[#5559] Read ITEST_COMMAND via debugfs mmrs will cause kernel crash

Document created by Aaronwu Employee on Sep 4, 2013

Submitted By: Vivi Li
Open Date: 2009-09-26 23:35:19
Close Date: 2010-07-11 23:41:06
Priority: Medium
Assignee: Vivi Li
Status: Closed
Fixed In Release: N/A
Found In Release: 2010R1
Release:
Category: N/A
Board: N/A
Processor: BF537
Silicon Revision:
Is this bug repeatable?: Yes
Resolution: Fixed
Uboot version or rev.:
Toolchain version or rev.: gcc4.1-09r1-rc9
App binary format: N/A

Summary: Read ITEST_COMMAND via debugfs mmrs will cause kernel crash

Details:

 

Reading a file in the folder /sys/kernel/debug/blackfin/ will cause a kernel crash.

Below are the steps and log on bf537-STAMP:

--

root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ITEST_COMMAND

Undefined instruction

<5> - May be used to emulate instructions that are not defined for

<5>   a particular processor implementation.

Kernel OOPS in progress

Deferred Exception context

CURRENT PROCESS:

COMM=cat PID=148

CPU = 0

TEXT = 0x02800040-0x0284c160        DATA = 0x0284c164-0x0285fca4

BSS = 0x0285fca4-0x02861684  USER-STACK = 0x02869f40

 

return address: [0x024ddc60]; contents of:

0x024ddc40:  0f40  08e2  14aa  b0e0  4bd8  409a  0a1c  c0d1

0x024ddc50:  6428  0922  3ab3  34f2  1300  ffe0  fd28  0012

0x024ddc60: [0001] 0000  dc64  024d  dc64  024d  8b11  c868

0x024ddc70:  f270  0002  0000  0000  c6d4  0247  940c  45a9

 

ADSP-BF537-0.2 500(MHz CCLK) 125(MHz SCLK) (mpu off)

Linux version 2.6.31-ADI-2010R1-pre-svn7464 (test@uclinux50-bf537-ad9960-ad1836) (gcc version 4.1.2 (ADI svn)) #4 Sun Sep 27 09:9

 

SEQUENCER STATUS:               Not tainted

SEQSTAT: 00000021  IPEND: 8008  IMASK: ffff  SYSCFG: 0006

  EXCAUSE   : 0x21

  physical IVG3 asserted : <0xffa00800> { _trap + 0x0 }

  physical IVG15 asserted : <0xffa010d0> { _evt_system_call + 0x0 }

  logical irq   6 mapped  : <0xffa0047c> { _timer_interrupt + 0x0 }

  logical irq  10 mapped  : <0x000b16c4> { _bfin_rtc_interrupt + 0x0 }

  logical irq  18 mapped  : <0x000a1b68> { _bfin_serial_dma_rx_int + 0x0 }

  logical irq  19 mapped  : <0x000a1f3c> { _bfin_serial_dma_tx_int + 0x0 }

  logical irq  24 mapped  : <0x000aa9f0> { _bfin_mac_interrupt + 0x0 }

RETE: <0x00000000> /* Maybe null pointer? */

RETN: <0x0276fe6c> /* kernel dynamic memory */

RETX: <0x00000480> /* Maybe fixed code section */

RETS: <0x024ddc60> /* kernel dynamic memory */

PC  : <0x024ddc60> /* kernel dynamic memory */

DCPLB_FAULT_ADDR: <0x00001000> { _do_one_initcall + 0x0 }

ICPLB_FAULT_ADDR: <0x024ddc60> /* kernel dynamic memory */

PROCESSOR STATE:

R0 : 00000012    R1 : ffffffc0    R2 : 00000001    R3 : 00000002

R4 : 00000000    R5 : 00000000    R6 : 00000000    R7 : 00000000

P0 : 02868e62    P1 : 024ddc60    P2 : 00166108    P3 : 00000003

P4 : 00001000    P5 : 02868e50    FP : 02868e18    SP : 0276fd90

LB0: ffa015fc    LT0: ffa015fa    LC0: 00000000

LB1: 0008ed4a    LT1: 0008ed3e    LC1: 00000000

B0 : 0000001b    L0 : 00000000    M0 : 00000001    I0 : 0000000f

B1 : 00000000    L1 : 00000000    M1 : 00000000    I1 : 024ddc38

B2 : 00000000    L2 : 00000000    M2 : 00000000    I2 : 00000000

B3 : 00000000    L3 : 00000000    M3 : 00000000    I3 : 00105ca0

A0.w: 00000000   A0.x: 00000000   A1.w: 00000000   A1.x: 00000000

USP : 02868e0c  ASTAT: 00001004

 

Hardware Trace:

   0 Target : <0x00004fa8> { _trap_c + 0x0 }

     Source : <0xffa00794> { _exception_to_level5 + 0xa4 } CALL pcrel

   1 Target : <0xffa006f0> { _exception_to_level5 + 0x0 }

     Source : <0xffa005a4> { _bfin_return_from_exception + 0x20 } RTX

   2 Target : <0xffa00584> { _bfin_return_from_exception + 0x0 }

     Source : <0xffa00648> { _ex_trap_c + 0x74 } JUMP.S

   3 Target : <0xffa005d4> { _ex_trap_c + 0x0 }

     Source : <0xffa00868> { _trap + 0x68 } JUMP (P4)

   4 Target : <0xffa00820> { _trap + 0x20 }

     Source : <0xffa0081c> { _trap + 0x1c } IF !CC JUMP

   5 Target : <0xffa00800> { _trap + 0x0 }

     Source : <0x00054020> { _simple_attr_read + 0x68 } RTS

   6 Target : <0x00054018> { _simple_attr_read + 0x60 }

     Source : <0xffa02256> { _mutex_unlock + 0x26 } RTS

   7 Target : <0xffa02230> { _mutex_unlock + 0x0 }

     Source : <0x00054014> { _simple_attr_read + 0x5c } CALL pcrel

   8 Target : <0x00054010> { _simple_attr_read + 0x58 }

     Source : <0x00053eb8> { _simple_read_from_buffer + 0x68 } RTS

   9 Target : <0x00053e9e> { _simple_read_from_buffer + 0x4e }

     Source : <0xffa015fe> { _memcpy + 0x5a } RTS

  10 Target : <0xffa015f4> { _memcpy + 0x50 }

     Source : <0xffa015f0> { _memcpy + 0x4c } IF !CC JUMP

  11 Target : <0xffa015d4> { _memcpy + 0x30 }

     Source : <0xffa015c6> { _memcpy + 0x22 } IF !CC JUMP

  12 Target : <0xffa015a4> { _memcpy + 0x0 }

     Source : <0x00053e9a> { _simple_read_from_buffer + 0x4a } CALL pcrel

  13 Target : <0x00053e8e> { _simple_read_from_buffer + 0x3e }

     Source : <0xffa0030e> { __access_ok + 0x1ae } RTS

  14 Target : <0xffa00306> { __access_ok + 0x1a6 }

     Source : <0xffa00194> { __access_ok + 0x34 } IF CC JUMP

  15 Target : <0xffa00160> { __access_ok + 0x0 }

     Source : <0x00053e8a> { _simple_read_from_buffer + 0x3a } CALL pcrel

Kernel Stack

Stack info:

SP: [0x0276ff24] <0x0276ff24> /* kernel dynamic memory */

Memory from 0x0276ff20 to 02770000

Return addresses in stack:

    address : <0x0281b5ac> [ cat + 0x1b56c ]

    address : <0xffa01134> { _evt_system_call + 0x64 }

Modules linked in:

Kernel panic - not syncing: Kernel exception

Hardware Trace:

Stack info:

SP: [0x0276fca8] <0x0276fca8> /* kernel dynamic memory */

FP: (0x0276fcfc)

Memory from 0x0276fca0 to 02770000

Return addresses in stack:

    address : <0x0000fbb0> { _panic + 0x4c }

    address : <0x0000531a> { _trap_c + 0x372 }

    address : <0x00013ea4> { ___do_softirq + 0x7c }

   frame  1 : <0x00045efc> { ___follow_mount + 0x1c }

    address : <0x0002d390> { _handle_simple_irq + 0x68 }

    address : <0xffa0042a> { _asm_do_IRQ + 0x36 }

    address : <0xffa00798> { _exception_to_level5 + 0xa8 }

    address : <0x00008008> { _l2_sram_zalloc + 0xc }

    address : <0x00008008> { _l2_sram_zalloc + 0xc }

    address : <0x00040190> { _vfs_read + 0x68 }

    address : <0x0000b218> { _pick_next_task_fair + 0x28 }

    address : <0x000403fc> { _sys_read + 0x30 }

    address : <0xffa009a0> { _system_call + 0x68 }

    address : <0x0281b5ac> [ cat + 0x1b56c ]

    address : <0xffa01134> { _evt_system_call + 0x64 }

--

 

Follow-ups

 

--- Barry Song                                               2009-11-08 22:21:12

Yes. ITEST_COMMAND is the only address which can cause this problem. The

addresses before and after it are all ok:

root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ICPLB_DATA9
0x00000000
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ICPLB_FAULT_ADDR
0x0294d97a
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ICPLB_STATUS
0x00000003
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ITEST_DATA0
0xe10affe0
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ITEST_DATA1
0x7fff3bff
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ITEST_COMMAND

 

Data access CPLB miss

<5> - Used by the MMU to signal a CPLB miss on a data access.

Kernel OOPS in progress

Deferred Exception context

CURRENT PROCESS:

COMM=cat PID=212 CPU=0

TEXT = 0x02a80000-0x02acd854        DATA = 0x02b28854-0x02b2c1f4

BSS = 0x02b2c1f4-0x02b40000  USER-STACK = 0x02b5fe70

 

return address: [0x02a0c004]; contents of:

0x02a0bfe0:  0000  0000  68cc  0294  1000  0000  ecf8  02b5

 

 

Then continue to figure out the reason.

 

--- Robin Getz                                               2009-11-08 22:40:11

The act of writing ITEST_COMMAND can trigger reads/writes in the cache - depending
on the value.

 

-------

When the Instruction Test Command register (ITEST_COMMAND) is written

to, the L1 cache data or tag arrays are accessed, and the data is transferred

through the Instruction Test Data registers (ITEST_DATA[1:0]).

-------

 

It could be that this is a bug -- and that no one should be reading

ITEST_COMMAND either. (there isn't much point)...

 

I'll check with design

 

-Robin

 

--- Barry Song                                               2009-12-11 04:59:20

The problem disappeared in trunk head:

root:/> uname -a
Linux blackfin 2.6.32-ADI-2010R1-pre-svn7960 #2738 Fri Dec 11 17:26:43 CST 2009 blackfin GNU/Linux
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ITEST_COMMAND
0x00000000
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ICPLB_STATUS
0x00000003
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ITEST_DATA0
0x93086001
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ITEST_DATA1
0x3fbff5d2
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/IMEM_CONTROL
0x00000007

 

--- Mike Frysinger                                           2009-12-11 11:23:43

you simply got lucky, just like in the original bug, you simply got unlucky

 

--- Robin Getz                                               2010-07-08 11:04:16

This anomaly was added to the most recent version of the anomaly sheets.

 

05000481 - Reads of ITEST_COMMAND and ITEST_DATA Registers Cause Cache

Corruption

 

Workaround:

1) Never read ITEST_COMMAND or ITEST_DATA

2) when performing the read, atomically and immediately after, write the same

data to the same register.

 

So, unless anyone has any objections, I'm going to change

arch/blackfin/include/asm/cdef_LPBlackfin.h to something like:

 

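static inline u32 bfin_read_ITEST_COMMAND(void)
{
       u32 val;
       unsigned long flags;

       /* anomaly 05000481: read, then immediately write the same value
        * back, with interrupts off so the pair is atomic */
       local_irq_save_hw(flags);
       val = bfin_read32(ITEST_COMMAND);
       bfin_write32(ITEST_COMMAND, val);   /* bfin_write32() takes (addr, val) */
       local_irq_restore_hw(flags);

       return val;
}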

 

I think that should fix things.

 

--- Mike Frysinger                                           2010-07-08 12:43:16

it won't fix debugmmrs because that reads/writes addresses directly.  you'll have
to tweak the file to use the helper.

 

--- Robin Getz                                               2010-07-08 14:10:46

Quick discussion on the phone with Mike - we came to the agreement to do the

first anomaly workaround - remove this from

arch/blackfin/include/asm/cdef_LPBlackfin.h, and from the xml file/debugmmrs.

 

-Robin

 

--- Robin Getz                                               2010-07-09 13:31:14

Fixed by removing the register from everywhere...

 

Assign back to Vivi for test (to make sure nothing broke).

 

-Robin

 

--- Vivi Li                                                  2010-07-11 23:41:06

It passes now on bf537-stamp. So close this bug.

I find that on other platforms this test fails at other different files. So open
new bugs 6108/6109/6110/6111.
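
Added example (not part of the original bug thread or the Blackfin kernel sources): a shell check that walks an MMR debugfs tree the way the failing test did, but never opens the registers named in anomaly 05000481, and reports any that are still exposed. The function names and the sample tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread. Register names come from
# anomaly 05000481 as quoted above; ITEST_DATA* covers ITEST_DATA0/1.

# List read-unsafe register files under $1 by name only; nothing is opened.
list_unsafe_mmrs() {
    find "$1" -type f \( -name ITEST_COMMAND -o -name 'ITEST_DATA*' \) | sort
}

# Read every other register file under $1 and print "path = value".
read_safe_mmrs() {
    find "$1" -type f ! -name ITEST_COMMAND ! -name 'ITEST_DATA*' | sort |
    while IFS= read -r f; do
        rel=${f#"$1"/}
        printf '%s = %s\n' "$rel" "$(cat "$f")"
    done
}

# Dump the safe registers, then report unsafe ones that are still exposed.
# Returns 1 if any unsafe register file exists, 0 otherwise.
audit_mmrs() {
    read_safe_mmrs "$1"
    unsafe=$(list_unsafe_mmrs "$1")
    [ -z "$unsafe" ] && return 0
    printf '%s\n' "$unsafe" | while IFS= read -r f; do
        rel=${f#"$1"/}
        printf 'EXPOSED, not read: %s\n' "$rel"
    done
    return 1
}

# Constructed sample tree standing in for /sys/kernel/debug/blackfin
# (plain files, so running this never touches real MMRs).
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/L1 Code Memory Registers"
    printf '0x00000003\n' > "$d/L1 Code Memory Registers/ICPLB_STATUS"
    printf '0x00000007\n' > "$d/L1 Code Memory Registers/IMEM_CONTROL"
    printf '0x00000000\n' > "$d/L1 Code Memory Registers/ITEST_COMMAND"
    printf '0xe10affe0\n' > "$d/L1 Code Memory Registers/ITEST_DATA0"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_mmrs "$demo" || echo "audit: read-unsafe registers are still exposed"
rm -rf "$demo"
```

On a kernel where the register has been removed from debugmmrs, `audit_mmrs /sys/kernel/debug/blackfin` returns 0 and prints only the safe registers.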

 

 

 
