The value of the PTE (starting_pte_num) was not
calulated correctly. If size of the buffer exceeded 4KB,
the buffer validation API was failing.
JIRA: ZEP-2489
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
The API name space for Bluetooth is bt_* and BT_* so it makes sense to
align the Kconfig name space with this. The additional benefit is that
this also makes the names shorter. It is also in line with what Linux
uses for Bluetooth Kconfig entries.
Some Bluetooth-related Networking Kconfig defines are renamed as well
in order to be consistent, such as NET_L2_BLUETOOTH.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
As luck would have it, the TSS for the main IA task has
all the information we need, populate an exception stack
frame with it.
The double-fault handler just stashes data and makes the main
hardware thread runnable again, and processing of the
exception continues from there.
We check the first byte before the faulting ESP value to see
if the stack pointer had run up to a non-present page, a sign
that this is a stack overflow and not a double fault for
some other reason.
Stack overflows in kernel mode are now recoverable for non-
essential threads, with the caveat that we hope we weren't in
a critical section updating kernel data structures when it
happened.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Configuring the RAM/ROM regions will be the same for all
x86 targets as this is done with linker symbols.
Peripheral configuration left at the SOC level.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The CPU first checks the page directory entry for write
or user permissions on a particular page before looking
at the page table entry.
If a region configured all pages to be non user accessible,
and this was changed for a page within it to be accessible,
the PDE would not be updated and any access would still
return a page fault.
The least amount of runtime logic to deal with this is to
indicate at build time that some pages within a region may
be marked writable or user accessible at runtime, and to
pre-set the flags in the page directory entry accordingly.
The driving need for this is the region configuration for
kernel memory, which will have user permissions set at
runtime for stacks and user-configured memory domains.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Page faults will additionally dump out some interesting
page directory and page table flags for the faulting
memory address.
Intended to help determine whether the page tables have been
configured incorrectly as we enable memory protection features.
This only happens if CONFIG_EXCEPTION_DEBUG is turned on.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Historically, stacks were just character buffers and could be treated
as such if the user wanted to look inside the stack data, and also
declared as an array of the desired stack size.
This is no longer the case. Certain architectures will create a memory
region much larger to account for MPU/MMU guard pages. Unfortunately,
the kernel interfaces treat both the declared stack, and the valid
stack buffer within it as the same char * data type, even though these
absolutely cannot be used interchangeably.
We introduce an opaque k_thread_stack_t which gets instantiated by
K_THREAD_STACK_DECLARE(), this is no longer treated by the compiler
as a character pointer, even though it really is.
To access the real stack buffer within, the result of
K_THREAD_STACK_BUFFER() can be used, which will return a char * type.
This should catch a bunch of programming mistakes at build time:
- Declaring a character array outside of K_THREAD_STACK_DECLARE() and
passing it to K_THREAD_CREATE
- Directly examining the stack created by K_THREAD_STACK_DECLARE()
which is not actually the memory desired and may trigger a CPU
exception
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This will trigger a page fault if the guard area
is written to. Since the exception itself will try
to write to the memory, a double fault will be triggered
and we will do an IA task switch to the df_tss and panic.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Subsequent patches will set this guard page as unmapped,
triggering a page fault on access. If this is due to
stack overflow, a double fault will be triggered,
which we are now capable of handling with a switch to
a know good stack.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We now create a special IA hardware task for handling
double faults. This has a known good stack so that if
the kernel tries to push stack data onto an unmapped page,
we don't triple-fault and reset the system.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We will need this for stack memory protection scenarios
where a writable GDT with Task State Segment descriptors
will be used. The addresses of the TSS segments cannot be
put in the GDT via preprocessor magic due to architecture
requirments that the address be split up into different
fields in the segment descriptor.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This has one use-case: configuring the double-fault #DF
exception handler to do an IA task switch to a special
IA task with a known good stack, such that we can dump
diagnostic information and then panic.
Will be used for stack overflow detection in kernel mode,
as otherwise the CPU will triple-fault and reset.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This is one less host tool we have to compile for every build,
and makes the build tools more portable across host OSes.
The code is also much simpler to maintain.
Issue: ZEP-2063
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This enables the MMU-based stack protection feature,
which will cause a fatal error if a thread overflows
its stack in kernel mode, at a nontrivial cost in memory
(4K per thread).
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This will cause sanitycheck runs to finish more quickly
instead of sitting there waiting on a timeout. We already
do this with the Xtensa simulator.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
'commit
("devicetree: Generate BLUETOOTH_UART ,UART_PIPE etc config from dt")'
created a dependency of selecting UART_QMSI_0 on device tree.
This change is reverted as it incorrect.
Signed-off-by: Savinay Dharmappa <savinay.dharmappa@intel.com>
patch uses chosen property zephyr,bt-uart, zephyr,uart-pipe
and zephyr,bt-mon-uart to determine the uart instance to be
used for bluetooth,uart_pipe and bluetooth_monitor and generate
appropriate configs.
