[Qemu-devel] [PATCH for-3.0 0/1] Fix the Nokia N810 tablet MMC

[Qemu-devel] [PATCH for-3.0 0/1] Fix the Nokia N810 tablet MMC

[Philippe Mathieu-Daudé]

Hi Peter,

This bug was previously reported here:
http://lists.nongnu.org/archive/html/qemu-devel/2018-06/msg01824.html

Diff before/after ecd219f7abb using -append "console=ttyS1 printk.time=0"
option to boot http://people.linaro.org/~peter.maydell/n8x0-images.tgz

 mmci-omap mmci-omap.0: command timeout (CMD5)
 mmc0: host does not support reading read-only switch. assuming
write-enable.
 mmc0: new SDHC card at address 4567
-Waiting for root device /dev/mmcblk0p1...
 mmcblk0: mmc0:4567 QEMU! 1.81 GiB
  mmcblk0: p1 p2
-EXT3-fs: barriers not enabled
-EXT3-fs (mmcblk0p1): mounted filesystem with writeback data mode
-VFS: Mounted root (ext3 filesystem) readonly on device 179:1.
-kjournald starting.  Commit interval 5 seconds
-devtmpfs: mounted
-Freeing init memory: 132K
-mmci-omap mmci-omap.0: command timeout (CMD52)
-mmci-omap mmci-omap.0: command timeout (CMD52)
-mmci-omap mmci-omap.0: command timeout (CMD8)
-mmci-omap mmci-omap.0: command timeout (CMD5)
-mmci-omap mmci-omap.0: command timeout (CMD5)
-mmci-omap mmci-omap.0: command timeout (CMD5)
-mmci-omap mmci-omap.0: command timeout (CMD5)
-mmci-omap mmci-omap.0: command timeout (CMD55)
-mmci-omap mmci-omap.0: command timeout (CMD55)
-mmci-omap mmci-omap.0: command timeout (CMD55)
-mmci-omap mmci-omap.0: command timeout (CMD55)
-mmci-omap mmci-omap.0: command timeout (CMD1)
-lcd_mipid spi1.1: performing LCD ESD recovery
-lcd_mipid spi1.1: performing LCD ESD recovery
+mmci-omap mmci-omap.0: command timeout (CMD18)
+mmcblk0: retrying using single block read
+mmci-omap mmci-omap.0: command timeout (CMD17)
+Unable to handle kernel NULL pointer dereference at virtual address
00000018
+pgd = c0004000
+[00000018] *pgd=00000000
+Internal error: Oops: 5 [#1] PREEMPT
+last sysfs file:
+Modules linked in:
+CPU: 0    Tainted: G        W    (2.6.35~rc4-129.1-n8x0 #1)
+PC is at mmc_omap_dma_cb+0xb8/0x174
+LR is at omap2_dma_irq_handler+0x240/0x294
+pc : [<c0219504>]    lr : [<c003c3ac>]    psr: 20000193
+sp : c7d49db8  ip : c7c4c800  fp : 00000001
+r10: 00000060  r9 : c7c4c950  r8 : 00000001
+r7 : 0000032c  r6 : 00000007  r5 : 00000150  r4 : c7d4ba00
+r3 : 00000000  r2 : 00000007  r1 : 00000060  r0 : 00000007
+Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
+Control: 00c5387d  Table: 80004008  DAC: 00000017
+Process mmcqd (pid: 462, stack limit = 0xc7d48268)
+Stack: (0xc7d49db8 to 0xc7d4a000)
+9da0:                                                       c03baed4
00000150
+9dc0: 00000007 0000032c 00000001 c003c3ac 0000000c 00000000 c7d49e18
c0399a20
+9de0: 00000000 00000000 0000000c 00000000 c7d48000 00000001 00000001
c0081318
+9e00: c039ccc8 0000000c c0399a20 00000001 00000000 c00834c8 0000000c
00000000
+9e20: 00000001 c002906c ffffffff fa0fe000 00000001 c0029ac8 c7d5ed24
c7d5ed24
+9e40: c7d49e68 00000001 c7d57320 c7d64400 00000001 c7d5ed24 c7d49e90
c7d48000
+9e60: 00000001 00000001 00000ffe c7d49e80 c0215fa8 c0215ffc 60000013
ffffffff
+9e80: 00000001 29e8d608 c7d57320 c7d49ea4 c7d49ea4 c7d49efc 00000000
c7d49e64
+9ea0: c0210128 00000011 00000022 00000000 00000000 00000000 00000000
000000b5
+9ec0: 00000000 ffffff92 c7d49efc c7d49e90 0000000c 00000000 00000000
00000000
+9ee0: 00000000 00000000 0000049d 00000000 00000000 00000000 00000000
05f5e100
+9f00: 00000000 00000200 00000001 00000000 00000200 00000000 00000000
c7d49e90
+9f20: 00000001 c7d64800 c7eca800 c7d60980 c7d57320 c0171dc4 c7eca800
c7d60980
+9f40: c7d57320 00000000 000001b1 c01729a0 c7ec4e40 00000000 00000000
c7d48000
+9f60: c7ec4e40 00000000 c7d48000 c7ec4e40 00000000 c7d49f84 c7d57320
c0167680
+9f80: c7ec4e40 c7d48000 c7d5ed24 c7d5ed2c c7ec4e40 00000000 c7ec4fb0
00000001
+9fa0: c7d57320 c02169b8 00000000 c7c6be28 c7d49fd4 c02168c0 c7d5ed24
00000000
+9fc0: 00000000 00000000 00000000 c00692dc 00000000 00000000 c7d49fd8
c7d49fd8
+9fe0: 00000000 00000000 00000000 00000000 00000000 c002af04 00000000
00000000
+[<c0219504>] (mmc_omap_dma_cb+0xb8/0x174) from [<c003c3ac>]
(omap2_dma_irq_handler+0x240/0x294)
+[<c003c3ac>] (omap2_dma_irq_handler+0x240/0x294) from [<c0081318>]
(handle_IRQ_event+0x24/0xe4)
+[<c0081318>] (handle_IRQ_event+0x24/0xe4) from [<c00834c8>]
(handle_level_irq+0xd4/0x16c)
+[<c00834c8>] (handle_level_irq+0xd4/0x16c) from [<c002906c>]
(asm_do_IRQ+0x6c/0x8c)
+[<c002906c>] (asm_do_IRQ+0x6c/0x8c) from [<c0029ac8>] (__irq_svc+0x48/0xac)
+Exception stack(0xc7d49e38 to 0xc7d49e80)
+9e20:                                                       c7d5ed24
c7d5ed24
+9e40: c7d49e68 00000001 c7d57320 c7d64400 00000001 c7d5ed24 c7d49e90
c7d48000
+9e60: 00000001 00000001 00000ffe c7d49e80 c0215fa8 c0215ffc 60000013
ffffffff
+[<c0029ac8>] (__irq_svc+0x48/0xac) from [<c0215ffc>]
(mmc_blk_issue_rq+0x240/0x590)
+[<c0215ffc>] (mmc_blk_issue_rq+0x240/0x590) from [<c02169b8>]
(mmc_queue_thread+0xf8/0xfc)
+[<c02169b8>] (mmc_queue_thread+0xf8/0xfc) from [<c00692dc>]
(kthread+0x78/0x80)
+[<c00692dc>] (kthread+0x78/0x80) from [<c002af04>]
(kernel_thread_exit+0x0/0x8)
+Code: e59f00c0 eafffff0 e3110020 08bd81f0 (e5931018)
+---[ end trace 1b75b31a2719ed20 ]---
+Kernel panic - not syncing: Fatal exception in interrupt

