vc4-kms: Rework HPD #4716

6by9 · 2021-11-19T16:43:00Z

Patches 1 & 3 should probably be applied anyway, but patch 2 is for @popcornmix to test for his weird CEC/power cycling issue.

popcornmix · 2021-11-22T11:45:45Z

@6by9 tested at the weekend and cec was fine, and after switching off the TV, it (or receiver) didn't switch back on.

6by9 · 2021-11-22T12:03:12Z

As discussed with @mripard in #4371, reinstating the ddc_probe will break scrambling being reset after power off if the monitor still reports the EDID, therefore it is not a solution.

#4371 (comment)
Logs needed, and some information on what CEC actions (if any) userspace is taking on seeing the connection being re-established.

mripard · 2021-11-23T09:47:13Z

Yeah, I think we need to figure out what happens on the CEC bus in such a case to find a good solution

popcornmix · 2021-11-23T11:41:01Z

With default 5.10 kernel here are logs of:
dmesg, cec-ctl, and kodi.log
My AVR switches back on unwantedly here.

With this PR added, which avoids the AVR switching back on the logs look like:
dmesg, cec-ctl, and kodi.log

6by9 · 2021-11-23T12:32:11Z

Looking at those logs confirms that the AVR deasserts HPD, but the EDID is still readable.

[   21.453379] [drm:_drm_connector_helper_hpd_irq_event] [CONNECTOR:32:HDMI-A-1] status updated from connected to disconnected

in the 5.10 kernel logs, vs numerous

[drm:_drm_connector_helper_hpd_irq_event] [CONNECTOR:32:HDMI-A-1] status updated from connected to connected

messages in the normal log ie the IRQ has triggered, but no change has been reported, presumably as it read the EDID.

In both Kodi logs we have:
CecLogMessage - << powering on 'TV' (0)
but I'm guessing that's a start of day power on.

With PR

2021-11-23 11:36:00.136 T:836     DEBUG <general>: CecLogMessage - CLinuxCECAdapterCommunication::Process - ioctl CEC_RECEIVE - rx_status=01 len=8 addr=0f opcode=a0
2021-11-23 11:36:00.136 T:836     DEBUG <general>: CecLogMessage - >> 0f:a0:00:80:45:20:01:11
2021-11-23 11:36:00.136 T:836     DEBUG <general>: CecLogMessage - TV (0): power status changed from 'on' to 'standby'
2021-11-23 11:36:00.136 T:836     DEBUG <general>: CecLogMessage - >> TV (0) -> Broadcast (F): vendor command with id (A0)
2021-11-23 11:36:00.205 T:836     DEBUG <general>: CecLogMessage - CLinuxCECAdapterCommunication::Process - ioctl CEC_RECEIVE - rx_status=01 len=2 addr=0f opcode=36
2021-11-23 11:36:00.205 T:836     DEBUG <general>: CecLogMessage - >> 0f:36
2021-11-23 11:36:00.205 T:836     DEBUG <general>: CecLogMessage - >> TV (0) -> Broadcast (F): standby (36)
2021-11-23 11:36:00.659 T:833     DEBUG <general>: [plugin.video.youtube] send_notification: |check_settings| -> |{"use_httpd": true, "httpd_port": 50152, "whitelist": "", "httpd_address": "0.0.0.0"}|
2021-11-23 11:36:00.673 T:836     DEBUG <general>: CecLogMessage - CLinuxCECAdapterCommunication::Process - ioctl CEC_RECEIVE - rx_status=01 len=2 addr=0f opcode=36
2021-11-23 11:36:00.676 T:836     DEBUG <general>: CecLogMessage - >> 0f:36

