[#5532] request PJx on BF537 will cause buffer overflow
Submitted By: Barry Song
Open Date: 2009-09-14 03:12:10
Close Date: 2010-02-22 10:23:50
Priority: Medium
Assignee: Michael Hennerich
Status: Closed
Fixed In Release: N/A
Found In Release: 2010R1
Release:
Category: N/A
Board: N/A
Processor: BF537
Silicon Revision:
Is this bug repeatable?: Yes
Resolution: Fixed
Uboot version or rev.:
Toolchain version or rev.: 09R1_RC10
App binary format: N/A
Summary: request PJx on BF537 will cause buffer overflow
Details:
Except BF538/539, on BF537, requesting the following pins (including I2C/SPI/CAN/SPORT) will cause a buffer overflow too, since PORT_PJx is bigger than MAX_BLACKFIN_GPIOS (48).
#define P_MDC (P_DEFINED | P_IDENT(PORT_PJ0) | P_FUNCT(0))
#define P_MDIO (P_DEFINED | P_IDENT(PORT_PJ1) | P_FUNCT(0))
#define P_TWI0_SCL (P_DEFINED | P_IDENT(PORT_PJ2) | P_FUNCT(0))
#define P_TWI0_SDA (P_DEFINED | P_IDENT(PORT_PJ3) | P_FUNCT(0))
#define P_SPORT0_DRSEC (P_DEFINED | P_IDENT(PORT_PJ4) | P_FUNCT(0))
#define P_SPORT0_DTSEC (P_DEFINED | P_IDENT(PORT_PJ5) | P_FUNCT(0))
#define P_SPORT0_RSCLK (P_DEFINED | P_IDENT(PORT_PJ6) | P_FUNCT(0))
#define P_SPORT0_RFS (P_DEFINED | P_IDENT(PORT_PJ7) | P_FUNCT(0))
#define P_SPORT0_DRPRI (P_DEFINED | P_IDENT(PORT_PJ8) | P_FUNCT(0))
#define P_SPORT0_TSCLK (P_DEFINED | P_IDENT(PORT_PJ9) | P_FUNCT(0))
#define P_SPORT0_TFS (P_DEFINED | P_IDENT(PORT_PJ10) | P_FUNCT(0))
#define P_SPORT0_DTPRI (P_DEFINED | P_IDENT(PORT_PJ11) | P_FUNCT(0))
#define P_CAN0_RX (P_DEFINED | P_IDENT(PORT_PJ4) | P_FUNCT(1))
#define P_CAN0_TX (P_DEFINED | P_IDENT(PORT_PJ5) | P_FUNCT(1))
#define P_SPI0_SSEL3 (P_DEFINED | P_IDENT(PORT_PJ10) | P_FUNCT(1))
#define P_SPI0_SSEL2 (P_DEFINED | P_IDENT(PORT_PJ11) | P_FUNCT(1))
#define P_SPI0_SSEL7 (P_DEFINED | P_IDENT(PORT_PJ5) | P_FUNCT(2))
The problem exists on 09R1 release too.
Follow-ups
--- Yi Li 2009-09-14 03:35:59
Using linux-kernel svn #7309, when the bfin_mac driver calls peripheral_request() for
PortJ (P_MDC, P_MIO), peripheral_request() will return failure and cause an
exception. So we need to change either the bfin_mac driver or
peripheral_request().
peripheral_request: the GPIO number 48 is bigger available GPIOs 48 !
bfin_mii_bus bfin_mii_bus.0: Requesting peripherals failed!
NULL pointer access
Kernel OOPS in progress
Deferred Exception context
CURRENT PROCESS:
COMM=swapper PID=1
CPU = 0
invalid mm
return address: [0x0010af76]; contents of:
0x0010af50: 5608 4340 0c00 1c48 3045 e3fd 1a6d e53d
0x0010af60: 0015 0c45 1886 e12a 02c0 5bd4 3044 e52a
0x0010af70: 0014 e73a 001d [bd94] e3fd 1e78 0c00 3038
0x0010af80: 1444 3044 e3fe 5380 e140 0011 e100 4060
ADSP-BF537-0.2 500(MHz CCLK) 100(MHz SCLK) (mpu off)
Linux version 2.6.31-ADI-2010R1-pre-svn7309 (adam@adam-desktop) (gcc version
4.1.2 (ADI svn)) #134 Mon Sep 14 15:06:36 CST 2009
SEQUENCER STATUS: Not tainted
SEQSTAT: 00000027 IPEND: 8008 IMASK: ffff SYSCFG: 0006
EXCAUSE : 0x27
physical IVG3 asserted : <0xffa006f8> { _trap + 0x0 }
physical IVG15 asserted : <0xffa00fc8> { _evt_system_call + 0x0 }
logical irq 6 mapped : <0xffa00374> { _timer_interrupt + 0x0 }
RETE: <0x00000000> /* Maybe null pointer? */
RETN: <0x0201bea4> /* kernel dynamic memory */
RETX: <0x00000480> /* Maybe fixed code section */
RETS: <0x0010af5e> { _bfin_mac_probe + 0xf6 }
PC : <0x0010af76> { _bfin_mac_probe + 0x10e }
DCPLB_FAULT_ADDR: <0x00000018> /* Maybe null pointer? */
ICPLB_FAULT_ADDR: <0x0010af76> { _bfin_mac_probe + 0x10e }
PROCESSOR STATE:
R0 : 02081000 R1 : ffff96bf R2 : ffffff96 R3 : 00000000
R4 : 00000000 R5 : 0017f62c R6 : 0201bf20 R7 : 00177580
P0 : 0292de88 P1 : 0292de68 P2 : 00000000 P3 : 0017754c
P4 : 02081000 P5 : 00177488 FP : 020812c0 SP : 0201bdc8
LB0: ffa016ae LT0: ffa016ae LC0: 00000000
LB1: 00092820 LT1: 00092820 LC1: 00000000
B0 : 00000000 L0 : 00000000 M0 : 00000000 I0 : 0201beb0
B1 : 00000000 L1 : 00000000 M1 : 00000000 I1 : 0201be5c
B2 : 00000000 L2 : 00000000 M2 : 00000000 I2 : 00000000
B3 : 00000000 L3 : 00000000 M3 : 00000000 I3 : 00000000
A0.w: 00000000 A0.x: 00000000 A1.w: 00000000 A1.x: 00000000
USP : 00000000 ASTAT: 00003004
Hardware Trace:
0 Target : <0x00004e34> { _trap_c + 0x0 }
Source : <0xffa0068c> { _exception_to_level5 + 0xa4 } CALL pcrel
1 Target : <0xffa005e8> { _exception_to_level5 + 0x0 }
Source : <0xffa0049c> { _bfin_return_from_exception + 0x20 } RTX
2 Target : <0xffa0047c> { _bfin_return_from_exception + 0x0 }
Source : <0xffa00540> { _ex_trap_c + 0x74 } JUMP.S
3 Target : <0xffa004cc> { _ex_trap_c + 0x0 }
Source : <0xffa003a4> { _ex_workaround_261 + 0x1c } JUMP.S
4 Target : <0xffa00388> { _ex_workaround_261 + 0x0 }
Source : <0xffa00760> { _trap + 0x68 } JUMP (P4)
5 Target : <0xffa00718> { _trap + 0x20 }
Source : <0xffa00714> { _trap + 0x1c } IF !CC JUMP
6 Target : <0xffa006f8> { _trap + 0x0 }
Source : <0xffa0049c> { _bfin_return_from_exception + 0x20 } RTX
7 Target : <0xffa0047c> { _bfin_return_from_exception + 0x0 }
Source : <0xffa0039a> { _ex_workaround_261 + 0x12 } IF !CC JUMP
8 Target : <0xffa00388> { _ex_workaround_261 + 0x0 }
Source : <0xffa00760> { _trap + 0x68 } JUMP (P4)
9 Target : <0xffa00718> { _trap + 0x20 }
Source : <0xffa00714> { _trap + 0x1c } IF !CC JUMP
10 Target : <0xffa006f8> { _trap + 0x0 }
Source : <0x0010af72> { _bfin_mac_probe + 0x10a } 0xe73a
11 Target : <0x0010af5e> { _bfin_mac_probe + 0xf6 }
Source : <0x000ae448> { _setup_mac_addr + 0x14 } RTS
12 Target : <0x000ae434> { _setup_mac_addr + 0x0 }
Source : <0x0010af5a> { _bfin_mac_probe + 0xf2 } CALL pcrel
13 Target : <0x0010aef4> { _bfin_mac_probe + 0x8c }
Source : <0x0010aec2> { _bfin_mac_probe + 0x5a } IF !CC JUMP
14 Target : <0x0010ae7a> { _bfin_mac_probe + 0x12 }
Source : <0x000d5682> { _alloc_etherdev_mq + 0x1e } RTS
15 Target : <0x000d567e> { _alloc_etherdev_mq + 0x1a }
Source : <0x000cc3fe> { _alloc_netdev_mq + 0xba } RTS
Kernel Stack
Stack info:
SP: [0x0201bdf8] <0x0201bdf8> /* kernel dynamic memory */
FP: (0x0201bebc)
Memory from 0x0201bdf0 to 0201c000
Return addresses in stack:
address : <0x00076092> { _create_dir + 0x3a }
address : <0x000a8232> { _driver_sysfs_add + 0x42 }
frame 1 : <0x000a8390> { _really_probe + 0xdc }
address : <0x0010a058> { _klist_next + 0x20 }
address : <0x000a8454> { ___driver_attach + 0x60 }
address : <0x000a7af4> { _bus_for_each_dev + 0x3c }
address : <0x000a81ea> { _driver_attach + 0x1a }
address : <0x000a7f88> { _bus_add_driver + 0x60 }
address : <0x000a7fa6> { _bus_add_driver + 0x7e }
address : <0x000a871c> { _driver_register + 0x64 }
address : <0x000a8704> { _driver_register + 0x4c }
address : <0x0000102e> { _do_one_initcall + 0x2e }
address : <0x00186296> { _do_initcalls + 0x2a }
address : <0x0018649e> { _kernel_init + 0x3e }
address : <0x00001496> { _kernel_thread_helper + 0x6 }
Modules linked in:
Kernel panic - not syncing: Kernel exception
Hardware Trace:
Stack info:
SP: [0x0201bce0] <0x0201bce0> /* kernel dynamic memory */
FP: (0x0201bebc)
Memory from 0x0201bce0 to 0201c000
Return addresses in stack:
address : <0x00010acc> { _panic + 0x4c }
address : <0x000051a6> { _trap_c + 0x372 }
address : <0xffa00be2> { __common_int_entry + 0x72 }
address : <0x0000b42a> { _wakeup_gran + 0x6a }
address : <0x0000b470> { _wakeup_preempt_entity + 0x28 }
address : <0x0008d6a2> { _idr_get_empty_slot + 0x86 }
address : <0xffa00690> { _exception_to_level5 + 0xa8 }
address : <0x0010af5e> { _bfin_mac_probe + 0xf6 }
address : <0x00076092> { _create_dir + 0x3a }
address : <0x000a8232> { _driver_sysfs_add + 0x42 }
frame 1 : <0x000a8390> { _really_probe + 0xdc }
address : <0x0010a058> { _klist_next + 0x20 }
address : <0x000a8454> { ___driver_attach + 0x60 }
address : <0x000a7af4> { _bus_for_each_dev + 0x3c }
address : <0x000a81ea> { _driver_attach + 0x1a }
address : <0x000a7f88> { _bus_add_driver + 0x60 }
address : <0x000a7fa6> { _bus_add_driver + 0x7e }
address : <0x000a871c> { _driver_register + 0x64 }
address : <0x000a8704> { _driver_register + 0x4c }
address : <0x0000102e> { _do_one_initcall + 0x2e }
address : <0x00186296> { _do_initcalls + 0x2a }
address : <0x0018649e> { _kernel_init + 0x3e }
address : <0x00001496> { _kernel_thread_helper + 0x6 }
--- Barry Song 2009-09-14 03:40:39
Michael,
I can change P_DEFINED to P_DONTCARE for PJx and move BUG_ON(ident >=
MAX_BLACKFIN_GPIOS) behind the if (per & P_DONTCARE) check in
peripheral_request as a fast fix, since PJx can't work as GPIO on BF537 in fact.
But maybe it's better for you to make an overall fix for all related issues.
I am not sure whether I lost something too.
-Barry
--- Barry Song 2009-09-16 02:11:26
To fix the problem, change BUG_ON(ident >= MAX_BLACKFIN_GPIOS) to
BUG_ON(ident >= MAX_RESOURCES).
MAX_RESOURCES is bigger than MAX_BLACKFIN_GPIOS on BF537. So pins between 48
and 63 can be reserved by a peripheral, but not by GPIO.
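The bound described in the follow-up above, as an added C model (not the Blackfin kernel source and not part of the original thread): peripheral requests are checked against MAX_RESOURCES, GPIO requests against MAX_BLACKFIN_GPIOS, and the smaller GPIO map is never indexed with a Port J ident. The `model_*` names, the 16-bit bank width and MAX_RESOURCES = 64 (inferred from "pins between 48 and 63") are assumptions.

```c
#include <errno.h>
#include <stdint.h>

/* Model constants: 48 comes from the report; 64 is an assumption inferred
 * from the "pins between 48 and 63" remark in the follow-up. */
#define MAX_BLACKFIN_GPIOS 48
#define MAX_RESOURCES      64
#define BANK_BITS          16   /* assumed bank width for this model */
#define BANKS(n)           (((n) + BANK_BITS - 1) / BANK_BITS)

/* Two separately sized maps. Indexing gpio_map with ident 48..63 would
 * touch bank 3 of a 3-bank array, one element past its end. */
static uint16_t gpio_map[BANKS(MAX_BLACKFIN_GPIOS)];
static uint16_t peri_map[BANKS(MAX_RESOURCES)];

static int test_bit16(const uint16_t *map, unsigned id)
{
    return (map[id / BANK_BITS] >> (id % BANK_BITS)) & 1u;
}

static void set_bit16(uint16_t *map, unsigned id)
{
    map[id / BANK_BITS] |= (uint16_t)(1u << (id % BANK_BITS));
}

/* Peripheral reservation: the bound is the size of the peripheral map. */
int model_peripheral_request(unsigned ident)
{
    if (ident >= MAX_RESOURCES)
        return -EINVAL;
    if (test_bit16(peri_map, ident))
        return -EBUSY;
    /* Consult the GPIO map only for idents it actually covers. */
    if (ident < MAX_BLACKFIN_GPIOS && test_bit16(gpio_map, ident))
        return -EBUSY;
    set_bit16(peri_map, ident);
    return 0;
}

/* GPIO reservation: the bound stays at the GPIO count. */
int model_gpio_request(unsigned gpio)
{
    if (gpio >= MAX_BLACKFIN_GPIOS)
        return -EINVAL;
    if (test_bit16(gpio_map, gpio) || test_bit16(peri_map, gpio))
        return -EBUSY;
    set_bit16(gpio_map, gpio);
    return 0;
}
```

Returning an error code instead of calling BUG_ON is a choice made for this model so the out-of-range cases can be exercised; ident 48 corresponds to the first Port J pin as shown by the peripheral_request message in the log above.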
--- Michael Hennerich 2010-02-22 10:23:01
close it