[#5559] Read ITEST_COMMAND via debugfs mmrs will cause kernel crash
Submitted By: Vivi Li
Open Date
2009-09-26 23:35:19 Close Date
2010-07-11 23:41:06
Priority:
Medium Assignee:
Vivi Li
Status:
Closed Fixed In Release:
N/A
Found In Release:
2010R1 Release:
Category:
N/A Board:
N/A
Processor:
BF537 Silicon Revision:
Is this bug repeatable?:
Yes Resolution:
Fixed
Uboot version or rev.:
Toolchain version or rev.:
gcc4.1-09r1-rc9
App binary format:
N/A
Summary: Read ITEST_COMMAND via debugfs mmrs will cause kernel crash
Details:
Read file on folder /sys/kernel/debug/blackfin/ will cause kernel crash.
Bellow is the steps and log on bf537-STAMP:
--
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\ Registers/ITEST_COMMAND
Undefined instruction
<5> - May be used to emulate instructions that are not defined for
<5> a particular processor implementation.
Kernel OOPS in progress
Deferred Exception context
CURRENT PROCESS:
COMM=cat PID=148
CPU = 0
TEXT = 0x02800040-0x0284c160 DATA = 0x0284c164-0x0285fca4
BSS = 0x0285fca4-0x02861684 USER-STACK = 0x02869f40
return address: [0x024ddc60]; contents of:
0x024ddc40: 0f40 08e2 14aa b0e0 4bd8 409a 0a1c c0d1
0x024ddc50: 6428 0922 3ab3 34f2 1300 ffe0 fd28 0012
0x024ddc60: [0001] 0000 dc64 024d dc64 024d 8b11 c868
0x024ddc70: f270 0002 0000 0000 c6d4 0247 940c 45a9
ADSP-BF537-0.2 500(MHz CCLK) 125(MHz SCLK) (mpu off)
Linux version 2.6.31-ADI-2010R1-pre-svn7464 (test@uclinux50-bf537-ad9960-ad1836) (gcc version 4.1.2 (ADI svn)) #4 Sun Sep 27 09:9
SEQUENCER STATUS: Not tainted
SEQSTAT: 00000021 IPEND: 8008 IMASK: ffff SYSCFG: 0006
EXCAUSE : 0x21
physical IVG3 asserted : <0xffa00800> { _trap + 0x0 }
physical IVG15 asserted : <0xffa010d0> { _evt_system_call + 0x0 }
logical irq 6 mapped : <0xffa0047c> { _timer_interrupt + 0x0 }
logical irq 10 mapped : <0x000b16c4> { _bfin_rtc_interrupt + 0x0 }
logical irq 18 mapped : <0x000a1b68> { _bfin_serial_dma_rx_int + 0x0 }
logical irq 19 mapped : <0x000a1f3c> { _bfin_serial_dma_tx_int + 0x0 }
logical irq 24 mapped : <0x000aa9f0> { _bfin_mac_interrupt + 0x0 }
RETE: <0x00000000> /* Maybe null pointer? */
RETN: <0x0276fe6c> /* kernel dynamic memory */
RETX: <0x00000480> /* Maybe fixed code section */
RETS: <0x024ddc60> /* kernel dynamic memory */
PC : <0x024ddc60> /* kernel dynamic memory */
DCPLB_FAULT_ADDR: <0x00001000> { _do_one_initcall + 0x0 }
ICPLB_FAULT_ADDR: <0x024ddc60> /* kernel dynamic memory */
PROCESSOR STATE:
R0 : 00000012 R1 : ffffffc0 R2 : 00000001 R3 : 00000002
R4 : 00000000 R5 : 00000000 R6 : 00000000 R7 : 00000000
P0 : 02868e62 P1 : 024ddc60 P2 : 00166108 P3 : 00000003
P4 : 00001000 P5 : 02868e50 FP : 02868e18 SP : 0276fd90
LB0: ffa015fc LT0: ffa015fa LC0: 00000000
LB1: 0008ed4a LT1: 0008ed3e LC1: 00000000
B0 : 0000001b L0 : 00000000 M0 : 00000001 I0 : 0000000f
B1 : 00000000 L1 : 00000000 M1 : 00000000 I1 : 024ddc38
B2 : 00000000 L2 : 00000000 M2 : 00000000 I2 : 00000000
B3 : 00000000 L3 : 00000000 M3 : 00000000 I3 : 00105ca0
A0.w: 00000000 A0.x: 00000000 A1.w: 00000000 A1.x: 00000000
USP : 02868e0c ASTAT: 00001004
Hardware Trace:
0 Target : <0x00004fa8> { _trap_c + 0x0 }