Without PR

021-11-23 11:02:24.034 T:833     DEBUG <general>: CecLogMessage - >> 0f:a0:00:80:45:20:01:11
2021-11-23 11:02:24.034 T:833     DEBUG <general>: CecLogMessage - TV (0): power status changed from 'on' to 'standby'
2021-11-23 11:02:24.034 T:833     DEBUG <general>: CecLogMessage - >> TV (0) -> Broadcast (F): vendor command with id (A0)
2021-11-23 11:02:24.087 T:833     DEBUG <general>: CecLogMessage - CLinuxCECAdapterCommunication::Process - ioctl CEC_RECEIVE - rx_status=01 len=2 addr=0f opcode=36
2021-11-23 11:02:24.087 T:833     DEBUG <general>: CecLogMessage - >> 0f:36
2021-11-23 11:02:24.087 T:833     DEBUG <general>: CecLogMessage - >> TV (0) -> Broadcast (F): standby (36)
...
2021-11-23 11:02:24.277 T:833     DEBUG <general>: CecLogMessage - CLinuxCECAdapterCommunication::Process - ioctl CEC_RECEIVE - rx_status=01 len=7 addr=04 opcode=a0
2021-11-23 11:02:24.285 T:833     DEBUG <general>: CecLogMessage - >> 04:a0:00:80:45:06:05
2021-11-23 11:02:24.285 T:833     DEBUG <general>: CecLogMessage - >> TV (0) -> Playback 1 (4): vendor command with id (A0)
2021-11-23 11:02:24.286 T:833     DEBUG <general>: CecLogMessage - TV (0): power status changed from 'standby' to 'on'
2021-11-23 11:02:24.287 T:833     DEBUG <general>: CecLogMessage - << Playback 1 (4) -> broadcast (F): active source (2400)
2021-11-23 11:02:24.288 T:833     DEBUG <general>: CecLogMessage - << 4f:82:24:00
2021-11-23 11:02:24.390 T:833     DEBUG <general>: CecLogMessage - CLinuxCECAdapterCommunication::Write - ioctl CEC_TRANSMIT - tx_status=01 len=4 addr=4f opcode=82
2021-11-23 11:02:24.421 T:833     DEBUG <general>: CecLogMessage - CLinuxCECAdapterCommunication::Process - CEC_DQEVENT - CEC_EVENT_STATE_CHANGE - log_addr_mask=0000 phys_addr=ffff

Does the AVR turn back on if Kodi isn't running? Is it the kernel actions, or related to having CEC active?
HPD disconnect calls cec_phys_addr_invalidate, and connection calls cec_s_phys_addr_from_edid (although you appear to be using a static EDID - drm.edid_firmware=HDMI-A-1:edid/edid-HDMI-A-1.bin video=HDMI-A-1:D). cec_s_phys_addr_from_edid certainly triggers a notification to userspace.
Time to read the CEC spec to work out whether that is the correct behaviour.

If you disconnect the HDMI lead from the Pi, turn the AVR and TV off, then plug back in, does the AVR/TV wake up?

I'm definitely agreeing with mripard though - reinstating that ddc_probe is the wrong solution and will cause issues with scrambling. This looks to be a CEC connection issue that the ddc_probe was masking.

6by9 · 2021-11-23T14:54:18Z

Kodi has done it

2021-11-23 11:02:24.287 T:833     DEBUG <general>: CecLogMessage - << Playback 1 (4) -> broadcast (F): active source (2400)
2021-11-23 11:02:24.288 T:833     DEBUG <general>: CecLogMessage - << 4f:82:24:00
2021-11-23 11:02:24.390 T:833     DEBUG <general>: CecLogMessage - CLinuxCECAdapterCommunication::Write - ioctl CEC_TRANSMIT - tx_status=01 len=4 addr=4f opcode=82

HDMI 1.4 spec. Supplement 1. CEC Table 8 Message Descriptions for the One Touch Play Feature
Opcode:
Value: 0x82
Description: "Used by a new source to indicate that it has started to transmit a stream OR used in response to a "
Response: "A current active source should take appropriate action. TV should switch to the appropriate input. Any CEC switches between source and root shall switch to the appropriate input and come out of the Standby state if necessary"

The TV and CEC switch have therefore done the appropriate thing and come out of standby.

popcornmix · 2021-11-23T14:59:19Z

This will be libcec rather than kodi. I'm guessing it is thinking things have powered on (rather than off) and is sending the active source. But we weren't really powering on.