Signed-off-by: Savinay Dharmappa <savinay.dharmappa@intel.com>
A user space buffer must be validated before required operation
can proceed. This API will check the current MMU
configuration to determine if the buffer held by the user is valid.
Jira: ZEP-2326
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
We can use the chosen property "zephyr,console" to determine what uart
should be used as the console and find its name to generate a define for
CONFIG_UART_CONSOLE_ON_DEV_NAME.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This breaks too easily, for example if &some_linker_variable
is used. The names don't matter at all, use preprocessor
__COUNTER__.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Previously we were instantiating QEMU with 32MB of RAM but
only enabling a small fraction of it.
Now we boot with 8MB of ram. We ignore the first 4K so we can
make that an unmapped paged to catch NULL pointer dereferences.
If XIP is enabled, the "ROM" region will be the first half of
memory, the "RAM" region the latter.
Move the IDT_LIST and MMU_LIST regions elsewhere so they don't
overlap the new memory arrangement.
Use !XIP to fix a problem where CONFIG_RAM_SIZE was set incorrectly
for XIP case.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The defaults of 0x100000 for ROM and 0x400000 for RAM are intended
to 'fake' a XIP configuration, this all takes place in just RAM.
The gap between these two values is 3 megabytes, specify this
properly.
Fixes numerous test cases on qemu_x86 if CONFIG_XIP is enabled.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This patch allows more generic USB configuration in the samples
and removes platform dependent driver configuration.
Signed-off-by: Johann Fischer <j.fischer@phytec.de>
patch adds necessary files and does the modification to the existing
files to add device support for x86 based intel quark microcontroller
Signed-off-by: Savinay Dharmappa <savinay.dharmappa@intel.com>
1. Changed _tsc_read() to k_cycles_get_32(). Thus reading the
time stamp will be agnostic of the architecutre used.
2. Changed the variable names from *_tsc to *_time_stamp.
JIRA: ZEP-1426
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Add a separate section in the linker to place the MMU configuration
information. This location is read by the gen_mmu.py script to
create the actual page tables.
JIRA: ZEP-2095
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
In crt0.S the MMU is initialized. It uses the statically build
page tables. Here 32-bit paging scheme is used, thereby each page
table entry maps to a 4KB page. The valid regions of the memory are
specified by SOC specific file(soc.c).
JIRA: ZEP-2099
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Makefile rule to create the MMU page tables at boot time. This
rule invokes the gen_mmu.py script to create a binary which is
then placed into the kernel image using objcopy.
Makefile.mmu is included only when CONFIG_X86_MMU is enabled.
JIRA: ZEP-2095
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Macro is used to create a structure to specify the boot time
page table configuration. Needed by the gen_mmu.py script to generate
the actual page tables.
Linker script is needed for the following:
1. To place the MMU page tables at 4KByte boundary.
2. To keep the configuration structure created by
the Macro(mentioned above).
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Kconfig definition for enabling the memory management Unit
on x86 based platforms.
JIRA: ZEP-2093
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Stack sentinel doesn't prevent corruption, it just notices when
it happens. Any memory could be in a bad state and it's more
appropriate to take the entire system down rather than just kill
the thread.
Fatal testcase will still work since it installs its own
_SysFatalErrorHandler.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
One of the stack sentinel policies was to check the sentinel
any time a cooperative context switch is done (i.e, _Swap is
called).
This was done by adding a hook to _check_stack_sentinel in
every arch's __swap function.
This way is cleaner as we just have the hook in one inline
function rather than implemented in several different assembly
dialects.
The check upon interrupt is now made unconditionally rather
than checking if we are calling __swap, since the check now
is only called on cooperative _Swap(). The interrupt is always
serviced first.
Issue: ZEP-2244
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The kernel tracks time slice usage with the _time_slice_elapsed global.
Every time the timer interrupt goes off and the timer driver calls
_nano_sys_clock_tick_announce() with the elapsed time, this is added to
_time_slice_elapsed. If it exceeds the total time slice, the thread is
moved to the back of the queue for that priority level and
_time_slice_elapsed is reset to zero.
In a non-tickless kernel, this is the only time _time_slice_elapsed is
reset. If a thread uses up a partial time slice, and then cooperatively
switches to another thread, the next thread will inherit the remaining
time slice, causing it not to be able to run as long as it ought to.
There does exist code to properly reset the elapsed count, but it was
only compiled in a tickless kernel. Now it is built any time
CONFIG_TIMESLICING is enabled.
Issue: ZEP-2107
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This reverts commit 37f4178f58.
This change builds gen_idt in the zephyr project tree instead of
building it in outdir of the application. The build process should all
happen inside outdir and no binaries should be placed in the zephyr
tree.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This places a sentinel value at the lowest 4 bytes of a stack
memory region and checks it at various intervals, including when
servicing interrupts or context switching.
This is implemented on all arches except ARC, which supports stack
bounds checking directly in hardware.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Andrew Boie