[#5532] request PJx on BF537 will cause buffer overflow

Document created by Aaronwu Employee on Sep 4, 2013


Submitted By: Barry Song

Open Date: 2009-09-14 03:12:10
Close Date: 2010-02-22 10:23:50
Priority: Medium
Assignee: Michael Hennerich
Status: Closed
Fixed In Release: N/A
Found In Release: 2010R1
Release:
Category: N/A
Board: N/A
Processor: BF537
Silicon Revision:
Is this bug repeatable?: Yes
Resolution: Fixed
Uboot version or rev.:
Toolchain version or rev.: 09R1_RC10
App binary format: N/A

Summary: request PJx on BF537 will cause buffer overflow

Details:

 

Except BF538/539, on BF537 requesting the following pins (including I2C/SPI/CAN/SPORT) will cause a buffer overflow too, since PORT_PJx is bigger than MAX_BLACKFIN_GPIOS (48).

#define P_MDC           (P_DEFINED | P_IDENT(PORT_PJ0) | P_FUNCT(0))
#define P_MDIO          (P_DEFINED | P_IDENT(PORT_PJ1) | P_FUNCT(0))
#define P_TWI0_SCL      (P_DEFINED | P_IDENT(PORT_PJ2) | P_FUNCT(0))
#define P_TWI0_SDA      (P_DEFINED | P_IDENT(PORT_PJ3) | P_FUNCT(0))
#define P_SPORT0_DRSEC  (P_DEFINED | P_IDENT(PORT_PJ4) | P_FUNCT(0))
#define P_SPORT0_DTSEC  (P_DEFINED | P_IDENT(PORT_PJ5) | P_FUNCT(0))
#define P_SPORT0_RSCLK  (P_DEFINED | P_IDENT(PORT_PJ6) | P_FUNCT(0))
#define P_SPORT0_RFS    (P_DEFINED | P_IDENT(PORT_PJ7) | P_FUNCT(0))
#define P_SPORT0_DRPRI  (P_DEFINED | P_IDENT(PORT_PJ8) | P_FUNCT(0))
#define P_SPORT0_TSCLK  (P_DEFINED | P_IDENT(PORT_PJ9) | P_FUNCT(0))
#define P_SPORT0_TFS    (P_DEFINED | P_IDENT(PORT_PJ10) | P_FUNCT(0))
#define P_SPORT0_DTPRI  (P_DEFINED | P_IDENT(PORT_PJ11) | P_FUNCT(0))
#define P_CAN0_RX       (P_DEFINED | P_IDENT(PORT_PJ4) | P_FUNCT(1))
#define P_CAN0_TX       (P_DEFINED | P_IDENT(PORT_PJ5) | P_FUNCT(1))
#define P_SPI0_SSEL3    (P_DEFINED | P_IDENT(PORT_PJ10) | P_FUNCT(1))
#define P_SPI0_SSEL2    (P_DEFINED | P_IDENT(PORT_PJ11) | P_FUNCT(1))
#define P_SPI0_SSEL7    (P_DEFINED | P_IDENT(PORT_PJ5) | P_FUNCT(2))

The problem exists on 09R1 release too.

 

Follow-ups

 

--- Yi Li                                                    2009-09-14 03:35:59

Using linux-kernel svn #7309, when the bfin_mac driver calls peripheral_request() for PortJ (P_MDC, P_MDIO), peripheral_request() will return failure and cause an exception. So either we need to change the bfin_mac driver or to change peripheral_request().

 

peripheral_request: the GPIO number 48 is bigger available GPIOs 48 !

bfin_mii_bus bfin_mii_bus.0: Requesting peripherals failed!

NULL pointer access

Kernel OOPS in progress

Deferred Exception context

CURRENT PROCESS:

COMM=swapper PID=1

CPU = 0

invalid mm

return address: [0x0010af76]; contents of:

0x0010af50:  5608  4340  0c00  1c48  3045  e3fd  1a6d  e53d

0x0010af60:  0015  0c45  1886  e12a  02c0  5bd4  3044  e52a

0x0010af70:  0014  e73a  001d [bd94] e3fd  1e78  0c00  3038

0x0010af80:  1444  3044  e3fe  5380  e140  0011  e100  4060

 

ADSP-BF537-0.2 500(MHz CCLK) 100(MHz SCLK) (mpu off)

Linux version 2.6.31-ADI-2010R1-pre-svn7309 (adam@adam-desktop) (gcc version 4.1.2 (ADI svn)) #134 Mon Sep 14 15:06:36 CST 2009

 

SEQUENCER STATUS:        Not tainted

SEQSTAT: 00000027  IPEND: 8008  IMASK: ffff  SYSCFG: 0006

  EXCAUSE   : 0x27

  physical IVG3 asserted : <0xffa006f8> { _trap + 0x0 }

  physical IVG15 asserted : <0xffa00fc8> { _evt_system_call + 0x0 }

  logical irq   6 mapped  : <0xffa00374> { _timer_interrupt + 0x0 }

RETE: <0x00000000> /* Maybe null pointer? */

RETN: <0x0201bea4> /* kernel dynamic memory */

RETX: <0x00000480> /* Maybe fixed code section */

RETS: <0x0010af5e> { _bfin_mac_probe + 0xf6 }

PC  : <0x0010af76> { _bfin_mac_probe + 0x10e }

DCPLB_FAULT_ADDR: <0x00000018> /* Maybe null pointer? */

ICPLB_FAULT_ADDR: <0x0010af76> { _bfin_mac_probe + 0x10e }

PROCESSOR STATE:

R0 : 02081000    R1 : ffff96bf    R2 : ffffff96    R3 : 00000000

R4 : 00000000    R5 : 0017f62c    R6 : 0201bf20    R7 : 00177580

P0 : 0292de88    P1 : 0292de68    P2 : 00000000    P3 : 0017754c

P4 : 02081000    P5 : 00177488    FP : 020812c0    SP : 0201bdc8

LB0: ffa016ae    LT0: ffa016ae    LC0: 00000000

LB1: 00092820    LT1: 00092820    LC1: 00000000

B0 : 00000000    L0 : 00000000    M0 : 00000000    I0 : 0201beb0

B1 : 00000000    L1 : 00000000    M1 : 00000000    I1 : 0201be5c

B2 : 00000000    L2 : 00000000    M2 : 00000000    I2 : 00000000

B3 : 00000000    L3 : 00000000    M3 : 00000000    I3 : 00000000

A0.w: 00000000   A0.x: 00000000   A1.w: 00000000   A1.x: 00000000

USP : 00000000  ASTAT: 00003004

 

Hardware Trace:

   0 Target : <0x00004e34> { _trap_c + 0x0 }

     Source : <0xffa0068c> { _exception_to_level5 + 0xa4 } CALL pcrel

   1 Target : <0xffa005e8> { _exception_to_level5 + 0x0 }

     Source : <0xffa0049c> { _bfin_return_from_exception + 0x20 } RTX

   2 Target : <0xffa0047c> { _bfin_return_from_exception + 0x0 }

     Source : <0xffa00540> { _ex_trap_c + 0x74 } JUMP.S

   3 Target : <0xffa004cc> { _ex_trap_c + 0x0 }

     Source : <0xffa003a4> { _ex_workaround_261 + 0x1c } JUMP.S

   4 Target : <0xffa00388> { _ex_workaround_261 + 0x0 }

     Source : <0xffa00760> { _trap + 0x68 } JUMP (P4)

   5 Target : <0xffa00718> { _trap + 0x20 }

     Source : <0xffa00714> { _trap + 0x1c } IF !CC JUMP

   6 Target : <0xffa006f8> { _trap + 0x0 }

     Source : <0xffa0049c> { _bfin_return_from_exception + 0x20 } RTX

   7 Target : <0xffa0047c> { _bfin_return_from_exception + 0x0 }

     Source : <0xffa0039a> { _ex_workaround_261 + 0x12 } IF !CC JUMP

   8 Target : <0xffa00388> { _ex_workaround_261 + 0x0 }

     Source : <0xffa00760> { _trap + 0x68 } JUMP (P4)

   9 Target : <0xffa00718> { _trap + 0x20 }

     Source : <0xffa00714> { _trap + 0x1c } IF !CC JUMP

  10 Target : <0xffa006f8> { _trap + 0x0 }

     Source : <0x0010af72> { _bfin_mac_probe + 0x10a } 0xe73a

  11 Target : <0x0010af5e> { _bfin_mac_probe + 0xf6 }

     Source : <0x000ae448> { _setup_mac_addr + 0x14 } RTS

  12 Target : <0x000ae434> { _setup_mac_addr + 0x0 }

     Source : <0x0010af5a> { _bfin_mac_probe + 0xf2 } CALL pcrel

  13 Target : <0x0010aef4> { _bfin_mac_probe + 0x8c }

     Source : <0x0010aec2> { _bfin_mac_probe + 0x5a } IF !CC JUMP

  14 Target : <0x0010ae7a> { _bfin_mac_probe + 0x12 }

     Source : <0x000d5682> { _alloc_etherdev_mq + 0x1e } RTS

  15 Target : <0x000d567e> { _alloc_etherdev_mq + 0x1a }

     Source : <0x000cc3fe> { _alloc_netdev_mq + 0xba } RTS

Kernel Stack

Stack info:

SP: [0x0201bdf8] <0x0201bdf8> /* kernel dynamic memory */

FP: (0x0201bebc)

Memory from 0x0201bdf0 to 0201c000

0201bdf0: 00092820  ffa016ae [00092820] ffa016ae  00000000  00000000  00000000  00000000
0201be10: 00000000  00000000  00000000  00000000  00000000  00000000  00000000  00000000
0201be30: 00000000  00000000  00000000  00000000  00000000  00000000  00000000  00000000
0201be50: 0201be5c  0201beb0  00000000  020812c0  00177488  02081000  0017754c  00000000
0201be70: 0292de68  0292de88  00177580  0201bf20  0017f62c  00000000  00000000  ffffff96
0201be90: ffff96bf  02081000  02081000  0292de88  00000006 <00076092> 02931324  0017f62c
0201beb0: 00000001 <000a8232> 02919720 (00000000)<000a8390> 0017754c  001736b4  0017f62c
0201bed0: 00177580  02008b28  00000000 <0010a058> 0201bf60 <000a8454> 0017754c  0017f62c
0201bef0: 0017f0e4  00177580  0017f0e4  00000000  0201bf20 <000a7af4> 000a83f4  0017f62c
0201bf10: 00000000  02919720  00000000  00000000  020045d8  02037a10 <000a81ea> 02919720
0201bf30: 00000000  00000000  00000000  0201bf60  0201bf60 <000a7f88> 000a83f4 <000a7fa6>
0201bf50:<000a871c> 0017f5dc  00165148  001383f8  0013f97c <000a8704> 0017f62c  00165148
0201bf70: 0016500c  00000000  0019fcd8  00000000  00165148 <0000102e> 0019fcd8  00000000
0201bf90: 00000000  02037ce0  00003739  00000000  00000000  00000000 <00186296> 0019fcd8
0201bfb0: 0019fd38  00000000  00000000  00000000  00000000  00000000  00198220  00000000
0201bfd0: 00001490 <0018649e> 00165018  00000000  00000000  00000000  00000000 <00001496>
0201bff0: 00000000  00000000  ffffffff  00000006

Return addresses in stack:

    address : <0x00076092> { _create_dir + 0x3a }

    address : <0x000a8232> { _driver_sysfs_add + 0x42 }

   frame  1 : <0x000a8390> { _really_probe + 0xdc }

    address : <0x0010a058> { _klist_next + 0x20 }

    address : <0x000a8454> { ___driver_attach + 0x60 }

    address : <0x000a7af4> { _bus_for_each_dev + 0x3c }

    address : <0x000a81ea> { _driver_attach + 0x1a }

    address : <0x000a7f88> { _bus_add_driver + 0x60 }

    address : <0x000a7fa6> { _bus_add_driver + 0x7e }

    address : <0x000a871c> { _driver_register + 0x64 }

    address : <0x000a8704> { _driver_register + 0x4c }

    address : <0x0000102e> { _do_one_initcall + 0x2e }

    address : <0x00186296> { _do_initcalls + 0x2a }

    address : <0x0018649e> { _kernel_init + 0x3e }

    address : <0x00001496> { _kernel_thread_helper + 0x6 }

Modules linked in:

Kernel panic - not syncing: Kernel exception

Hardware Trace:

Stack info:

SP: [0x0201bce0] <0x0201bce0> /* kernel dynamic memory */

FP: (0x0201bebc)

Memory from 0x0201bce0 to 0201c000

0201bce0:[0013ab58]<00010acc> 0016bdc8  0013ab58  0016a3d2  0016a3d2  0016a3d2  0201bd1c
0201bd00: 0201bd1c <000051a6> 0201bdc8  ffe02014  0017754c  0013a628  ffa016cc  0000003f
0201bd20: ffffffff <ffa00be2> ffc00014  0003000b  10624dd3  00000000  00000000  00000000
0201bd40: 000114e2  00008050  00000026  00000000  00000000  00000000  000114e2  04c4b400
0201bd60: 00000006  02003004  00000000  0201bd90 <0000b42a> 00000000  01312d00  0014ff97
0201bd80: 00000001  00000000  00000000  0201bdb0 <0000b470> ffffffff  0201bdf4 <0008d6a2>
0201bda0: 00000001 <ffa00690> 00167000  00008008  00000027  0017f62c  00000000  00171da4
0201bdc0: 0201bdc8  00000480  00000480  00008008  00000027  00000000  0201bea4  00000480
0201bde0: 0010af76 <0010af5e> 02081000  00003004  00092820  ffa016ae  00092820  ffa016ae
0201be00: 00000000  00000000  00000000  00000000  00000000  00000000  00000000  00000000
0201be20: 00000000  00000000  00000000  00000000  00000000  00000000  00000000  00000000
0201be40: 00000000  00000000  00000000  00000000  0201be5c  0201beb0  00000000  020812c0
0201be60: 00177488  02081000  0017754c  00000000  0292de68  0292de88  00177580  0201bf20
0201be80: 0017f62c  00000000  00000000  ffffff96  ffff96bf  02081000  02081000  0292de88
0201bea0: 00000006 <00076092> 02931324  0017f62c  00000001 <000a8232> 02919720 (00000000)
0201bec0:<000a8390> 0017754c  001736b4  0017f62c  00177580  02008b28  00000000 <0010a058>
0201bee0: 0201bf60 <000a8454> 0017754c  0017f62c  0017f0e4  00177580  0017f0e4  00000000
0201bf00: 0201bf20 <000a7af4> 000a83f4  0017f62c  00000000  02919720  00000000  00000000
0201bf20: 020045d8  02037a10 <000a81ea> 02919720  00000000  00000000  00000000  0201bf60
0201bf40: 0201bf60 <000a7f88> 000a83f4 <000a7fa6><000a871c> 0017f5dc  00165148  001383f8
0201bf60: 0013f97c <000a8704> 0017f62c  00165148  0016500c  00000000  0019fcd8  00000000
0201bf80: 00165148 <0000102e> 0019fcd8  00000000  00000000  02037ce0  00003739  00000000
0201bfa0: 00000000  00000000 <00186296> 0019fcd8  0019fd38  00000000  00000000  00000000
0201bfc0: 00000000  00000000  00198220  00000000  00001490 <0018649e> 00165018  00000000
0201bfe0: 00000000  00000000  00000000 <00001496> 00000000  00000000  ffffffff  00000006

Return addresses in stack:

    address : <0x00010acc> { _panic + 0x4c }

    address : <0x000051a6> { _trap_c + 0x372 }

    address : <0xffa00be2> { __common_int_entry + 0x72 }

    address : <0x0000b42a> { _wakeup_gran + 0x6a }

    address : <0x0000b470> { _wakeup_preempt_entity + 0x28 }

    address : <0x0008d6a2> { _idr_get_empty_slot + 0x86 }

    address : <0xffa00690> { _exception_to_level5 + 0xa8 }

    address : <0x0010af5e> { _bfin_mac_probe + 0xf6 }

    address : <0x00076092> { _create_dir + 0x3a }

    address : <0x000a8232> { _driver_sysfs_add + 0x42 }

   frame  1 : <0x000a8390> { _really_probe + 0xdc }

    address : <0x0010a058> { _klist_next + 0x20 }

    address : <0x000a8454> { ___driver_attach + 0x60 }

    address : <0x000a7af4> { _bus_for_each_dev + 0x3c }

    address : <0x000a81ea> { _driver_attach + 0x1a }

    address : <0x000a7f88> { _bus_add_driver + 0x60 }

    address : <0x000a7fa6> { _bus_add_driver + 0x7e }

    address : <0x000a871c> { _driver_register + 0x64 }

    address : <0x000a8704> { _driver_register + 0x4c }

    address : <0x0000102e> { _do_one_initcall + 0x2e }

    address : <0x00186296> { _do_initcalls + 0x2a }

    address : <0x0018649e> { _kernel_init + 0x3e }

    address : <0x00001496> { _kernel_thread_helper + 0x6 }

 

--- Barry Song                                               2009-09-14 03:40:39

Michael,

I can change P_DEFINED to P_DONTCARE for PJx and move BUG_ON(ident >= MAX_BLACKFIN_GPIOS) behind the if (per & P_DONTCARE) check in peripheral_request for a fast fix, since PJx can't work as GPIO on BF537 in fact. But maybe it's better for you to make an overall fix for all related issues. I am not sure whether I lost something too.

-Barry

 

--- Barry Song                                               2009-09-16 02:11:26

To fix the problem, change BUG_ON(ident >= MAX_BLACKFIN_GPIOS) to BUG_ON(ident >= MAX_RESOURCES).

MAX_RESOURCES is bigger than MAX_BLACKFIN_GPIOS in BF537. So pins between 48 and 63 can be reserved by a peripheral, but not by gpio.
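The following is an added example (not code from this tracker, nor from the Blackfin kernel tree) that models both the original report, in which a PJx pin identifier (48 and up) is checked against the GPIO bound of 48, and the fix in this comment, which checks peripheral requests against MAX_RESOURCES while GPIO requests keep the tighter bound. The P_IDENT/P_FUNCT/P_DEFINED/P_DONTCARE bit layout, the value 64 for MAX_RESOURCES, the pin numbers and the printed message are assumptions chosen for the model; a failed bound check returns -EINVAL here rather than hitting BUG_ON so the outcome can be observed. Requesting the two MAC pins (P_MDC, P_MDIO) fails under the old bound and succeeds under the new one, while gpio_request(PORT_PJ0) is rejected in both cases, which is the behaviour the fix describes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pin encoding modelled on the Blackfin portmux macros; the bit layout
 * and the pin numbers below are assumptions for this example. */
#define P_IDENT(x)      ((x) & 0x1FF)
#define P_FUNCT(x)      (((x) & 0x3) << 9)
#define P_DEFINED       0x8000
#define P_DONTCARE      0x1000

#define MAX_BLACKFIN_GPIOS 48   /* PF0..PH15 are GPIO-capable */
#define MAX_RESOURCES      64   /* assumption: also covers the PJ pins */
#define PORT_PF0            0
#define PORT_PJ0           48
#define PORT_PJ1           49

#define P_MDC   (P_DEFINED | P_IDENT(PORT_PJ0) | P_FUNCT(0))
#define P_MDIO  (P_DEFINED | P_IDENT(PORT_PJ1) | P_FUNCT(0))

/* The peripheral table is sized by MAX_RESOURCES so that indices 48..63
 * are in bounds. A table sized by MAX_BLACKFIN_GPIOS indexed with a PJ
 * ident is exactly the out-of-bounds write the report describes. */
static uint8_t reserved_peri[MAX_RESOURCES];
static uint8_t reserved_gpio[MAX_BLACKFIN_GPIOS];

/* Which bound the request path checks: the original one or the fixed one. */
enum bound { BOUND_GPIOS = MAX_BLACKFIN_GPIOS, BOUND_RESOURCES = MAX_RESOURCES };

void portmux_reset(void)
{
    memset(reserved_peri, 0, sizeof reserved_peri);
    memset(reserved_gpio, 0, sizeof reserved_gpio);
}

/* Model of peripheral_request(). A failed bound check returns -EINVAL
 * here (the kernel used BUG_ON) so the caller can observe the outcome. */
int peripheral_request(unsigned short per, enum bound limit)
{
    unsigned short ident = P_IDENT(per);

    if (per & P_DONTCARE)          /* pin has a single dedicated function */
        return 0;
    if (!(per & P_DEFINED))
        return -ENODEV;
    if (ident >= (unsigned)limit) {
        printf("peripheral_request: ident %u exceeds limit %u\n", ident, (unsigned)limit);
        return -EINVAL;
    }
    if (reserved_peri[ident])
        return -EBUSY;
    reserved_peri[ident] = 1;
    return 0;
}

void peripheral_free(unsigned short per)
{
    unsigned short ident = P_IDENT(per);
    if ((per & P_DEFINED) && !(per & P_DONTCARE) && ident < MAX_RESOURCES)
        reserved_peri[ident] = 0;
}

/* Request a zero-terminated pin list, releasing earlier pins on failure. */
int peripheral_request_list(const unsigned short *per, enum bound limit)
{
    size_t i;
    for (i = 0; per[i]; i++) {
        int ret = peripheral_request(per[i], limit);
        if (ret) {
            while (i-- > 0)
                peripheral_free(per[i]);
            return ret;
        }
    }
    return 0;
}

/* GPIO requests keep the tighter bound: PJ pins are never GPIO on BF537. */
int gpio_request(unsigned gpio)
{
    if (gpio >= MAX_BLACKFIN_GPIOS)
        return -EINVAL;
    if (reserved_gpio[gpio] || reserved_peri[gpio])
        return -EBUSY;
    reserved_gpio[gpio] = 1;
    return 0;
}

int main(void)
{
    static const unsigned short mac_pins[] = { P_MDC, P_MDIO, 0 };
    portmux_reset();
    printf("before fix: %d\n", peripheral_request_list(mac_pins, BOUND_GPIOS));
    portmux_reset();
    printf("after fix:  %d\n", peripheral_request_list(mac_pins, BOUND_RESOURCES));
    printf("gpio PJ0:   %d\n", gpio_request(PORT_PJ0));
    return 0;
}
```

The point of keeping two bounds is that each table is indexed only after a check against its own size: the peripheral path compares against the size of reserved_peri and the GPIO path against reserved_gpio, so no ident can reach past either array whichever path a driver takes.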

 

 

--- Michael Hennerich                                        2010-02-22 10:23:01

close it