6by9 · 2021-11-23T15:17:20Z

A backtrace in CCECBusDevice::SetPowerStatus to see why we get
CecLogMessage - TV (0): power status changed from 'standby' to 'on'
logged would tell us a lot.

The log lines just before the are

2021-11-23 11:02:24.277 T:833     DEBUG <general>: CecLogMessage - CLinuxCECAdapterCommunication::Process - ioctl CEC_RECEIVE - rx_status=01 len=7 addr=04 opcode=a0
2021-11-23 11:02:24.285 T:833     DEBUG <general>: CecLogMessage - >> 04:a0:00:80:45:06:05
2021-11-23 11:02:24.285 T:833     DEBUG <general>: CecLogMessage - >> TV (0) -> Playback 1 (4): vendor command with id (A0)
2021-11-23 11:02:24.286 T:833     DEBUG <general>: CecLogMessage - TV (0): power status changed from 'standby' to 'on'
2021-11-23 11:02:24.287 T:833     DEBUG <general>: CecLogMessage - << Playback 1 (4) -> broadcast (F): active source (2400)
2021-11-23 11:02:24.288 T:833     DEBUG <general>: CecLogMessage - << 4f:82:24:00

I don't see that vendor command triggering an message or power status change, but it's also not easy to follow the flow from just reading the source.

popcornmix · 2021-11-24T10:41:18Z

Does the AVR turn back on if Kodi isn't running?

No.

If you disconnect the HDMI lead from the Pi, turn the AVR and TV off, then plug back in, does the AVR/TV wake up?

TV and AVR on. Disconnected HDMI lead. Switched off TV (AVR switched off automatically). Plugged back in hdmi and TV and AVR came on automatically.

popcornmix · 2021-11-24T11:18:34Z

CCECBusDevice::SetPowerStatus gets called very frequently, without a change.
Just breakpointing within the if ( changed ) code it gets called twice when I power off TV

Thread 79 "CECAdapter" hit Breakpoint 2, CEC::CCECBusDevice::SetPowerStatus (this=0xede2cc70, powerStatus=CEC::CEC_POWER_STATUS_STANDBY) at ../src/libcec/devices/CECBusDevice.cpp:699
699	in ../src/libcec/devices/CECBusDevice.cpp
#0  CEC::CCECBusDevice::SetPowerStatus (this=0xede2cc70, powerStatus=CEC::CEC_POWER_STATUS_STANDBY) at ../src/libcec/devices/CECBusDevice.cpp:699
#1  0xf7d6e8c4 in CEC::CVLCommandHandler::HandleDeviceVendorCommandWithId (this=0xee8b1e40, command=...) at ../src/libcec/implementations/VLCommandHandler.cpp:165
#2  0xf7d6a0d8 in CEC::CCECCommandHandler::HandleCommand (command=..., this=<optimized out>) at ../src/libcec/implementations/CECCommandHandler.cpp:188
#3  CEC::CCECCommandHandler::HandleCommand (this=0xee8b1e40, command=...) at ../src/libcec/implementations/CECCommandHandler.cpp:71
#4  0xf7d65734 in CEC::CCECBusDevice::HandleCommand (this=0xede2cc70, command=...) at ../src/libcec/devices/CECBusDevice.cpp:269
#5  0xf7d55000 in CEC::CCECProcessor::Process (this=0xc907b360) at ../src/libcec/CECProcessor.cpp:278
#6  0xf7d51ad4 in P8PLATFORM::CThread::ThreadHandler (_thread=0xc907b360) at /home/dom/projects/LibreELEC.tv/build.LibreELEC-RPi4.arm-10.0-devel-debug/toolchain/armv8a-libreelec-linux-gnueabihf/sysroot/usr/include/p8-platform/threads/threads.h:65
#7  0xf7e89d64 in start_thread (arg=0xea309200) at pthread_create.c:463

