On 5/23/2023 2:47 AM, Thinh Nguyen wrote:
On Sun, May 21, 2023, Krishna Kurapati wrote:
In the current implementation, the check_event_buf call reads the
GEVNTCOUNT register to determine the amount of event data generated
and copies it from ev->buf to ev->cache after masking interrupt.
During copy if the amount of data to be copied is more than
(length - lpos), we fill the ev->cache till the end of 4096 byte
buffer allocated and then start filling from the top (lpos = 0).
In one instance of SMMU crash it is observed that GEVNTCOUNT register
reads more than 4096 bytes:
dwc3_readl base=0xffffffc0091dc000 offset=50188 value=63488
(offset = 50188 -> 0xC40C) -> reads 63488 bytes
As per crash dump:
dwc->lpos = 2056
and evt->buf is at 0xFFFFFFC009185000 and the crash is at
0xFFFFFFC009186000. The diff which is exactly 0x1000 bytes.
We first memcpy 2040 bytes from (buf + lpos) to (buf + 0x1000).
And then we copy the rest of the data (64388 - 2040) from beginning
of dwc->ev_buf. While doing so we go beyond bounds as we are trying
to memcpy 62348 bytes into a 4K buffer resulting in crash.
Fix this by limiting the total data being copied to ev->length to
avoid copying data beyond bounds. Moreover this is logical because if
the controller generated events more than the size of ring buffer,
some of them might have been overwritten by the controller.
Signed-off-by: Krishna Kurapati <quic_kriskura@xxxxxxxxxxx>
---
Only one instance of this crash was observed so far. As per the
databook:
"The controller always leaves one entry free in each Event Buffer.
When the Event Buffer is almost full, hardware writes the Event
Buffer Overflow event and the USB eventually gets stalled when
endpoints start responding NRDY or the link layer stops returning
credits (in SuperSpeed). This event is an indication to software that
it is not processing events quickly enough. During this time, events
are queued up internally. When software frees up Event Buffer space,
the queued up events are written out and the USB returns to normal
operation"
I didn't see any overflow event in the event buffer after parsing
crash dump. Although this could be some HW issue, I thought we can
include this fix in software as well to avoid such scenario.
What's the GEVNTSIZ at the point of the crash? That's where the driver
tells the controller how much it allocated for the event buffer.
Check to make sure that it wasn't reset during operation (not cleanup).
Hi Thinh,
The last 3 RW traces were as follows:
<idle>-0 [001] 5834.471640: dwc3_writel base=0xffffffc0091dc000
offset=50184 value=4096
<idle>-0 [001] 5834.471799: dwc3_readl base=0xffffffc0091dc000
offset=50188 value=63488
<idle>-0 [001] 5834.471803: dwc3_writel base=0xffffffc0091dc000
offset=50184 value=2147487744
The first one was at the end of previous process_event_entry call where
we unmasked the interrupt.
The second one was the read of GEVTCOUNT.
The third one was where we wrote 31st bit of the GEVTSIZ register to
mask interrupt along with 4096 bytes to [15:0] bits.
There is only 100-150us gap between each of these read writes and if you
are referring to whether the GEVTSIZ got modified in between, I am not
sure of that.
Regards,
Krishna,