port-evbarm/53503: dwctwo(4) panic triggered by usmsc(4) only in aarch64 mode

[rokuyama%rk.phys.keio.ac.jp@localhost]

>Number:         53503
>Category:       port-evbarm
>Synopsis:       dwctwo(4) panic triggered by usmsc(4) only in aarch64 mode
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-evbarm-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Aug 06 12:05:00 +0000 2018
>Originator:     Rin Okuyama
>Release:        8.99.23
>Organization:
School of Science and Technology, Meiji University
>Environment:
NetBSD rpi3b 8.99.23 NetBSD 8.99.23 (RPI3-64) #2: Mon Aug  6 20:36:22 JST 2018  rin@latipes:/var/build/obj/sys/arch/evbarm/compile.evbarm-aarch64/RPI3-64 evbarm aarch64
>Description:
On Raspberry Pi 3 Model B running in aarch64 mode, reproducible
diagnostic assertion failure occurs in dwctwo(4) code:

    % ifconfig usmsc0 up
    panic: kernel diagnostic assertion "len > 0 && offset + len <= map->dm_mapsize" failed: file "/var/build/src/sys/arch/arm/arm32/bus_dma.c", line 1054 len 0 offset 0 mapsize 20480
    cpu0: Begin traceback...
    trace fp ffffffc047bfa980
    fp ffffffc047bfa9a0 vpanic() at ffffffc0003354e0 netbsd:vpanic+0x190
    fp ffffffc047bfaa00 kern_assert() at ffffffc000445840 netbsd:kern_assert+0x58
    fp ffffffc047bfaa90 _bus_dmamap_sync() at ffffffc000013714 netbsd:_bus_dmamap_sync+0x10c
    fp ffffffc047bfab10 dwc2_host_complete() at ffffffc0002056b4 netbsd:dwc2_host_complete+0x13c
    fp ffffffc047bfab50 dwc2_hc_xfercomp_intr() at ffffffc00020e718 netbsd:dwc2_hc_xfercomp_intr+0x3a8
    fp ffffffc047bfaba0 dwc2_handle_hcd_intr() at ffffffc00020f324 netbsd:dwc2_handle_hcd_intr+0x4a4
    fp ffffffc047bfac20 dwc2_intr() at ffffffc00020526c netbsd:dwc2_intr+0xfc
    fp ffffffc047bfac50 pic_dispatch() at ffffffc0000026bc netbsd:pic_dispatch+0x84
    fp ffffffc047bfac80 pic_do_pending_ints() at ffffffc000002b50 netbsd:pic_do_pending_ints+0x380
    fp ffffffc047bfae28 cpu_idle() at ffffffc000023aa8 netbsd:cpu_idle+0x3c
    fp ffffffc047bfae70 idle_loop() at ffffffc0002e8594 netbsd:idle_loop+0x194
    cpu0: End traceback...
    rebooting...

This panic does not take place in aarch32 mode (evbearmv7hf-el)
on the same h/w.

The followings are full dmesg's as well as kernel config files:

http://www.netbsd.org/~rin/dmesg-aarch64-20180806
http://www.netbsd.org/~rin/RPI3-64

http://www.netbsd.org/~rin/dmesg-aarch32-20180806
http://www.netbsd.org/~rin/RPI3
>How-To-Repeat:
Boot RPI3 Model B in aarch64 mode, then "ifconfig usmsc0 up"
triggers panic. In aarch32 mode (evbearmv7hf-el), the panic
does not occur in the same procedure. Also, axen(4) works fine
both in aarch64 and 32 modes.
>Fix:
A straightforward workaround should be:

Index: sys/external/bsd/dwc2/dwc2.c
===================================================================
RCS file: /home/netbsd/src/sys/external/bsd/dwc2/dwc2.c,v
retrieving revision 1.49
diff -p -u -r1.49 dwc2.c
--- sys/external/bsd/dwc2/dwc2.c	9 Apr 2018 16:21:11 -0000	1.49
+++ sys/external/bsd/dwc2/dwc2.c	6 Aug 2018 11:35:38 -0000
@@ -1475,7 +1475,8 @@ void dwc2_host_complete(struct dwc2_hsot
 		 * everything else does.
 		 */
 		if (!(xfertype == UE_CONTROL &&
-		    UGETW(xfer->ux_request.wLength) == 0)) {
+		    UGETW(xfer->ux_request.wLength) == 0) &&
+		    xfer->ux_actlen > 0) {
 			int rd = usbd_xfer_isread(xfer);
 
 			usb_syncmem(&xfer->ux_dmabuf, 0, xfer->ux_actlen,

This works for me; usmsc(4) and other USB devices work fine,
and it does not harm aarch32 mode, as far as I can see.
Although I'm not sure whether this is the right fix...