Thread 79 "CECAdapter" hit Breakpoint 2, CEC::CCECBusDevice::SetPowerStatus (this=0xede2cc70, powerStatus=CEC::CEC_POWER_STATUS_ON) at ../src/libcec/devices/CECBusDevice.cpp:699
699	in ../src/libcec/devices/CECBusDevice.cpp
#0  CEC::CCECBusDevice::SetPowerStatus (this=0xede2cc70, powerStatus=CEC::CEC_POWER_STATUS_ON) at ../src/libcec/devices/CECBusDevice.cpp:699
#1  0xf7d6e768 in CEC::CVLCommandHandler::HandleDeviceVendorCommandWithId (this=0xee8b1e40, command=...) at ../src/libcec/implementations/VLCommandHandler.cpp:126
#2  0xf7d6a0d8 in CEC::CCECCommandHandler::HandleCommand (command=..., this=<optimized out>) at ../src/libcec/implementations/CECCommandHandler.cpp:188
#3  CEC::CCECCommandHandler::HandleCommand (this=0xee8b1e40, command=...) at ../src/libcec/implementations/CECCommandHandler.cpp:71
#4  0xf7d65734 in CEC::CCECBusDevice::HandleCommand (this=0xede2cc70, command=...) at ../src/libcec/devices/CECBusDevice.cpp:269
#5  0xf7d55000 in CEC::CCECProcessor::Process (this=0xc907b360) at ../src/libcec/CECProcessor.cpp:278
#6  0xf7d51ad4 in P8PLATFORM::CThread::ThreadHandler (_thread=0xc907b360) at /home/dom/projects/LibreELEC.tv/build.LibreELEC-RPi4.arm-10.0-devel-debug/toolchain/armv8a-libreelec-linux-gnueabihf/sysroot/usr/include/p8-platform/threads/threads.h:65
#7  0xf7e89d64 in start_thread (arg=0xea309200) at pthread_create.c:463

6by9 · 2021-11-24T12:15:45Z

HandleDeviceVendorCommandWithId looks weird.
Analysing the command 04:a0:00:80:45:06:05. 4 payload bytes, opcode 0xa0 (vendor command with ID).
CEC_VENDOR_PANASONIC = 0x008045,
0x06 then appears to be VL_UNKNOWN1, and 0x05 some parameter.

Why libcec has specific handling for this Panasonic specific vendor command is odd, but it seems to date back to
Pulse-Eight/libcec@b78b4e3,
Pulse-Eight/libcec@344cddb, Pulse-Eight/libcec@9ee5e8f and
Pulse-Eight/libcec@a085bea ("vendor command 06:05 was commented out for panasonic because it was reported to be sent on power off too. i don't see that in the field, and it prevented resume from standby from working correctly.")

I'll hook the LG up again with a LibreElec image and see what it does.

6by9 · 2021-11-24T18:32:25Z

So the LG uses a different command handler in the src/libcec/implementations directory - these appear to be the vendor specific implementations, and https://github.com/Pulse-Eight/libcec/blob/master/src/libcec/devices/CECBusDevice.cpp#L198 chooses which one based on the vendor.

Looking at the cec-ctl logs when connecting a powered off TV and AVR to the Pi, the LibCEC powers both up immediately without receiving any messages from either.

Initial Event: State Change: PA: f.f.f.f, LA mask: 0x0000, Conn Info: yes



Event: State Change: PA: 1.1.0.0, LA mask: 0x0000, Conn Info: yes
Transmitted by Recording Device 1 to Recording Device 1 (1 to 1): POLL
Tx, Not Acknowledged (4), Max Retries

