct rproc *rproc, int vqid)
{
struct k3_dsp_rproc *kproc = rproc->priv;
struct device *dev = rproc->dev.parent;
mbox_msg_t msg = (mbox_msg_t)vqid;
int ret;
/* send the index of the triggered virtqueue in the mailbox payload */
ret = mbox_send_message(kproc->mbox, (void *)msg);
if (ret < 0)
dev_err(dev, "failed to send mailbox message, status = %d\n",
ret);
}
About the code with red color, the "msg" val is a pointer with the mailbox msg buffer.
When we send the msg , we put the pointer into the mailbox client's send buffer queue.
At this time, if we config the mailbox send with NON-BLOCK mode, just like your code:
client->rx_callback = k3_dsp_rproc_mbox_callback;
client->tx_block = false;
then something happen, after the mbox_send_message function call return, buf the buf still in the mailbox clent's send buf and
not send out, then becasue the "msg" val is a local val, it will be free after the kick function finish. But the buf is still in the
mailbox clent's sendbuf, but this buf is freed and not right. so trample happen.
AS the log show, we want to use mailbox to send VQID, first data send is OK, the vqid is 1, then error get ,the vqid is a big data. 0x95178c10.
i used the arm pl320 mailbox , my code in rproc driver to use the mailbox is :
static void xx_rpu_rproc_kick(struct rproc *rproc, int vqid)
{
struct xx_rpu_rproc *kproc = rproc->priv;
struct device *dev = rproc->dev.parent;
uint32_t msg[7] = {0};
int ret;
msg[0] = vqid;
/* send the index of the triggered virtqueue in the mailbox payload */
ret = mbox_send_message(kproc->mbox[vqid],
(void *)msg);
if (ret < 0)
dev_err(dev, "failed to send mailbox message, status = %d\n", ret);
TI中文支持网
