lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210210155419.629c18c7@gollum>
Date:   Wed, 10 Feb 2021 15:54:19 +0100
From:   Juerg Haefliger <juerg.haefliger@...onical.com>
To:     Nicolas Saenz Julienne <nsaenzjulienne@...e.de>
Cc:     Juerg Haefliger <juerg.haefliger@...onical.com>,
        stefan.wahren@...e.com, Florian Fainelli <f.fainelli@...il.com>,
        Catalin Marinas <catalin.marinas@....com>,
        Robin Murphy <robin.murphy@....con>,
        bcm-kernel-feedback-list@...adcom.com, linux-pm@...r.kernel.org,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: bcm2711_thermal: Kernel panic - not syncing: Asynchronous
 SError Interrupt

On Wed, 10 Feb 2021 14:15:46 +0100
Nicolas Saenz Julienne <nsaenzjulienne@...e.de> wrote:

> [ Add Robin, Catalin and Florian in case they want to chime in ]
> 
> Hi Juerg, thanks for the report!
> 
> On Wed, 2021-02-10 at 11:48 +0100, Juerg Haefliger wrote:
> > Trying to dump the BCM2711 registers kills the kernel:
> > 
> > # cat /sys/kernel/debug/regmap/dummy-avs-monitor\@fd5d2000/range
> > 0-efc
> > # cat /sys/kernel/debug/regmap/dummy-avs-monitor\@fd5d2000/registers 
> > 
> > [   62.857661] SError Interrupt on CPU1, code 0xbf000002 -- SError  
> 
> So ESR's IDS (bit 24) is set, which means it's an 'Implementation Defined
> SError,' hence IIUC the rest of the error code is meaningless to anyone outside
> of Broadcom/RPi.
> 
> The regmap is created through the following syscon device:
> 
> 	avs_monitor: avs-monitor@...d2000 {
> 		compatible = "brcm,bcm2711-avs-monitor",
> 			     "syscon", "simple-mfd";
> 		reg = <0x7d5d2000 0xf00>;
> 
> 		thermal: thermal {
> 			compatible = "brcm,bcm2711-thermal";
> 			#thermal-sensor-cells = <0>;
> 		};
> 	};
> 
> I've done some tests with devmem, and the whole <0x7d5d2000 0xf00> range is
> full of addresses that trigger this same error. Also note that as per Florian's
> comments[1]: "AVS_RO_REGISTERS_0: 0x7d5d2200 - 0x7d5d22e3." But from what I can
> tell, at least 0x7d5d22b0 seems to be faulty too.
> 
> Any ideas/comments? My guess is that those addresses are marked somehow as
> secure, and only for VC4 to access (VC4 is RPi4's co-processor). Ultimately,
> the solution is to narrow the register range exposed by avs-monitor to whatever
> bcm2711-thermal needs (which is ATM a single 32bit register).

Yeah, that's what I tried but wasn't sure if that's the correct approach or
if there was something wrong with the DTB (which I know virtually nothing
about).

With [1] I get seemingly the correct behavior:

# cat /sys/kernel/debug/regmap/dummy-avs-monitor\@fd5d2200/range 
0-0
# cat /sys/kernel/debug/regmap/dummy-avs-monitor\@fd5d2200/registers 
0: 000106fa
# cat /sys/class/thermal/thermal_zone0/temp 
39433

On a different note, how did you come up with that address range in the DTB?
Is that public information?