Event: State Change: PA: 1.1.0.0, LA mask: 0x0002, Conn Info: yes
Transmitted by Recording Device 1 to all (1 to 15): REPORT_PHYSICAL_ADDR (0x84):
phys-addr: 1.1.0.0
prim-devtype: record (0x01)
Transmitted by Recording Device 1 to all (1 to 15): DEVICE_VENDOR_ID (0x87):
vendor-id: 5506 (0x00001582)
Transmitted by Recording Device 1 to all (1 to 15): REPORT_PHYSICAL_ADDR (0x84):
phys-addr: 1.1.0.0
prim-devtype: record (0x01)
Transmitted by Recording Device 1 to TV (1 to 0): IMAGE_VIEW_ON (0x04)
Transmitted by Recording Device 1 to all (1 to 15): ACTIVE_SOURCE (0x82):
phys-addr: 1.1.0.0

(warn: State Change events were lost)
Event: State Change: PA: f.f.f.f, LA mask: 0x0000, Conn Info: yes

Event: State Change: PA: 1.1.0.0, LA mask: 0x0000, Conn Info: yes
Transmitted by Recording Device 1 to Recording Device 1 (1 to 1): POLL
Tx, Aborted, Max Retries

(warn: State Change events were lost)
Event: State Change: PA: f.f.f.f, LA mask: 0x0000, Conn Info: yes

IMAGE_VIEW_ON and ACTIVE_SOURCE oblige the TV to wake up.
Knowing why libCEC sends those commands needs extra logging or a debugger connected to libcec.

There is a Kodi option called something like "Wake devices up on startup", which may be what is causing libcec to be tricked by the HPD signal.

The existing logic was flawed in that it could try reading the 2711 specific registers for HPD on a CM1/3 where the HPD GPIO hadn't been defined in DT. Ensure we don't do the 2711 register read on invalid hardware, and then Signed-off-by: Dave Stevenson <[email protected]>

6by9 · 2021-11-26T12:21:37Z

Rebased and dropped patch 2 (adding back the ddc_probe).

@mripard could you give a quick review to ensure you agree with these?

mripard · 2021-11-26T13:19:59Z

The code looks good to me

Your second patch is going to conflict with https://lore.kernel.org/dri-devel/[email protected]/

Both are serving a similar purpose, but the upstream one is probably going to be easier to deal with when rebasing? Anyway, your call :)

6by9 · 2021-11-26T14:22:06Z

OK, I'll drop patch 2 as your version (which it looks like I still need to review!) does do the same job. It was only a cleanup anyway.

6by9 · 2021-11-26T14:24:59Z

Patch 2 dropped. Good to go it seems.

See: raspberrypi/linux#4736 kernel: vc4-kms: Rework HPD See: raspberrypi/linux#4716 kernel: drm/vc4: Add support for composite syncs to vc4_dpi See: raspberrypi/linux#4733 kernel: Pass V4L2_CID_MPEG_VIDEO_H264_MIN_QP/MAX_QP to bcm2835-v4l2-codec See: raspberrypi/linux#4705 kernel: media: i2c: ov5647: Support HFLIP and VFLIP See: raspberrypi/linux#4731 kernel: drivers: bcm2835_isp: Fix div by 0 bug See: raspberrypi/linux#4732 kernel: drivers: bcm2835_isp: Allow multiple users for the ISP driver. See: raspberrypi/linux#4709 kernel: ARM: dts: Update rpi-400 and cm4 dts to match 4-b kernel: ARM: dts: gpio-ranges property is now required See: https://forums.raspberrypi.com/viewtopic.php?t=324585 kernel: ARM: dts: bcm2711: Fix PCIe interrupts See: raspberrypi/linux#4666

