OMAP 4430 SDP: rather sick with recent kernels

Russell King - ARM Linux linux at arm.linux.org.uk
Thu Dec 18 02:16:18 PST 2014 

On Wed, Dec 17, 2014 at 11:08:06PM +0200, Jyri Sarha wrote:
> I tried booting my 4460 Panda - which is the closest thing to 4430SDP that
> I've got - on next-20141217, but I could not get it to the point where the
> omap-abe-twl6040 probed. It probably is the problem you are talking about as
> the hang does not happen if I disable ASoC ABE all together, right?
> 
> I'll take a deeper look at it tomorrow, as Peter is not working ATM.

Digging into this at my end:

[<c02c8698>] (snd_soc_instantiate_card) from [<c02c95f0>] (snd_soc_register_card+0x344/0x424)
 r10:0000005c r9:00000000 r8:00000620 r7:ce437630 r6:ce437630 r5:00000002
 r4:c05cae58

c02c95e8:       e1a00004        mov     r0, r4
c02c95ec:       ebfffc29        bl      c02c8698 <snd_soc_instantiate_card>

So 'card' is 0xc05cae58, which is correct: c05cae58 d omap_abe_card

[<c02cc0ec>] (snd_soc_dapm_add_routes) from [<c02c8f40>] (snd_soc_instantiate_card+0x8a8/0xc14)
 r10:00000000 r9:00000000 r8:ce437010 r7:ce437630 r6:00000002 r5:c05cb0bc
 r4:c05cae58

c02c8f28:       e594110c        ldr     r1, [r4, #268]  ; 0x10c
c02c8f2c:       e3510000        cmp     r1, #0
c02c8f30:       0a000002        beq     c02c8f40 <snd_soc_instantiate_card+0x8a8>
c02c8f34:       e51b0044        ldr     r0, [fp, #-68]  ; 0x44
c02c8f38:       e5942110        ldr     r2, [r4, #272]  ; 0x110
c02c8f3c:       eb000c6a        bl      c02cc0ec <snd_soc_dapm_add_routes>

This corresponds with:

        if (card->dapm_routes)
                snd_soc_dapm_add_routes(&card->dapm, card->dapm_routes,
                                        card->num_dapm_routes);

Again, we see r4 is the omap_abe_card, and the code is loading dapm_routes
and num_dapm_routes.  The dump of this in the vmlinux file gives:

c05cae58 <omap_abe_card>:
        ...
c05caf5c:       c045d098        umaalgt sp, r5, r8, r0
c05caf60:       0000000a        andeq   r0, r0, sl
c05caf64:       c045d6a4        subgt   sp, r5, r4, lsr #13
c05caf68:       00000011        andeq   r0, r0, r1, lsl r0

and 0x10c/0x110 gives 0xc045d6a4  / 17.  c045d6a4 r audio_map
So that looks fine.

[<c02cbf08>] (snd_soc_dapm_add_route) from [<c02cc134>] (snd_soc_dapm_add_routes+0x48/0xac)
 r10:c0458801 r9:00000000 r8:00000037 r7:00000000 r6:00000000 r5:c05cafb8
 r4:ce57b420

c02cc0ec <snd_soc_dapm_add_routes>:
c02cc0fc:       e1a05000        mov     r5, r0
c02cc104:       e1a04001        mov     r4, r1
c02cc108:       e3a07000        mov     r7, #0
c02cc114:       e1a08002        mov     r8, r2
c02cc118:       e2844010        add     r4, r4, #16
c02cc120:       e1a06007        mov     r6, r7
c02cc128:       ea00000f        b       c02cc16c <snd_soc_dapm_add_routes+0x80>

c02cc12c:       e1a00005        mov     r0, r5
c02cc130:       ebffff74        bl      c02cbf08 <snd_soc_dapm_add_route>
c02cc134:       e2509000        subs    r9, r0, #0
c02cc138:       aa000009        bge     c02cc164 <snd_soc_dapm_add_routes+0x78>
...
c02cc168:       e2844010        add     r4, r4, #16
c02cc16c:       e1560008        cmp     r6, r8
c02cc170:       e2441010        sub     r1, r4, #16
c02cc174:       baffffec        blt     c02cc12c <snd_soc_dapm_add_routes+0x40>

Here, r5 is &card->dapm.  r4 should be card->dapm_routes, possibly
incremented by 16 up to 17 times, which should be in the range of
0xc045d6a4 - 0xc045d7b4, but it isn't, it's 0xce57b420.

Also, r8 is card->num_dapm_routes, which should be 17, but it's 0x37
(55).  The index is r6, and at least that's sensibly at zero.

Now, we have this call to snd_soc_of_parse_audio_routing(), which
allocates some memory, copies the old routes into it, and then adds
to them from DT.  That explains why the pointer and number of routes
are different - there's 19 routes in omap4-sdp.dts - 17 + 19 = 36.
So that doesn't work - but importantly, it does point towards a
possible culpret - snd_soc_of_parse_audio_routing().

This is obvious when you stop and think about what it's doing, this is
truely where this bug lies, and it /is/ in generic ASoC code.

The problem is that this function doesn't consider the implications of
deferred probing.  Let's see what happens if we defer, and re-do the
ABE initialisation, including calling this function:

17 + 19 = 36. - first probe
17 + 19 + 19 = 55. - second probe

Oh - that works in terms of the number, and it would also explain why
the table has been screwed - because the second time we memcpy(), we're
memcpy()ing from data which was allocated via devm_kzalloc(), and thus
would have been freed after the first failed probe.

Mark - this is a core ASoC problem.

-- 
FTTC broadband for 0.8mile line: currently at 9.5Mbps down 400kbps up
according to speedtest.net.

More information about the linux-arm-kernel mailing list