Source : <0xffa00794> { _exception_to_level5 + 0xa4 } CALL pcrel
1 Target : <0xffa006f0> { _exception_to_level5 + 0x0 }
Source : <0xffa005a4> { _bfin_return_from_exception + 0x20 } RTX
2 Target : <0xffa00584> { _bfin_return_from_exception + 0x0 }
Source : <0xffa00648> { _ex_trap_c + 0x74 } JUMP.S
3 Target : <0xffa005d4> { _ex_trap_c + 0x0 }
Source : <0xffa00868> { _trap + 0x68 } JUMP (P4)
4 Target : <0xffa00820> { _trap + 0x20 }
Source : <0xffa0081c> { _trap + 0x1c } IF !CC JUMP
5 Target : <0xffa00800> { _trap + 0x0 }
Source : <0x00054020> { _simple_attr_read + 0x68 } RTS
6 Target : <0x00054018> { _simple_attr_read + 0x60 }
Source : <0xffa02256> { _mutex_unlock + 0x26 } RTS
7 Target : <0xffa02230> { _mutex_unlock + 0x0 }
Source : <0x00054014> { _simple_attr_read + 0x5c } CALL pcrel
8 Target : <0x00054010> { _simple_attr_read + 0x58 }
Source : <0x00053eb8> { _simple_read_from_buffer + 0x68 } RTS
9 Target : <0x00053e9e> { _simple_read_from_buffer + 0x4e }
Source : <0xffa015fe> { _memcpy + 0x5a } RTS
10 Target : <0xffa015f4> { _memcpy + 0x50 }
Source : <0xffa015f0> { _memcpy + 0x4c } IF !CC JUMP
11 Target : <0xffa015d4> { _memcpy + 0x30 }
Source : <0xffa015c6> { _memcpy + 0x22 } IF !CC JUMP
12 Target : <0xffa015a4> { _memcpy + 0x0 }
Source : <0x00053e9a> { _simple_read_from_buffer + 0x4a } CALL pcrel
13 Target : <0x00053e8e> { _simple_read_from_buffer + 0x3e }
Source : <0xffa0030e> { __access_ok + 0x1ae } RTS
14 Target : <0xffa00306> { __access_ok + 0x1a6 }
Source : <0xffa00194> { __access_ok + 0x34 } IF CC JUMP
15 Target : <0xffa00160> { __access_ok + 0x0 }
Source : <0x00053e8a> { _simple_read_from_buffer + 0x3a } CALL pcrel
Kernel Stack
Stack info:
SP: [0x0276ff24] <0x0276ff24> /* kernel dynamic memory */
Memory from 0x0276ff20 to 02770000
0276ff20: 00000003 [02802a12] 00008000 00000000 00000000 02770000 02802a12 02802a12
0276ff40:<0281b5ac><ffa01134> 02003024 026930dd 0280d1bf 026930d6 0280d1b6 00000000
0276ff60: 0000000e 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0276ff80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0276ffa0: 00000000 00000000 00000000 ffffffff 02869fed 02868e0c 02868e18 02860c28
0276ffc0: 00000001 00000003 0286116c ffffeff4 00000003 00001000 02868e50 00000003
0276ffe0: 00000001 02869f69 00001000 02868e50 00000003 00000003 00000003 00000006
Return addresses in stack:
address : <0x0281b5ac> [ cat + 0x1b56c ]
address : <0xffa01134> { _evt_system_call + 0x64 }
Modules linked in:
Kernel panic - not syncing: Kernel exception
Hardware Trace:
Stack info:
SP: [0x0276fca8] <0x0276fca8> /* kernel dynamic memory */
FP: (0x0276fcfc)
Memory from 0x0276fca0 to 02770000
0276fca0: 0276fca8 00000003 [0012b408]<0000fbb0> 0015fd90 0012b408 001593c2 001593c2
0276fcc0: 001593c2 0276fce4 0276fce4 <0000531a> 0276fd90 ffe02014 00000003 0012ac0c
0276fce0: 00000001 0000003f ffffffff 00000100 <00013ea4> 00030001 00000000 (00000000)
0276fd00:<00045efc><0002d390> 00169134 02868e18 <ffa0042a> 0016d4e8 0276fef0 00000003
0276fd20: 00000006 00000000 02868e50 00001000 0276fd64 00000008 00077041 ffa00c20
0276fd40: 00000000 00000010 ffffffff 37396230 30323365 66656630 00323736 00008050