...Juerg


[1]
diff --git a/arch/arm/boot/dts/bcm2711.dtsi b/arch/arm/boot/dts/bcm2711.dtsi
index 4847dd305317..a7059967aab1 100644
--- a/arch/arm/boot/dts/bcm2711.dtsi
+++ b/arch/arm/boot/dts/bcm2711.dtsi
@@ -65,10 +65,10 @@ gicv2: interrupt-controller@...41000 {
                                                 IRQ_TYPE_LEVEL_HIGH)>;
                };
 
-               avs_monitor: avs-monitor@...d2000 {
+               avs_monitor: avs-monitor@...d2200 {
                        compatible = "brcm,bcm2711-avs-monitor",
                                     "syscon", "simple-mfd";
-                       reg = <0x7d5d2000 0xf00>;
+                       reg = <0x7d5d2200 0x4>;
 
                        thermal: thermal {
                                compatible = "brcm,bcm2711-thermal";
diff --git a/drivers/thermal/broadcom/bcm2711_thermal.c b/drivers/thermal/broadcom/bcm2711_thermal.c
index 67c2a737bc9d..3b5a84402b89 100644
--- a/drivers/thermal/broadcom/bcm2711_thermal.c
+++ b/drivers/thermal/broadcom/bcm2711_thermal.c
@@ -22,7 +22,7 @@
 
 #include "../thermal_hwmon.h"
 
-#define AVS_RO_TEMP_STATUS             0x200
+#define AVS_RO_TEMP_STATUS             0x0 /* address 0x7d5d2200 */
 #define AVS_RO_TEMP_STATUS_VALID_MSK   (BIT(16) | BIT(10))
 #define AVS_RO_TEMP_STATUS_DATA_MSK    GENMASK(9, 0)




