Google Git
Sign in
pigweed / third_party / github / zephyrproject-rtos / zephyr / aa066d413945a4bfcb9b36963a859e6bc7de4536 / . / arch / x86 / core / ia32 / fatal.c
blob: 8c0cbab9f61efb57b199c020aac52c7823929487 [file] [log] [blame]
/*
* Copyright (c) 2013-2014 Wind River Systems, Inc.
*
* SPDX-License-Identifier: Apache-2.0
*/
/**
* @file
* @brief Kernel fatal error handler
*/
#include <toolchain.h>
#include <linker/sections.h>
#include <kernel.h>
#include <kernel_structs.h>
#include <drivers/interrupt_controller/sysapic.h>
#include <arch/x86/ia32/segmentation.h>
#include <ia32/exception.h>
#include <inttypes.h>
#include <exc_handle.h>
#include <logging/log_ctrl.h>
__weak void z_debug_fatal_hook(const z_arch_esf_t *esf) { ARG_UNUSED(esf); }
#ifdef CONFIG_THREAD_STACK_INFO
/**
* @brief Check if a memory address range falls within the stack
*
* Given a memory address range, ensure that it falls within the bounds
* of the faulting context's stack.
*
* @param addr Starting address
* @param size Size of the region, or 0 if we just want to see if addr is
* in bounds
* @param cs Code segment of faulting context
* @return true if addr/size region is not within the thread stack
*/
static bool check_stack_bounds(u32_t addr, size_t size, u16_t cs)
{
u32_t start, end;
if (z_is_in_isr()) {
/* We were servicing an interrupt */
start = (u32_t)Z_ARCH_THREAD_STACK_BUFFER(_interrupt_stack);
end = start + CONFIG_ISR_STACK_SIZE;
} else if ((cs & 0x3U) != 0U ||
(_current->base.user_options & K_USER) == 0) {
/* Thread was in user mode, or is not a user mode thread.
* The normal stack buffer is what we will check.
*/
start = _current->stack_info.start;
end = STACK_ROUND_DOWN(_current->stack_info.start +
_current->stack_info.size);
} else {
/* User thread was doing a syscall, check kernel stack bounds */
start = _current->stack_info.start - MMU_PAGE_SIZE;
end = _current->stack_info.start;
}
return (addr <= start) || (addr + size > end);
}
#endif
#if defined(CONFIG_EXCEPTION_STACK_TRACE)
struct stack_frame {
u32_t next;
u32_t ret_addr;
u32_t args;
};
#define MAX_STACK_FRAMES 8
static void unwind_stack(u32_t base_ptr, u16_t cs)
{
struct stack_frame *frame;
int i;
if (base_ptr == 0U) {
z_fatal_print("NULL base ptr");
return;
}
for (i = 0; i < MAX_STACK_FRAMES; i++) {
if (base_ptr % sizeof(base_ptr) != 0U) {
z_fatal_print("unaligned frame ptr");
return;
}
frame = (struct stack_frame *)base_ptr;
if (frame == NULL) {
break;
}
#ifdef CONFIG_THREAD_STACK_INFO
/* Ensure the stack frame is within the faulting context's
* stack buffer
*/
if (check_stack_bounds((u32_t)frame, sizeof(*frame), cs)) {
z_fatal_print(" corrupted? (bp=%p)", frame);
break;
}
#endif
if (frame->ret_addr == 0U) {
break;
}
#ifdef CONFIG_X86_IAMCU
z_fatal_print(" 0x%08x", frame->ret_addr);
#else
z_fatal_print(" 0x%08x (0x%x)", frame->ret_addr,
frame->args);
#endif
base_ptr = frame->next;
