SKU295 one-off hang in Open Firmware after Linux reboot

[Quozl]

An SKU295 hung in Open Firmware after Linux reboot, just after printing releasing.

On pressing the keyboard interrupt key, a Data Abort was shown. The Data Abort was not shown until that.

Serial log:

http://dev.laptop.org/~quozl/z/1TtVYE.txt

Possibly related to #12183

Registers:

ok .registers
       r0       r1       r2       r3       r4       r5       r6       r7
       e0        1       1c ffffffff fdac2f86 fdac2810        0 fda00080

       r8    r9/up  r10/tos r11/rp/fp  r12/ip   r13/sp   r14/lr       pc
 fdb3aea0 fda000a0 fb3fa9f0 fd9ff308 fdac264c fd9ff148 fdac23d0 fda05088

       PSR = NzCvIFt_IRQ32
ok select /keyboard q . head @ . tail @ .
fd9fd280 63 63
ok 

[Quozl]

(edit description, dereferencing head and tail variables)

[Quozl]

The cause was corruption of heap when an allocation occurs, and the allocator is interrupted by an alarm handler which also makes an allocation. The allocator is apparently not re-entrant, and the results are either the same address returned to both callers, or corruption of the linked list.

http://dev.laptop.org/~quozl/q7b14ja.rom has a potential fix, which:

• allocates from heap during driver open rather than during an alarm handler, for the /ap-sp, /keyboard, and /usb/keyboard drivers,
• turns on the storage LED during the keyboard alarm handler,
• enters the debugger if a key is pressed on the serial port while the SDHCI driver is waiting for a command to complete.

[Quozl]

Tested on four units over several days. Fixed in svn 3533.

[Quozl]

Is in Q7B15.