[PATCH] ARM: OMAP4+: wakeupgen: fix memory corruption

Fix a memory corruption bug caused by commit
247c445c0fbd52c77e497ff5bfcf0dceb8afea8d ("ARM: OMAP5: Add the
WakeupGen IP updates") and commit
ec2c0825ca3183a646a24717966cc7752e8b0393 ("ARM: OMAP2+: Remove
hardcoded IRQs and enable SPARSE_IRQ").

The first commit, in the OMAP4+ wakeupgen code, has an implicit
dependency on !SPARSE_IRQ.  It allocates a static array with NR_IRQS
elements, then proceeds to iterate over 128 or 160 elements of
that array, clearing them to zero.

The second commit switched OMAP2+ to use sparse IRQs, but missed the
NR_IRQS reference in the wakeupgen code.  Before the second commit,
NR_IRQS was 474 on OMAP4430; but afterwards, it became 16.

This resulted in the wakeupgen code allocating a 16 element array, and
then attempting to write to 128 or 160 of those elements, depending on the
type of SoC.  This trashed a chunk of whatever was allocated after the
array.

The immediate manifestation was a set of boot warnings similar to the
following:

   WARNING: at arch/arm/mach-omap2/omap_hwmod.c:1941 _enable+0x1bc/0x204()
   omap_hwmod: mpu: could not enable clockdomain mpuss_clkdm: -22
   ...

since it blew away arch_clkdm.  Ultimately the kernel crashed during boot.

Fix the problem in the OMAP4+ wakeupgen code by removing the reference to
NR_IRQS, allocating a larger array, and warning if the iteration is larger
than the array.

Signed-off-by: Paul Walmsley <paul@xxxxxxxxx>
Cc: Tony Lindgren <tony@xxxxxxxxxxx>
Cc: Santosh Shilimkar <santosh.shilimkar@xxxxxx>
---
Applies on arm-soc omap/cleanup-sparseirq and should ideally be merged 
there before the 3.7 merge window.

Test logs are here:

   http://www.pwsan.com/omap/testlogs/broken_sparseirq_fix_3.7/20120922012656/

 arch/arm/mach-omap2/omap-wakeupgen.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mach-omap2/omap-wakeupgen.c b/arch/arm/mach-omap2/omap-wakeupgen.c
index b54427d..869f16c 100644
--- a/arch/arm/mach-omap2/omap-wakeupgen.c
+++ b/arch/arm/mach-omap2/omap-wakeupgen.c
@@ -47,7 +47,7 @@
 static void __iomem *wakeupgen_base;
 static void __iomem *sar_base;
 static DEFINE_SPINLOCK(wakeupgen_lock);
-static unsigned int irq_target_cpu[NR_IRQS];
+static unsigned int irq_target_cpu[MAX_IRQS];
 static unsigned int irq_banks = MAX_NR_REG_BANKS;
 static unsigned int max_irqs = MAX_IRQS;
 static unsigned int omap_secure_apis;
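
Review bot: irq_target_cpu[] is now sized by MAX_IRQS, but the loop that fills it is bounded by the runtime variable max_irqs, which only starts out as MAX_IRQS; nothing at compile time ties the two together. The commit message says the code iterates over 128 or 160 elements depending on the SoC, and the definition of MAX_IRQS is not visible in this hunk, so please confirm it is at least the larger of those values. A short comment above the array stating that MAX_IRQS must cover the largest max_irqs any supported SoC sets would keep the next change from reintroducing the mismatch.
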
@@ -446,6 +446,12 @@ int __init omap_wakeupgen_init(void)
 	 * GIC code has necessary hooks in place.
 	 */
 
+	/*
+	 * If you see this warning, then the subsequent loop just
+	 * corrupted some memory
+	 */
+	WARN_ON(max_irqs > ARRAY_SIZE(irq_target_cpu));
+
 	/* Associate all the IRQs to boot CPU like GIC init does. */
 	for (i = 0; i < max_irqs; i++)
 		irq_target_cpu[i] = boot_cpu;
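
Review bot: the WARN_ON() placed before the loop only reports the overflow; the `for (i = 0; i < max_irqs; i++)` loop still runs with the unchecked bound, so a max_irqs larger than the array writes past irq_target_cpu[] exactly as before. Consider using the return value of WARN_ON() to clamp the loop bound, for example `if (WARN_ON(max_irqs > ARRAY_SIZE(irq_target_cpu))) max_irqs = ARRAY_SIZE(irq_target_cpu);`, or to bail out of the init function. The new comment also says the loop "just corrupted" memory although the warning fires before the loop executes; "is about to corrupt" would match the code.
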
-- 
1.7.10.4