
linaro-pkg team mailing list archive

[Bug 1029956] [NEW] vexpress: Corruption of relocation entry pre-copying

 

Public bug reported:

I originally found this issue when enabling CONFIG_API for the vexpress
build on the linaro-stable head, but tracking it down shows this only
affects the alignment and the bug is present regardless - it only does not
trigger a crash otherwise.

Image built from linaro-stable head for vexpress_ca9x4, put it on my
board, ran it - and it crashed somewhere after printing "DRAM:  1 GiB".

Tracked it down to an unaligned access in "fixrel" in arch/arm/cpu/armv7/start.S - an address that appears to be one greater than what's intended. Setting a watchpoint to trap accesses, the culprit turns out to be the following innocent-looking line in drivers/serial/serial_pl01x.c
---
       serial_init_called++;
---

This (global) variable was added by patch
http://git.linaro.org/gitweb?p=boot/u-boot-linaro-stable.git;a=commitdiff;h=a20a4cd6297b216383a40799c5b355bf5502724d

With CONFIG_API enabled, the address contained in the relocation is
corrupted.  With it disabled, the type of the relocation is corrupted -
causing "fixrel" to ignore it.

I _think_ what's going on here is that accesses to global data are not safe before the image has been copied to its destination, due to the u-boot linker script placing the relocations as an "OVERLAY", but it could be more complicated than that.
I have not verified that it affects only vexpress, and in fact it would surprise me somewhat if it did.

** Affects: u-boot-linaro
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Linaro
Maintainers, which is the registrant for Linaro U-Boot.
https://bugs.launchpad.net/bugs/1029956


To manage notifications about this bug go to:
https://bugs.launchpad.net/u-boot-linaro/+bug/1029956/+subscriptions
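The mechanism the report describes (a .bss write landing on a .rel.dyn entry before the image is copied, so that "fixrel" either faults on an odd address or skips the entry as an unknown type) can be reproduced on a host with a small model. The following C program is an added example for this archive page; it is not code from the bug report or from U-Boot. It assumes a constructed toy layout (link address 0, a .data pointer at byte 8, one Elf32_Rel entry at bytes 32..39 that .bss is overlaid on, relocation offset 128) and a simplified fix-up walk modelled on the fixloop/fixrel logic in start.S that handles only R_ARM_RELATIVE (type 23) and ignores other types; the real assembly also handles R_ARM_ABS32. An unaligned fix-up address is modelled as a fault, which is the behaviour the reporter observed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF relocation type handled by fixrel in arch/arm/cpu/armv7/start.S */
#define R_ARM_RELATIVE 23u

/* Constructed toy image layout (bytes); link address is 0, so link-time
 * addresses are byte offsets into the image. Not U-Boot's real memory map. */
#define IMG_SIZE   64u
#define DATA_PTR    8u   /* .data word holding a link-time pointer */
#define REL_START  32u   /* start of .rel.dyn; .bss is OVERLAYed here */
#define REL_END    40u   /* one 8-byte Elf32_Rel entry */
#define RELOC_OFF 128u   /* r9: destination address minus link address */
#define RAM_SIZE  (RELOC_OFF + IMG_SIZE)

struct fixup_stats { unsigned applied, skipped_unknown, unaligned; };

static uint32_t ld32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void st32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Pre-relocation image: the word at DATA_PTR points at link address 0x10
 * and one R_ARM_RELATIVE entry tells fixrel to add r9 to that word. */
static void build_image(uint8_t *ram)
{
    memset(ram, 0, RAM_SIZE);
    st32(ram + DATA_PTR, 0x10);
    st32(ram + REL_START, DATA_PTR);            /* r_offset */
    st32(ram + REL_START + 4, R_ARM_RELATIVE);  /* r_info: symbol 0, type 23 */
}

/* The "innocent" pre-relocation write (think serial_init_called++): a .bss
 * word whose storage the OVERLAY placed on top of .rel.dyn at byte bss_off. */
static void bss_counter_increment(uint8_t *ram, uint32_t bss_off)
{
    st32(ram + bss_off, ld32(ram + bss_off) + 1);
}

/* Copy the image to its destination, then walk .rel.dyn the way the
 * fixloop/fixrel code does (simplified model: only R_ARM_RELATIVE is
 * applied, any other type is ignored like an unknown fixup type). */
static struct fixup_stats relocate(uint8_t *ram)
{
    struct fixup_stats s = {0, 0, 0};
    memcpy(ram + RELOC_OFF, ram, IMG_SIZE);
    for (uint32_t r = REL_START; r < REL_END; r += 8) {
        uint32_t loc  = ld32(ram + r) + RELOC_OFF;   /* location to fix, in RAM */
        uint32_t type = ld32(ram + r + 4) & 0xffu;
        if (type != R_ARM_RELATIVE) { s.skipped_unknown++; continue; }
        /* modelled as a fault: the real CPU takes an alignment abort here */
        if ((loc & 3u) || loc + 4 > RAM_SIZE) { s.unaligned++; continue; }
        st32(ram + loc, ld32(ram + loc) + RELOC_OFF);
        s.applied++;
    }
    return s;
}

/* Run one scenario: optionally do the early .bss write at bss_off, then
 * relocate; return the pointer value relocated code would see at DATA_PTR. */
static uint32_t relocated_pointer(int early_write, uint32_t bss_off,
                                  struct fixup_stats *out)
{
    uint8_t ram[RAM_SIZE];
    build_image(ram);
    if (early_write)
        bss_counter_increment(ram, bss_off);
    struct fixup_stats s = relocate(ram);
    if (out)
        *out = s;
    return ld32(ram + RELOC_OFF + DATA_PTR);
}

int main(void)
{
    struct fixup_stats s;
    uint32_t p;

    p = relocated_pointer(0, 0, &s);                /* no early write */
    printf("clean:             ptr=0x%x applied=%u\n", p, s.applied);
    p = relocated_pointer(1, REL_START, &s);        /* counter over r_offset */
    printf("counter@r_offset:  ptr=0x%x unaligned=%u\n", p, s.unaligned);
    p = relocated_pointer(1, REL_START + 4, &s);    /* counter over r_info */
    printf("counter@r_info:    ptr=0x%x skipped=%u\n", p, s.skipped_unknown);
    return 0;
}
```

The clean run relocates the pointer from 0x10 to 0x90. When the counter's storage overlaps r_offset the fix-up address becomes odd and the walk faults, the "one greater than intended" address in the report; when it overlaps r_info the type byte becomes 24, the entry is ignored and the pointer is left at its link-time value, which is the quiet corruption the reporter saw with CONFIG_API disabled. Which field a given global lands on is purely a matter of section layout, which is why a config change that shifts alignment turns the same bug into a crash.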