0276fd60: 00000000 00000000 02770000 <ffa00798> 00156000 <00008008> 00000021 00000000
0276fd80: 00000000 0280d1bf 026930d6 00000480 00000480 <00008008> 00000021 00000000
0276fda0: 0276fe6c 00000480 024ddc60 024ddc60 00000012 00001004 0008ed4a ffa015fc
0276fdc0: 0008ed3e ffa015fa 00000000 00000000 00000000 00000000 00000000 00000000
0276fde0: 00000000 00000000 00000000 0000001b 00000000 00000000 00000000 00000000
0276fe00: 00000000 00000000 00000000 00000001 00105ca0 00000000 024ddc38 0000000f
0276fe20: 02868e0c 02868e18 02868e50 00001000 00000003 00166108 024ddc60 02868e62
0276fe40: 00000000 00000000 00000000 00000000 00000002 00000001 ffffffc0 00000012
0276fe60: 00000012 02868e62 00000006 00000000 023e79b0 00000006 00000001 00000000
0276fe80: 02090640 0276ff24 00000000 00000000 00000000 <00040190> 02090640 00000003
0276fea0: 0276fef0 02868e50 00001000 00000001 00000020 00000000 <0000b218> 0276fef0
0276fec0: 02096140 00000002 <000403fc> 02090640 00000003 02868e50 00001000 00000003
0276fee0: 00000006 00000000 ffffe000 0276fef0 00000012 00000000 00000000 <ffa009a0>
0276ff00: 000403cc 00000000 ffffe000 ffffe000 026eeff6 0000fffe 02869f69 00000001
0276ff20: 00000003 02802a12 00008000 00000000 00000000 02770000 02802a12 02802a12
0276ff40:<0281b5ac><ffa01134> 02003024 026930dd 0280d1bf 026930d6 0280d1b6 00000000
0276ff60: 0000000e 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0276ff80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0276ffa0: 00000000 00000000 00000000 ffffffff 02869fed 02868e0c 02868e18 02860c28
0276ffc0: 00000001 00000003 0286116c ffffeff4 00000003 00001000 02868e50 00000003
0276ffe0: 00000001 02869f69 00001000 02868e50 00000003 00000003 00000003 00000006
Return addresses in stack:
address : <0x0000fbb0> { _panic + 0x4c }
address : <0x0000531a> { _trap_c + 0x372 }
address : <0x00013ea4> { ___do_softirq + 0x7c }
frame 1 : <0x00045efc> { ___follow_mount + 0x1c }
address : <0x0002d390> { _handle_simple_irq + 0x68 }
address : <0xffa0042a> { _asm_do_IRQ + 0x36 }
address : <0xffa00798> { _exception_to_level5 + 0xa8 }
address : <0x00008008> { _l2_sram_zalloc + 0xc }
address : <0x00008008> { _l2_sram_zalloc + 0xc }
address : <0x00040190> { _vfs_read + 0x68 }
address : <0x0000b218> { _pick_next_task_fair + 0x28 }
address : <0x000403fc> { _sys_read + 0x30 }
address : <0xffa009a0> { _system_call + 0x68 }
address : <0x0281b5ac> [ cat + 0x1b56c ]
address : <0xffa01134> { _evt_system_call + 0x64 }
--
Follow-ups
--- Barry Song 2009-11-08 22:21:12
Yes. ITEST_COMMAND is the only address which can cause this problem. The
addresses before and after it are all ok:
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/ICPLB_DATA9
0x00000000
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/ICPLB_FAULT_A
DDR
0x0294d97a
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/ICPLB_STATUS
0x00000003
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/ITEST_DATA0
0xe10affe0
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/ITEST_DATA1
0x7fff3bff
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/ITEST_COMMAND
Data access CPLB miss
<5> - Used by the MMU to signal a CPLB miss on a data access.