}
}
#endif /* CONFIG_EXCEPTION_STACK_TRACE */
#ifdef CONFIG_BOARD_QEMU_X86
FUNC_NORETURN void z_arch_system_halt(unsigned int reason)
{
ARG_UNUSED(reason);
/* Causes QEMU to exit. We passed the following on the command line:
* -device isa-debug-exit,iobase=0xf4,iosize=0x04
*/
sys_out32(0, 0xf4);
CODE_UNREACHABLE;
}
#endif
FUNC_NORETURN void z_x86_fatal_error(unsigned int reason, const z_arch_esf_t *esf)
{
if (esf != NULL) {
z_fatal_print("eax: 0x%08x, ebx: 0x%08x, ecx: 0x%08x, edx: 0x%08x",
esf->eax, esf->ebx, esf->ecx, esf->edx);
z_fatal_print("esi: 0x%08x, edi: 0x%08x, ebp: 0x%08x, esp: 0x%08x",
esf->esi, esf->edi, esf->ebp, esf->esp);
z_fatal_print("eflags: 0x%08x cs: 0x%04x cr3: %p", esf->eflags,
esf->cs & 0xFFFFU, z_x86_page_tables_get());
#ifdef CONFIG_EXCEPTION_STACK_TRACE
z_fatal_print("call trace:");
#endif
z_fatal_print("eip: 0x%08x", esf->eip);
#ifdef CONFIG_EXCEPTION_STACK_TRACE
unwind_stack(esf->ebp, esf->cs);
#endif
}
z_fatal_error(reason, esf);
CODE_UNREACHABLE;
}
void z_x86_spurious_irq(const z_arch_esf_t *esf)
{
int vector = z_irq_controller_isr_vector_get();
if (vector >= 0) {
z_fatal_print("IRQ vector: %d", vector);
}
z_x86_fatal_error(K_ERR_SPURIOUS_IRQ, esf);
}
void z_arch_syscall_oops(void *ssf_ptr)
{
struct _x86_syscall_stack_frame *ssf =
(struct _x86_syscall_stack_frame *)ssf_ptr;
z_arch_esf_t oops = {
.eip = ssf->eip,
.cs = ssf->cs,
.eflags = ssf->eflags
};
if (oops.cs == USER_CODE_SEG) {
oops.esp = ssf->esp;
}
z_x86_fatal_error(K_ERR_KERNEL_OOPS, &oops);
}
#ifdef CONFIG_X86_KERNEL_OOPS
void z_do_kernel_oops(const z_arch_esf_t *esf)
{
u32_t *stack_ptr = (u32_t *)esf->esp;
u32_t reason = *stack_ptr;
#ifdef CONFIG_USERSPACE
/* User mode is only allowed to induce oopses and stack check
* failures via this software interrupt
*/
if (esf->cs == USER_CODE_SEG && !(reason == K_ERR_KERNEL_OOPS ||
reason == K_ERR_STACK_CHK_FAIL)) {
reason = K_ERR_KERNEL_OOPS;
}
#endif
z_x86_fatal_error(reason, esf);
}
extern void (*_kernel_oops_handler)(void);
NANO_CPU_INT_REGISTER(_kernel_oops_handler, NANO_SOFT_IRQ,
CONFIG_X86_KERNEL_OOPS_VECTOR / 16,
CONFIG_X86_KERNEL_OOPS_VECTOR, 3);
#endif
#if CONFIG_EXCEPTION_DEBUG
FUNC_NORETURN static void generic_exc_handle(unsigned int vector,
const z_arch_esf_t *pEsf)
{
switch (vector) {
case IV_GENERAL_PROTECTION:
z_fatal_print("General Protection Fault");
break;
case IV_DEVICE_NOT_AVAILABLE:
z_fatal_print("Floating point unit not enabled");
break;
default:
z_fatal_print("CPU exception %d", vector);
break;
}
if ((BIT(vector) & _EXC_ERROR_CODE_FAULTS) != 0) {
z_fatal_print("Exception code: 0x%x", pEsf->errorCode);
}
z_x86_fatal_error(K_ERR_CPU_EXCEPTION, pEsf);
}
#define _EXC_FUNC(vector) \
FUNC_NORETURN void handle_exc_##vector(const z_arch_esf_t *pEsf) \
{ \
generic_exc_handle(vector, pEsf); \
}
#define Z_EXC_FUNC_CODE(vector) \
_EXC_FUNC(vector) \