This fixes the following trace: ================================================================== BUG: KASAN: slab-use-after-free in hci_conn_del+0xba/0x3a0 Write of size 8 at addr ffff88800208e9c8 by task iso-tester/31 CPU: 0 PID: 31 Comm: iso-tester Not tainted 6.3.0-rc2-g991aa4a69a47 #4716 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc36 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x1d/0x70 print_report+0xce/0x610 ? __virt_addr_valid+0xd4/0x150 ? hci_conn_del+0xba/0x3a0 kasan_report+0xdd/0x110 ? hci_conn_del+0xba/0x3a0 hci_conn_del+0xba/0x3a0 hci_conn_hash_flush+0xf2/0x120 hci_dev_close_sync+0x388/0x920 hci_unregister_dev+0x122/0x260 vhci_release+0x4f/0x90 __fput+0x102/0x430 task_work_run+0xf1/0x160 ? __pfx_task_work_run+0x10/0x10 ? mark_held_locks+0x24/0x90 exit_to_user_mode_prepare+0x170/0x180 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x4e/0x90 entry_SYSCALL_64_after_hwframe+0x70/0xda Fixes: 0f00cd3 ("Bluetooth: Free potentially unfreed SCO connection") Link: https://syzkaller.appspot.com/bug?extid=8bb72f86fc823817bc5d Cc: <[email protected]> Signed-off-by: Luiz Augusto von Dentz <[email protected]>

commit 5dc7d23 upstream. This fixes the following trace: ================================================================== BUG: KASAN: slab-use-after-free in hci_conn_del+0xba/0x3a0 Write of size 8 at addr ffff88800208e9c8 by task iso-tester/31 CPU: 0 PID: 31 Comm: iso-tester Not tainted 6.3.0-rc2-g991aa4a69a47 #4716 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc36 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x1d/0x70 print_report+0xce/0x610 ? __virt_addr_valid+0xd4/0x150 ? hci_conn_del+0xba/0x3a0 kasan_report+0xdd/0x110 ? hci_conn_del+0xba/0x3a0 hci_conn_del+0xba/0x3a0 hci_conn_hash_flush+0xf2/0x120 hci_dev_close_sync+0x388/0x920 hci_unregister_dev+0x122/0x260 vhci_release+0x4f/0x90 __fput+0x102/0x430 task_work_run+0xf1/0x160 ? __pfx_task_work_run+0x10/0x10 ? mark_held_locks+0x24/0x90 exit_to_user_mode_prepare+0x170/0x180 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x4e/0x90 entry_SYSCALL_64_after_hwframe+0x70/0xda Fixes: 0f00cd3 ("Bluetooth: Free potentially unfreed SCO connection") Link: https://syzkaller.appspot.com/bug?extid=8bb72f86fc823817bc5d Cc: <[email protected]> Signed-off-by: Luiz Augusto von Dentz <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>

6by9 force-pushed the rpi-5.10.y-kms branch from d315d67 to 48904c9 Compare November 26, 2021 12:20

6by9 changed the title ~~WIP: vc4-kms: Rework HPD~~ vc4-kms: Rework HPD Nov 26, 2021

6by9 force-pushed the rpi-5.10.y-kms branch from 48904c9 to 72dfa57 Compare November 26, 2021 14:23

pelwell merged commit 6a58cb8 into raspberrypi:rpi-5.10.y Nov 26, 2021

vc4-kms: Rework HPD #4716

vc4-kms: Rework HPD #4716

Uh oh!

Conversation

6by9 commented Nov 19, 2021

Uh oh!

popcornmix commented Nov 22, 2021

Uh oh!

6by9 commented Nov 22, 2021

Uh oh!

mripard commented Nov 23, 2021

Uh oh!

popcornmix commented Nov 23, 2021

Uh oh!

6by9 commented Nov 23, 2021

Uh oh!

6by9 commented Nov 23, 2021

Uh oh!

popcornmix commented Nov 23, 2021

Uh oh!

6by9 commented Nov 23, 2021

Uh oh!

popcornmix commented Nov 24, 2021

Uh oh!

popcornmix commented Nov 24, 2021

Uh oh!

6by9 commented Nov 24, 2021

Uh oh!

6by9 commented Nov 24, 2021

Uh oh!

6by9 commented Nov 26, 2021

Uh oh!

mripard commented Nov 26, 2021

Uh oh!

6by9 commented Nov 26, 2021

Uh oh!

6by9 commented Nov 26, 2021

Uh oh!

Uh oh!