Kernel OOPS in progress
Deferred Exception context
CURRENT PROCESS:
COMM=cat PID=212 CPU=0
TEXT = 0x02a80000-0x02acd854 DATA = 0x02b28854-0x02b2c1f4
BSS = 0x02b2c1f4-0x02b40000 USER-STACK = 0x02b5fe70
return address: [0x02a0c004]; contents of:
0x02a0bfe0: 0000 0000 68cc 0294 1000 0000 ecf8 02b5
Then continue to figure out the reason.
--- Robin Getz 2009-11-08 22:40:11
The act of writing ITEST_COMMAND can trigger reads/writes in the cache - dending
on the value.
-------
When the Instruction Test Command register (ITEST_COMMAND) is written
to, the L1 cache data or tag arrays are accessed, and the data is transferred
through the Instruction Test Data registers (ITEST_DATA[1:0]).
-------
It could be that this is a bug -- and that no one should be reading
ITEST_COMMAND either. (there isn't much point)...
I'll check with design
-Robin
--- Barry Song 2009-12-11 04:59:20
The problem disappeared in trunk head:
root:/> uname -a
Linux blackfin 2.6.32-ADI-2010R1-pre-svn7960 #2738 Fri Dec 11 17:26:43 CST 2009
blackfin GNU/Linux
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/ITEST_COMMAND
0x00000000
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/ICPLB_STATUS
0x00000003
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/ITEST_DATA0
0x93086001
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/ITEST_DATA1
0x3fbff5d2
root:/> cat /sys/kernel/debug/blackfin/L1\ Code\ Memory\
Registers/IMEM_CONTROL
0x00000007
--- Mike Frysinger 2009-12-11 11:23:43
you simply got lucky, just like in the original bug, you simply got unlucky
--- Robin Getz 2010-07-08 11:04:16
This is anomaly was added to the most recent version of the anomaly sheets.
05000481 - Reads of ITEST_COMMAND and ITEST_DATA Registers Cause Cache
Corruption
Workaround:
1) Never read ITEST_COMMAND or ITEST_DATA
2) when performing the read, atomically and immediately after, write the same
data to the same register.
So, unless anyone has any objections, I'm going to change
arch/blackfin/include/asm/cdef_LPBlackfin.h to something like:
bfin_read_ITEST_COMMAND()
{
u32 val;
unsigned long flags;
local_irq_save_hw(flags);
val = bfin_read32(ITEST_COMMAND);
bfin_write32(val, ITEST_COMMAND);
local_irq_restore_hw(flags);
return val;
}
I think that should fix things.
--- Mike Frysinger 2010-07-08 12:43:16
it wont fix debugmmrs because that reads/writes addresses directly. you'll have
to tweak the file to use the helper.
--- Robin Getz 2010-07-08 14:10:46
Quick discussion on the phone with Mike - we came to the agreement to do the
first anomaly workaround - remove this from
arch/blackfin/include/asm/cdef_LPBlackfin.h, and from the xml file/debugmmrs.
-Robin
--- Robin Getz 2010-07-09 13:31:14
Fixed by removing the register from everywhere...
Assign back to Vivi for test (to make sure nothing broke).
-Robin
--- Vivi Li 2010-07-11 23:41:06
It's pass now on bf537-stamp. So close this bug.
I find that on other platform this test fail at other different files. So open
new bugs 6108/6109/6110/6111.
Files
Changes
Commits
Dependencies
Duplicates
Associations
Tags
File Name File Type File Size Posted By
No Files Were Found