Re: [PATCH v5 09/11] macio: Add dummy screamer register area

[BALATON Zoltan]

On Sun, 28 Jun 2020, BALATON Zoltan wrote:
> Here it is with --enable-debug and additional screamer debug:
>
> SCREAMER: screamer_read: addr 0000000000000000 -> 0
> SCREAMER: screamer_write: addr 0000000000000000 val 11
> SCREAMER: screamer_control_write: val 17
> SCREAMER: basic rate: 44100
> DBDMA[10]: writel 0x000000000000080c <= 0x00000010
> DBDMA[10]: channel 0x10 reg 0x3
> DBDMA[10]: dbdma_cmdptr_load 0x00000010
> DBDMA[10]: writel 0x0000000000000800 <= 0xf0000000
> DBDMA[10]: channel 0x10 reg 0x0
> DBDMA[10]:  Clearing RUN !
> DBDMA[10]:  clearing PAUSE !
> DBDMA[10]:   -> ACTIVE down !
> DBDMA[10]:  new status=0x00000000
> SCREAMER: DMA TX flush!
> DBDMA[10]: readl 0x0000000000000804 => 0x00000000
> DBDMA[10]: channel 0x10 reg 0x1
> DBDMA[10]: writel 0x0000000000000800 <= 0xf0008000
> DBDMA[10]: channel 0x10 reg 0x0
> DBDMA[10]:  Setting RUN !
> DBDMA[10]:  clearing PAUSE !
> DBDMA[10]:  -> ACTIVE up !
> DBDMA[10]:  new status=0x00008400
> DBDMA[10]: readl 0x0000000000000804 => 0x00008400
> DBDMA[10]: channel 0x10 reg 0x1
> DBDMA: -> DBDMA_run_bh
> DBDMA[10]: channel_run
> DBDMA[10]: dbdma_cmd 0x555556aac340
> DBDMA[10]:     req_count 0x8000
> DBDMA[10]:     command 0x0000
> DBDMA[10]:     phy_addr 0x00000100
> DBDMA[10]:     cmd_dep 0x00000000
> DBDMA[10]:     res_count 0x0000
> DBDMA[10]:     xfer_status 0x0000
> DBDMA[10]: * OUTPUT_MORE *
> DBDMA[10]: start_output
> DBDMA[10]: addr 0x100 key 0x0
> SCREAMER: DMA TX defer interrupt!
> DBDMA: <- DBDMA_run_bh
> SCREAMER: Processing deferred buffer
> SCREAMER: DMA TX transfer: addr 100 len: 8000  bpos: 0
>
> Thread 1 "qemu-system-ppc" received signal SIGSEGV, Segmentation fault.
> 0x0000000094ff7c19 in ?? ()
>
> (gdb) bt
> #0  0x0000000094ff7c19 in  ()
> #1  0x0000555555acb1e2 in pmac_screamer_tx_transfer (io=0x555556ab1a98) at 
> hw/audio/screamer.c:79
> #2  0x0000555555acb4dd in screamerspk_callback (opaque=0x555556aad630, 
> avail=16384) at hw/audio/screamer.c:155
> #3  0x0000555555a6af3d in audio_run_out (s=0x555556b12bd0) at 
> audio/audio.c:1181
> #4  0x0000555555a6b886 in audio_run (s=0x555556b12bd0, msg=0x55555609d4a9 
> "alsa run (prepared)") at audio/audio.c:1372
> #5  0x0000555555d00ce9 in alsa_poll_handler (opaque=0x555557959c60) at 
> audio/alsaaudio.c:199
> #6  0x0000555555e57079 in aio_dispatch_handler (ctx=0x5555567257f0, 
> node=0x555557a0c6b0) at util/aio-posix.c:328
> #7  0x0000555555e57232 in aio_dispatch_handlers (ctx=0x5555567257f0) at 
> util/aio-posix.c:371
> #8  0x0000555555e57288 in aio_dispatch (ctx=0x5555567257f0) at 
> util/aio-posix.c:381
> #9  0x0000555555e6d373 in aio_ctx_dispatch (source=0x5555567257f0, 
> callback=0x0, user_data=0x0) at util/async.c:306
> #10 0x00007ffff7cc6665 in g_main_context_dispatch () at 
> /lib64/libglib-2.0.so.0
> #11 0x0000555555e74898 in glib_pollfds_poll () at util/main-loop.c:219
> #12 0x0000555555e74912 in os_host_main_loop_wait (timeout=28915159) at 
> util/main-loop.c:242
> #13 0x0000555555e74a17 in main_loop_wait (nonblocking=0) at 
> util/main-loop.c:518
> #14 0x0000555555981d35 in qemu_main_loop () at qemu/softmmu/vl.c:1664
> #15 0x0000555555df59dc in main (argc=17, argv=0x7fffffffdf28, 
> envp=0x7fffffffdfb8) at qemu/softmmu/main.c:49
> (gdb) up
> #1  0x0000555555acb1e2 in pmac_screamer_tx_transfer (io=0x555556ab1a98) at 
> hw/audio/screamer.c:79
> 79          io->dma_end(io);
> (gdb) p/x *io
> $1 = {opaque = 0xa2140923, channel = 0x79130821, addr = 0x14137e1f, len = 
> 0x0, is_last = 0x0, is_dma_out = 0x3408f81a, dma_end = 0x94ff7c19, processing 
> = 0x19,  dma_mem = 0x53f5351b, dma_len = 0xc7f99f1e, dir = 0x21fbe921}
>
> Looks like dma_end is not pointing to the expected end procedure. Maybe 
> something has overwritten it?

