As luck would have it, the TSS for the main IA task has
all the information we need, populate an exception stack
frame with it.
The double-fault handler just stashes data and makes the main
hardware thread runnable again, and processing of the
exception continues from there.
We check the first byte before the faulting ESP value to see
if the stack pointer had run up to a non-present page, a sign
that this is a stack overflow and not a double fault for
some other reason.
Stack overflows in kernel mode are now recoverable for non-
essential threads, with the caveat that we hope we weren't in
a critical section updating kernel data structures when it
happened.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Configuring the RAM/ROM regions will be the same for all
x86 targets as this is done with linker symbols.
Peripheral configuration left at the SOC level.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The CPU first checks the page directory entry for write
or user permissions on a particular page before looking
at the page table entry.
If a region configured all pages to be non user accessible,
and this was changed for a page within it to be accessible,
the PDE would not be updated and any access would still
return a page fault.
The least amount of runtime logic to deal with this is to
indicate at build time that some pages within a region may
be marked writable or user accessible at runtime, and to
pre-set the flags in the page directory entry accordingly.
The driving need for this is the region configuration for
kernel memory, which will have user permissions set at
runtime for stacks and user-configured memory domains.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Page faults will additionally dump out some interesting
page directory and page table flags for the faulting
memory address.
Intended to help determine whether the page tables have been
configured incorrectly as we enable memory protection features.
This only happens if CONFIG_EXCEPTION_DEBUG is turned on.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The ouput speed of the gpio pins passed via the 'conf' argument was
ignored, causing the speed to always be in its reset state (lowest
possible speed for most pins). This was causing problems for pins that
actually need a speed faster than the default, like the ethernet
controller pins.
Combined with the correct pinmux configuration this fixes problems
of the olimex_stm32_e407 board not being able to send ethernet data.
Signed-off-by: Erwin Rol <erwin@erwinrol.com>
Historically, stacks were just character buffers and could be treated
as such if the user wanted to look inside the stack data, and also
declared as an array of the desired stack size.
This is no longer the case. Certain architectures will create a memory
region much larger to account for MPU/MMU guard pages. Unfortunately,
the kernel interfaces treat both the declared stack, and the valid
stack buffer within it as the same char * data type, even though these
absolutely cannot be used interchangeably.
We introduce an opaque k_thread_stack_t which gets instantiated by
K_THREAD_STACK_DECLARE(), this is no longer treated by the compiler
as a character pointer, even though it really is.
To access the real stack buffer within, the result of
K_THREAD_STACK_BUFFER() can be used, which will return a char * type.
This should catch a bunch of programming mistakes at build time:
- Declaring a character array outside of K_THREAD_STACK_DECLARE() and
passing it to K_THREAD_CREATE
- Directly examining the stack created by K_THREAD_STACK_DECLARE()
which is not actually the memory desired and may trigger a CPU
exception
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Move to using the generated IRQ defines from the DTS instead of soc.h.
This change also fixes a minor bug in that the error irq priority wasn't
getting correctly picked up from device tree.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
STM32F3 pinmux handler is reworked to support future pinmux dts
generation.
Preliminary change is done to move pin configuration
informations in a {pin, conf} structure closer to dts fields
"pins" array is removed as information is transfered to
"pinconf" array
Signed-off-by: Erwan Gouriou <erwan.gouriou@linaro.org>
STM32F4 pinmux handler is reworked to support future pinmux dts
generation.
Preliminary change is done to move pin configuration
informations in a {pin, conf} structure closer to dts fields
"pins" array is removed as information is transfered to
"pinconf" array
Signed-off-by: Erwan Gouriou <erwan.gouriou@linaro.org>
Rework stm32f1 pinmux code for future dts based pinmux code
generation.
Pin configuration is now done directly thanks to gpio port
configuration. Reference to pseudo alternate functions are
now removed same as the use of pins[] array.
Pins function (uart tx for instance) is set implicitly by
defining gpio mode and configuration.
This behavior is specific to stm32f10x series.
Signed-off-by: Erwan Gouriou <erwan.gouriou@linaro.org>
STM32L4 pinmux handler is reworked to support future pinmux dts
generation.
Preliminary change is done to move pin configuration
informations in a {pin, conf} structure closer to dts fields
"pins" array is removed and information is transferred to
"pinconf" array
Signed-off-by: Erwan Gouriou <erwan.gouriou@linaro.org>
In L4 series, select HAS_STM32CUBE is done per soc.
This could be factorized in Kconfig.series.
Aim is to lower the steps to add a new SoC.