> Regards,
> Nicolas
> 
> [1] https://lore.kernel.org/linux-pm/82125042-684a-b4e2-fbaa-45a393b2ce5e@gmx.net/
> 
> > [   62.857671] CPU: 1 PID: 478 Comm: cat Not tainted 5.11.0-rc7 #4
> > [   62.857674] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
> > [   62.857676] pstate: 20000085 (nzCv daIf -PAN -UAO -TCO BTYPE=--)
> > [   62.857679] pc : regmap_mmio_read32le+0x1c/0x34
> > [   62.857681] lr : regmap_mmio_read+0x50/0x80
> > [   62.857682] sp : ffff8000105c3c00
> > [   62.857685] x29: ffff8000105c3c00 x28: 0000000000000014 
> > [   62.857694] x27: 0000000000000014 x26: ffffd2ea1c2060b0 
> > [   62.857699] x25: ffff4e34408ecc00 x24: 0000000000000efc 
> > [   62.857704] x23: ffff8000105c3e20 x22: ffff8000105c3d3c 
> > [   62.857710] x21: ffff8000105c3d3c x20: 0000000000000014 
> > [   62.857715] x19: ffff4e344037a900 x18: 0000000000000020 
> > [   62.857720] x17: 0000000000000000 x16: 0000000000000000 
> > [   62.857725] x15: ffff4e3447ac40f0 x14: 0000000000000003 
> > [   62.857730] x13: ffff4e34422c0000 x12: ffff4e34422a0046 
> > [   62.857735] x11: ffffd2ea1c8765e0 x10: 0000000000000000 
> > [   62.857741] x9 : ffffd2ea1b9495a0 x8 : ffff4e34429ef980 
> > [   62.857746] x7 : 000000000000000f x6 : ffff4e34422a004b 
> > [   62.857751] x5 : 00000000fffffff9 x4 : 0000000000000000 
> > [   62.857757] x3 : ffffd2ea1b949550 x2 : ffffd2ea1b949330 
> > [   62.857761] x1 : 0000000000000014 x0 : 0000000000000000 
> > [   62.857767] Kernel panic - not syncing: Asynchronous SError Interrupt
> > [   62.857770] CPU: 1 PID: 478 Comm: cat Not tainted 5.11.0-rc7 #4
> > [   62.857773] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
> > [   62.857775] Call trace:
> > [   62.857777]  dump_backtrace+0x0/0x1e0
> > [   62.857778]  show_stack+0x24/0x70
> > [   62.857780]  dump_stack+0xd0/0x12c
> > [   62.857782]  panic+0x168/0x370
> > [   62.857783]  nmi_panic+0x98/0xa0
> > [   62.857786]  arm64_serror_panic+0x8c/0x98
> > [   62.857787]  do_serror+0x3c/0x6c
> > [   62.857789]  el1_error+0x78/0xf0
> > [   62.857791]  regmap_mmio_read32le+0x1c/0x34
> > [   62.857793]  _regmap_bus_reg_read+0x24/0x30
> > [   62.857795]  _regmap_read+0x6c/0x17c
> > [   62.857797]  regmap_read+0x58/0x84
> > [   62.857799]  regmap_read_debugfs+0x138/0x3f4
> > [   62.857801]  regmap_map_read_file+0x34/0x40
> > [   62.857803]  full_proxy_read+0x6c/0xc0
> > [   62.857805]  vfs_read+0xb8/0x1e4
> > [   62.857807]  ksys_read+0x78/0x10c
> > [   62.857809]  __arm64_sys_read+0x28/0x34
> > [   62.857811]  el0_svc_common.constprop.0+0x7c/0x194
> > [   62.857813]  do_el0_svc+0x30/0x9c
> > [   62.857814]  el0_svc+0x20/0x30
> > [   62.857816]  el0_sync_handler+0x1a4/0x1b0
> > [   62.857818]  el0_sync+0x174/0x180
> > [   62.857842] SMP: stopping secondary CPUs
> > [   62.857845] Kernel Offset: 0x52ea0b080000 from 0xffff800010000000
> > [   62.857847] PHYS_OFFSET: 0xffffb1cc00000000
> > [   62.857849] CPU features: 0x00240022,61806000
> > [   62.857851] Memory Limit: none
> > 
> > Sprinkling printks around regmap_read [1] shows that reading from 0x14 (20)
> > seems to cause the issue:
> > 
> > 
> > [   40.456230] map=ffff020a069c9c00, from=0, to=3836, count=131072
> > [   40.462520] map=ffff020a069c9c00, i=0
> > [   40.466319] ret=0, val=0
> > [   40.468922] map=ffff020a069c9c00, i=4
> > [   40.472684] ret=0, val=0
> > [   40.475292] map=ffff020a069c9c00, i=8
> > [   40.479048] ret=0, val=0
> > [   40.481649] map=ffff020a069c9c00, i=12
> > [   40.485492] ret=0, val=0
> > [   40.488080] map=ffff020a069c9c00, i=16
> > [   40.491922] ret=0, val=0
> > [   40.494523] map=ffff020a069c9c00, i=20
> > [   40.498497] SError Interrupt on CPU0, code 0xbf000002 -- SError
> > [   40.498499] CPU: 0 PID: 486 Comm: cat Not tainted 5.11.0-rc7+ #8
> > [   40.498501] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
> > 
> > 
> > ...Juerg
> > 
> > [1]
> > diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c
> > index ff2ee87987c7..9465f5a2f3b8 100644
> > --- a/drivers/base/regmap/regmap-debugfs.c
> > +++ b/drivers/base/regmap/regmap-debugfs.c
> > @@ -229,6 +229,7 @@ static ssize_t regmap_read_debugfs(struct regmap *map, unsigned int from,
> >         if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
> >                 count = PAGE_SIZE << (MAX_ORDER - 1);
> >  
> > 
> > +       printk("map=%px, from=%d, to=%d, count=%ld\n", map, from, to, count);
> >         buf = kmalloc(count, GFP_KERNEL);
> >         if (!buf)
> >                 return -ENOMEM;
> > @@ -253,7 +254,9 @@ static ssize_t regmap_read_debugfs(struct regmap *map, unsigned int from,
> >                         buf_pos += map->debugfs_reg_len + 2;
> >  
> > 
> >                         /* Format the value, write all X if we can't read */
> > +                       printk("map=%px, i=%d\n", map, i);
> >                         ret = regmap_read(map, i, &val);
> > +                       printk("ret=%ld, val=%x\n", ret, val);
> >                         if (ret == 0)
> >                                 snprintf(buf + buf_pos, count - buf_pos,
> >                                          "%.*x", map->debugfs_val_len, val);
> >   
> 
> 
> 


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