Looks like the dma op itself corrupts the struct:

(gdb) b pmac_screamer_tx_transfer
Breakpoint 1 at 0x555555acb12c: file hw/audio/screamer.c, line 66.
[...]
DBDMA: -> DBDMA_run_bh
DBDMA[10]: channel_run
DBDMA[10]: dbdma_cmd 0x555556aac340
DBDMA[10]:     req_count 0x8000
DBDMA[10]:     command 0x0000
DBDMA[10]:     phy_addr 0x00000100
DBDMA[10]:     cmd_dep 0x00000000
DBDMA[10]:     res_count 0x0000
DBDMA[10]:     xfer_status 0x0000
DBDMA[10]: * OUTPUT_MORE *
DBDMA[10]: start_output
DBDMA[10]: addr 0x100 key 0x0
SCREAMER: DMA TX defer interrupt!
DBDMA: <- DBDMA_run_bh
SCREAMER: Processing deferred buffer

Thread 1 "qemu-system-ppc" hit Breakpoint 1, pmac_screamer_tx_transfer 
(io=0x555556ab1a98) at hw/audio/screamer.c:66
66          ScreamerState *s = io->opaque;
(gdb) p/x *io
$4 = {opaque = 0x555556aad630, channel = 0x555556aac290, addr = 0x100, len = 
0x8000, is_last = 0x0, is_dma_out = 0x1, dma_end = 0x555555b7d2aa, processing = 
0x1, dma_mem = 0x0, dma_len = 0x0, dir = 0x0}
(gdb) p dbdma_end
$5 = {void (DBDMA_io *)} 0x555555b7d2aa <dbdma_end>
(gdb) n
68          SCREAMER_DPRINTF("DMA TX transfer: addr %" HWADDR_PRIx
(gdb)
SCREAMER: DMA TX transfer: addr 100 len: 8000  bpos: 0
71	    dma_memory_read(&address_space_memory, io->addr, 
&s->buf[s->bpos], io->len);
(gdb) n
73          s->bpos += io->len;
(gdb) p/x *io
$6 = {opaque = 0xa2140923, channel = 0x79130821, addr = 0x14137e1f, len = 
0x60f3d1d, is_last = 0x0, is_dma_out = 0x3408f81a, dma_end = 0x94ff7c19, 
processing = 0x19, dma_mem = 0x53f5351b, dma_len = 0xc7f99f1e, dir = 0x21fbe921}

Regards,
BALATON Zoltan