Signed-off-by: Erwan Gouriou <erwan.gouriou@linaro.org>
Now that we generate BLUETOOTH_UART_ON_DEV_NAME, UART_PIPE_ON_DEV_NAME,
and BLUETOOTH_MONITOR_ON_DEV_NAME Kconfig defines for dts enabled
platforms add those into the appropriate dts files and remove from the
various board/Kconfig.defconfig files.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This will trigger a page fault if the guard area
is written to. Since the exception itself will try
to write to the memory, a double fault will be triggered
and we will do an IA task switch to the df_tss and panic.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Subsequent patches will set this guard page as unmapped,
triggering a page fault on access. If this is due to
stack overflow, a double fault will be triggered,
which we are now capable of handling with a switch to
a know good stack.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We now create a special IA hardware task for handling
double faults. This has a known good stack so that if
the kernel tries to push stack data onto an unmapped page,
we don't triple-fault and reset the system.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We will need this for stack memory protection scenarios
where a writable GDT with Task State Segment descriptors
will be used. The addresses of the TSS segments cannot be
put in the GDT via preprocessor magic due to architecture
requirments that the address be split up into different
fields in the segment descriptor.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This has one use-case: configuring the double-fault #DF
exception handler to do an IA task switch to a special
IA task with a known good stack, such that we can dump
diagnostic information and then panic.
Will be used for stack overflow detection in kernel mode,
as otherwise the CPU will triple-fault and reset.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This is one less host tool we have to compile for every build,
and makes the build tools more portable across host OSes.
The code is also much simpler to maintain.
Issue: ZEP-2063
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This enables the MMU-based stack protection feature,
which will cause a fatal error if a thread overflows
its stack in kernel mode, at a nontrivial cost in memory
(4K per thread).
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This will cause sanitycheck runs to finish more quickly
instead of sitting there waiting on a timeout. We already
do this with the Xtensa simulator.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
With introduction of commit "pinmux: stm32: directly return error if
stm32_get_pin_config fails", pin configuration fails when
pins are not configured in pins[] array.
This was the case for configuration UART1 assigned on PB6/PB7.
Signed-off-by: Erwan Gouriou <erwan.gouriou@linaro.org>
'commit
("devicetree: Generate BLUETOOTH_UART ,UART_PIPE etc config from dt")'
created a dependency of selecting UART_QMSI_0 on device tree.
This change is reverted as it incorrect.
Signed-off-by: Savinay Dharmappa <savinay.dharmappa@intel.com>
If the adc driver configuration is enabled (CONFIG_ADC=y), then enable
the mcux shim driver by default for all Kinetis SoCs.
Jira: ZEP-1396
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
Adds a shim layer around the mcux adc16 driver to adapt it to the Zephyr
adc interface.
Jira: ZEP-1396
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
patch uses chosen property zephyr,bt-uart, zephyr,uart-pipe
and zephyr,bt-mon-uart to determine the uart instance to be
used for bluetooth,uart_pipe and bluetooth_monitor and generate
appropriate configs.
Signed-off-by: Savinay Dharmappa <savinay.dharmappa@intel.com>
A user space buffer must be validated before required operation
can proceed. This API will check the current MMU
configuration to determine if the buffer held by the user is valid.
Jira: ZEP-2326
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This needs to be in <arch/cpu.h> so that it can be called
from the k_panic()/k_oops() macros in kernel.h.
Fixes build errors on these arches when using k_panic() or
k_oops().
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We can use the chosen property "zephyr,console" to determine what uart
should be used as the console and find its name to generate a define for
CONFIG_UART_CONSOLE_ON_DEV_NAME.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This breaks too easily, for example if &some_linker_variable
is used. The names don't matter at all, use preprocessor
__COUNTER__.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Previously we were instantiating QEMU with 32MB of RAM but
only enabling a small fraction of it.
Now we boot with 8MB of ram. We ignore the first 4K so we can
make that an unmapped paged to catch NULL pointer dereferences.
If XIP is enabled, the "ROM" region will be the first half of
memory, the "RAM" region the latter.
Move the IDT_LIST and MMU_LIST regions elsewhere so they don't
overlap the new memory arrangement.
Use !XIP to fix a problem where CONFIG_RAM_SIZE was set incorrectly
for XIP case.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Add a STM32 LL based driver for the RNG processor. The RNG processor
is a random number generator, based on a continuous analog noise, that
provides a random 32-bit value to the host when read. The RNG passed
the FIPS PUB 140-2 (2001 October 10) tests with a success ratio of 99%.
Signed-off-by: Erwin Rol <erwin@erwinrol.com>
Right now we allow for the I2C subsystem to be built without any drivers
enabled that utilize it. When we added support for the new STM32 I2C
driver we forced the I2C driver to be enabled if the I2C subsystem was
enabled. While this makes a reasonable amount of sense, it breaks
current assumptions for various testcases that we need to cleanup.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
By now, t0 register restored value is overwritten
by mepc and mstatus values prior to returning from ISR.
Fixed by restoring mstatus and mepc registers before
restoring the caller-saved registers.
As t0 is a temporary register within the riscv ABI,
this issue was unnoticed for most applications, except
for computation intensive apps, like crypto tests.
Signed-off-by: Jean-Paul Etienne <fractalclone@gmail.com>
The defaults of 0x100000 for ROM and 0x400000 for RAM are intended
to 'fake' a XIP configuration, this all takes place in just RAM.
The gap between these two values is 3 megabytes, specify this
properly.
Fixes numerous test cases on qemu_x86 if CONFIG_XIP is enabled.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