Trace diff:

@@ -245,6 +247,7 @@
  16-bit register 0x000004
  16-bit register 0x000003
  16-bit register 0x000004
+sdcard_reset
  Read-only register 0x0002c8
  Read-only register 0x0002c8
  Read-only register 0x0002c8
@@ -308,10 +311,6 @@
 sdcard_response RESP#1 (normal cmd) (sz:4)
 sdcard_app_command SD           SET_BUS_WIDTH/ACMD06 arg 0x00000002
(state transfer)
 sdcard_response RESP#1 (normal cmd) (sz:4)
- Bad register 0x000034
- Bad register 0x000034
- Bad register 0x000034
- Bad register 0x000034
 sdcard_normal_command SD  READ_MULTIPLE_BLOCK/ CMD18 arg 0x00000000
(state transfer)
 sdcard_response RESP#1 (normal cmd) (sz:4)
 sdcard_read_block addr 0x0 size 0x200
@@ -325,532 +324,17 @@
 sdcard_read_block addr 0xe00 size 0x200
 sdcard_normal_command SD    STOP_TRANSMISSION/ CMD12 arg 0x00000000
(state sendingdata)
 sdcard_response RESP#1 (normal cmd) (sz:4)
+ Bad register 0x000034
+ Bad register 0x000034
+ Bad register 0x000034
+ Bad register 0x000034
 sdcard_normal_command SD          SEND_STATUS/ CMD13 arg 0x45670000
(state transfer)
 sdcard_response RESP#1 (normal cmd) (sz:4)
-sdcard_normal_command SD  READ_MULTIPLE_BLOCK/ CMD18 arg 0x00000022
(state transfer)
-sdcard_response RESP#1 (normal cmd) (sz:4)
-sdcard_read_block addr 0x4400 size 0x200
- Read-only register 0x000038
-sdcard_read_block addr 0x4600 size 0x200
-sdcard_normal_command SD    STOP_TRANSMISSION/ CMD12 arg 0x00000000
(state sendingdata)
-sdcard_response RESP#1 (normal cmd) (sz:4)
-sdcard_normal_command SD  READ_MULTIPLE_BLOCK/ CMD18 arg 0x00000020
(state transfer)
-sdcard_response RESP#1 (normal cmd) (sz:4)
-sdcard_read_block addr 0x4000 size 0x200
...

