genodelabs / genode

Genode OS Framework
https://genode.org/

rpi_usb_host_drv: illegal READ at address with run/usb_hid_raw #5126

Open chelmuth opened 9 months ago

chelmuth commented 9 months ago

As discovered in #4958, the test above fails on rpi as follows.

[init -> usb_drv -> usb_drv] usb 1-1.3: USB disconnect, device number 63
[init -> usb_hid_drv] usb usb-1-63: USB disconnect, device number 63
[init -> usb_hid_drv] Disconnected device: input118
[init -> usb_hid_drv] Disconnected device: input119
Error: illegal READ at address 0x148ab58 by pager_object: pd='init -> usb_drv -> usb_drv' thread='ep' ip=0x106dea4

Note, it may take quite a lot of unplug-plug cycles to reproduce (hinted by usb-device index 63).

   dwc_otg_hcd_clear_tt_buffer_complete():
   ../contrib/rpi_linux-9910b548f79f794c793cc0639c8a91cb324e2ab6/src/linux/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c:1073
    106de80:       e92d4030        push    {r4, r5, lr}
   ../contrib/rpi_linux-9910b548f79f794c793cc0639c8a91cb324e2ab6/src/linux/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c:1078
    106de84:       e5914020        ldr     r4, [r1, #32]
   ../contrib/rpi_linux-9910b548f79f794c793cc0639c8a91cb324e2ab6/src/linux/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c:1073
    106de88:       e24dd00c        sub     sp, sp, #12
   ../contrib/rpi_linux-9910b548f79f794c793cc0639c8a91cb324e2ab6/src/linux/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c:1079
    106de8c:       e3540000        cmp     r4, #0
    106de90:       0a00000c        beq     106dec8 <_ZN9Component9constructERN6Genode3EnvE+0x6dec8>
   hcd_to_dwc_otg_hcd():
   ../contrib/rpi_linux-9910b548f79f794c793cc0639c8a91cb324e2ab6/src/linux/drivers/usb/host/dwc_otg/dwc_otg_hcd.h:641
    106de94:       e5905148        ldr     r5, [r0, #328]  @ 0x148
   dwc_otg_hcd_clear_tt_buffer_complete():
   ../contrib/rpi_linux-9910b548f79f794c793cc0639c8a91cb324e2ab6/src/linux/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c:1082
    106de98:       e28d1004        add     r1, sp, #4
    106de9c:       e59500d0        ldr     r0, [r5, #208]  @ 0xd0
    106dea0:       ebff92d0        bl      10529e8 <_ZN9Component9constructERN6Genode3EnvE+0x529e8>
   ../contrib/rpi_linux-9910b548f79f794c793cc0639c8a91cb324e2ab6/src/linux/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c:1083
->  106dea4:       e5d43058        ldrb    r3, [r4, #88]   @ 0x58
    106dea8:       e3c33001        bic     r3, r3, #1
    106deac:       e5c43058        strb    r3, [r4, #88]   @ 0x58
   ../contrib/rpi_linux-9910b548f79f794c793cc0639c8a91cb324e2ab6/src/linux/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c:1085
    106deb0:       e595300c        ldr     r3, [r5, #12]
    106deb4:       e3130002        tst     r3, #2
    106deb8:       1a000004        bne     106ded0 <_ZN9Component9constructERN6Genode3EnvE+0x6ded0>

chelmuth commented 6 months ago

The error last happened on 2024-05-06 in the CI, but I could not spot any relevant source-code change since then. I'll keep an eye on it.

chelmuth commented 2 months ago

It seems to be a race/corruption manifesting in drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c:1083.

   1071 static void dwc_otg_hcd_clear_tt_buffer_complete(struct usb_hcd *hcd,
   1072                                                  struct usb_host_endpoint *ep)
   1073 {
   1074         dwc_otg_hcd_t *dwc_hcd = hcd_to_dwc_otg_hcd(hcd);
   1075         dwc_otg_qh_t *qh;
   1076         unsigned long flags;
   1077 
   1078         qh = ep->hcpriv;
   1079         if (!qh)
   1080                 return;
   1081 
   1082         DWC_SPINLOCK_IRQSAVE(dwc_hcd->lock, &flags);
-> 1083         qh->tt_buffer_dirty = 0;
   1084 
   1085         if (dwc_hcd->flags.b.port_connect_status)
   1086                 dwc_otg_hcd_queue_transactions(dwc_hcd, DWC_OTG_TRANSACTION_ALL);
   1087 
   1088         DWC_SPINUNLOCK_IRQRESTORE(dwc_hcd->lock, flags);
   1089 }
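
Added example, not part of the issue or of Genode's tooling: a small triage helper that correlates the fault message with the disassembly quoted in the first comment to recover the pointer that was dereferenced and the instruction that loaded it. The sample input is constructed from lines quoted above; the function names and regular expressions are assumptions of this example.

```python
import re

# Constructed sample input: the fault line and objdump lines quoted in this issue.
FAULT = ("Error: illegal READ at address 0x148ab58 by pager_object: "
         "pd='init -> usb_drv -> usb_drv' thread='ep' ip=0x106dea4")
LISTING = """\
    106de80:       e92d4030        push    {r4, r5, lr}
    106de84:       e5914020        ldr     r4, [r1, #32]
    106de8c:       e3540000        cmp     r4, #0
    106dea0:       ebff92d0        bl      10529e8
->  106dea4:       e5d43058        ldrb    r3, [r4, #88]   @ 0x58
    106dea8:       e3c33001        bic     r3, r3, #1
"""

FAULT_RE = re.compile(r"illegal (\w+) at address (0x[0-9a-f]+) .*?"
                      r"pd='([^']*)' thread='([^']*)' ip=(0x[0-9a-f]+)")
INSN_RE = re.compile(
    r"^[ \t]*(?:->)?[ \t]*([0-9a-f]+):\s+[0-9a-f]{8}\s+(\S+)[ \t]*([^@\n]*)", re.M)
MEM_RE = re.compile(r"\[(\w+)(?:,\s*#(-?\d+))?\]")


def parse_fault(line):
    """Split a page-fault message into access type, address, pd, thread and ip."""
    m = FAULT_RE.search(line)
    if not m:
        raise ValueError("not a page-fault line")
    access, addr, pd, thread, ip = m.groups()
    return {"access": access, "addr": int(addr, 16), "pd": pd,
            "thread": thread, "ip": int(ip, 16)}


def triage(fault_line, listing):
    """Recover the base pointer of the faulting access and where it was loaded."""
    fault = parse_fault(fault_line)
    insns = [(int(a, 16), mn, ops.strip()) for a, mn, ops in INSN_RE.findall(listing)]
    at_ip = [i for i in insns if i[0] == fault["ip"]]
    if not at_ip:
        raise LookupError("faulting ip not in listing")
    mem = MEM_RE.search(at_ip[0][2])
    if not mem:
        raise LookupError("instruction at ip has no memory operand")
    base, offset = mem.group(1), int(mem.group(2) or 0)
    # Simplification: walk back by address (not control flow) to the last ldr* into base.
    origin = next((i for i in reversed(insns)
                   if i[0] < fault["ip"] and i[1].startswith("ldr")
                   and i[2].split(",")[0].strip() == base), None)
    return {"base_reg": base, "offset": offset,
            "base_value": fault["addr"] - offset, "loaded_at": origin}
```

For the quoted fault, triage(FAULT, LISTING) reports base register r4 with value 0x148ab00 and offset 88 (0x58), loaded by "ldr r4, [r1, #32]" at 0x106de84. The listing attributes that load to source line 1078 (qh = ep->hcpriv), which precedes the call at 0x106dea0 attributed to line 1082 (DWC_SPINLOCK_IRQSAVE).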