With this patch the N810 boots.

Regards,

Phil.

Philippe Mathieu-Daudé (1):
  hw/sd/omap_mmc: Split 'pseudo-reset' from 'power-on-reset'

 hw/sd/omap_mmc.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

-- 
2.18.0

[Qemu-devel] [PATCH for-3.0 1/1] hw/sd/omap_mmc: Split 'pseudo-reset' from 'power-on-reset'

[Philippe Mathieu-Daudé]

DeviceClass::reset models a "cold power-on" reset which can
also be use to powercycle a device; but there is no "hot reset"
(a.k.a. soft-reset) method available.

The OMAP MMC Power-Up Control bit is not designed to powercycle
a card, but to disable it without powering it off (pseudo-reset):

  Multimedia Card (MMC/SD/SDIO) Interface [SPRU765A]

  MMC_CON[11] Power-Up Control (POW)
  This bit must be set to 1 before any valid transaction to either
  MMC/SD or SPI memory cards.
  When 1, the card is considered powered-up and the controller core
  is enabled.
  When 0, the card is considered powered-down (system dependent),
  and the controller core logic is in pseudo-reset state. This is,
  the MMC_STAT flags and the FIFO pointers are reset, any access to
  MMC_DATA[DATA] has no effect, a write into the MMC.CMD register
  is ignored, and a setting of MMC_SPI[STR] to 1 is ignored.

By spliting the 'pseudo-reset' code out of the 'power-on' reset
function, this patch fixes a latent bug in omap_mmc_write(MMC_CON)i
recently exposed by ecd219f7abb.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
---
 hw/sd/omap_mmc.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/hw/sd/omap_mmc.c b/hw/sd/omap_mmc.c
index 671264b650..d0c98ca021 100644
--- a/hw/sd/omap_mmc.c
+++ b/hw/sd/omap_mmc.c
@@ -1,6 +1,8 @@
 /*
  * OMAP on-chip MMC/SD host emulation.
  *
+ * Datasheet: TI Multimedia Card (MMC/SD/SDIO) Interface (SPRU765A)
+ *
  * Copyright (C) 2006-2007 Andrzej Zaborowski  <balrog@zabor.org>
  *
  * This program is free software; you can redistribute it and/or
@@ -278,6 +280,12 @@ static void omap_mmc_update(void *opaque)
     omap_mmc_interrupts_update(s);
 }
 
+static void omap_mmc_pseudo_reset(struct omap_mmc_s *host)
+{
+    host->status = 0;
+    host->fifo_len = 0;
+}
+
 void omap_mmc_reset(struct omap_mmc_s *host)
 {
     host->last_cmd = 0;
@@ -286,11 +294,9 @@ void omap_mmc_reset(struct omap_mmc_s *host)
     host->dw = 0;
     host->mode = 0;
     host->enable = 0;
-    host->status = 0;
     host->mask = 0;
     host->cto = 0;
     host->dto = 0;
-    host->fifo_len = 0;
     host->blen = 0;
     host->blen_counter = 0;
     host->nblk = 0;
@@ -305,6 +311,8 @@ void omap_mmc_reset(struct omap_mmc_s *host)
     qemu_set_irq(host->coverswitch, host->cdet_state);
     host->clkdiv = 0;
 
+    omap_mmc_pseudo_reset(host);
+
     /* Since we're still using the legacy SD API the card is not plugged
      * into any bus, and we must reset it manually. When omap_mmc is
      * QOMified this must move into the QOM reset function.
@@ -459,7 +467,7 @@ static void omap_mmc_write(void *opaque, hwaddr offset,
         if (s->dw != 0 && s->lines < 4)
             printf("4-bit SD bus enabled\n");
         if (!s->enable)
-            omap_mmc_reset(s);
+            omap_mmc_pseudo_reset(s);
         break;
 
     case 0x10:	/* MMC_STAT */
-- 
2.18.0

Re: [Qemu-devel] [PATCH for-3.0 1/1] hw/sd/omap_mmc: Split 'pseudo-reset' from 'power-on-reset'

[Peter Maydell]

On 6 July 2018 at 17:21, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
> DeviceClass::reset models a "cold power-on" reset which can
> also be use to powercycle a device; but there is no "hot reset"
> (a.k.a. soft-reset) method available.
>
> The OMAP MMC Power-Up Control bit is not designed to powercycle
> a card, but to disable it without powering it off (pseudo-reset):
>
>   Multimedia Card (MMC/SD/SDIO) Interface [SPRU765A]
>
>   MMC_CON[11] Power-Up Control (POW)
>   This bit must be set to 1 before any valid transaction to either
>   MMC/SD or SPI memory cards.
>   When 1, the card is considered powered-up and the controller core
>   is enabled.
>   When 0, the card is considered powered-down (system dependent),
>   and the controller core logic is in pseudo-reset state. This is,
>   the MMC_STAT flags and the FIFO pointers are reset, any access to
>   MMC_DATA[DATA] has no effect, a write into the MMC.CMD register
>   is ignored, and a setting of MMC_SPI[STR] to 1 is ignored.

This text says that the card "is considered powered-down (system
dependent)", so it's not entirely invalid to reset the card here.
Still, if the guests get confused by it I guess that the n8x0
systems didn't do that, and certainly resetting the other parts
of the controller state is wrong.

Strictly I guess we should also check the enable flag for the other
things this text calls out:
 * accesses to MMC_DATA[DATA]
 * writes to MMC.CMD (we already do this)
 * setting MMC_SPI[STR] to 1 (we don't emulate MMC_SPI)

but we should probably consider that a separate bug. (And the
n8x0 boards are pretty much unmaintained currently, so I don't
care very much whether we fix it or not. I don't have any working
test images -- I have one of uncertain vintage which seems to
be flaky when it gets to the mmc card init, but I think it
makes a bit more progress with this patch now.)

Applied to target-arm.next, thanks.

thanks
-- PMM

Re: [Qemu-devel] [PATCH for-3.0 0/1] Fix the Nokia N810 tablet MMC

[Peter Maydell]

On 6 July 2018 at 17:21, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
> Hi Peter,
>
> This bug was previously reported here:
> http://lists.nongnu.org/archive/html/qemu-devel/2018-06/msg01824.html
>
> Diff before/after ecd219f7abb using -append "console=ttyS1 printk.time=0"
> option to boot http://people.linaro.org/~peter.maydell/n8x0-images.tgz
>
>  mmci-omap mmci-omap.0: command timeout (CMD5)
>  mmc0: host does not support reading read-only switch. assuming
> write-enable.
>  mmc0: new SDHC card at address 4567
> -Waiting for root device /dev/mmcblk0p1...
>  mmcblk0: mmc0:4567 QEMU! 1.81 GiB
>   mmcblk0: p1 p2
> -EXT3-fs: barriers not enabled
> -EXT3-fs (mmcblk0p1): mounted filesystem with writeback data mode
> -VFS: Mounted root (ext3 filesystem) readonly on device 179:1.
> -kjournald starting.  Commit interval 5 seconds
> -devtmpfs: mounted
> -Freeing init memory: 132K
> -mmci-omap mmci-omap.0: command timeout (CMD52)
> -mmci-omap mmci-omap.0: command timeout (CMD52)
> -mmci-omap mmci-omap.0: command timeout (CMD8)
> -mmci-omap mmci-omap.0: command timeout (CMD5)
> -mmci-omap mmci-omap.0: command timeout (CMD5)
> -mmci-omap mmci-omap.0: command timeout (CMD5)
> -mmci-omap mmci-omap.0: command timeout (CMD5)
> -mmci-omap mmci-omap.0: command timeout (CMD55)
> -mmci-omap mmci-omap.0: command timeout (CMD55)
> -mmci-omap mmci-omap.0: command timeout (CMD55)
> -mmci-omap mmci-omap.0: command timeout (CMD55)
> -mmci-omap mmci-omap.0: command timeout (CMD1)

FWIW my n8x0 image still produces these command timeout complaints
even with your patch (and it doesn't oops either way). Probably
just a different kernel version.

thanks
-- PMM