_EXCEPTION_CONNECT_CODE(handle_exc_##vector, vector)
#define Z_EXC_FUNC_NOCODE(vector) \
_EXC_FUNC(vector) \
_EXCEPTION_CONNECT_NOCODE(handle_exc_##vector, vector)
/* Necessary indirection to ensure 'vector' is expanded before we expand
* the handle_exc_##vector
*/
#define EXC_FUNC_NOCODE(vector) \
Z_EXC_FUNC_NOCODE(vector)
#define EXC_FUNC_CODE(vector) \
Z_EXC_FUNC_CODE(vector)
EXC_FUNC_NOCODE(IV_DIVIDE_ERROR);
EXC_FUNC_NOCODE(IV_NON_MASKABLE_INTERRUPT);
EXC_FUNC_NOCODE(IV_OVERFLOW);
EXC_FUNC_NOCODE(IV_BOUND_RANGE);
EXC_FUNC_NOCODE(IV_INVALID_OPCODE);
EXC_FUNC_NOCODE(IV_DEVICE_NOT_AVAILABLE);
#ifndef CONFIG_X86_ENABLE_TSS
EXC_FUNC_NOCODE(IV_DOUBLE_FAULT);
#endif
EXC_FUNC_CODE(IV_INVALID_TSS);
EXC_FUNC_CODE(IV_SEGMENT_NOT_PRESENT);
EXC_FUNC_CODE(IV_STACK_FAULT);
EXC_FUNC_CODE(IV_GENERAL_PROTECTION);
EXC_FUNC_NOCODE(IV_X87_FPU_FP_ERROR);
EXC_FUNC_CODE(IV_ALIGNMENT_CHECK);
EXC_FUNC_NOCODE(IV_MACHINE_CHECK);
/* Page fault error code flags */
#define PRESENT BIT(0)
#define WR BIT(1)
#define US BIT(2)
#define RSVD BIT(3)
#define ID BIT(4)
#define PK BIT(5)
#define SGX BIT(15)
#ifdef CONFIG_X86_MMU
static void dump_entry_flags(const char *name, x86_page_entry_data_t flags)
{
z_fatal_print("%s: 0x%x%x %s, %s, %s, %s", name, (u32_t)(flags>>32),
(u32_t)(flags),
flags & (x86_page_entry_data_t)MMU_ENTRY_PRESENT ?
"Present" : "Non-present",
flags & (x86_page_entry_data_t)MMU_ENTRY_WRITE ?
"Writable" : "Read-only",
flags & (x86_page_entry_data_t)MMU_ENTRY_USER ?
"User" : "Supervisor",
flags & (x86_page_entry_data_t)MMU_ENTRY_EXECUTE_DISABLE ?
"Execute Disable" : "Execute Enabled");
}
static void dump_mmu_flags(struct x86_mmu_pdpt *pdpt, void *addr)
{
x86_page_entry_data_t pde_flags, pte_flags;
z_x86_mmu_get_flags(pdpt, addr, &pde_flags, &pte_flags);
dump_entry_flags("PDE", pde_flags);
dump_entry_flags("PTE", pte_flags);
}
#endif /* CONFIG_X86_MMU */
static void dump_page_fault(z_arch_esf_t *esf)
{
u32_t err, cr2;
/* See Section 6.15 of the IA32 Software Developer's Manual vol 3 */
__asm__ ("mov %%cr2, %0" : "=r" (cr2));
err = esf->errorCode;
z_fatal_print("***** CPU Page Fault (error code 0x%08x)", err);
z_fatal_print("%s thread %s address 0x%08x",
(err & US) != 0U ? "User" : "Supervisor",
(err & ID) != 0U ? "executed" : ((err & WR) != 0U ?
"wrote" :
"read"), cr2);
#ifdef CONFIG_X86_MMU
#ifdef CONFIG_X86_KPTI
if (err & US) {
dump_mmu_flags(&z_x86_user_pdpt, (void *)cr2);
return;
}
#endif
dump_mmu_flags(&z_x86_kernel_pdpt, (void *)cr2);
#endif
}
#endif /* CONFIG_EXCEPTION_DEBUG */
#ifdef CONFIG_USERSPACE
Z_EXC_DECLARE(z_arch_user_string_nlen);
static const struct z_exc_handle exceptions[] = {
Z_EXC_HANDLE(z_arch_user_string_nlen)
};
#endif
void page_fault_handler(z_arch_esf_t *esf)
{
#ifdef CONFIG_USERSPACE
int i;
for (i = 0; i < ARRAY_SIZE(exceptions); i++) {
if ((void *)esf->eip >= exceptions[i].start &&
(void *)esf->eip < exceptions[i].end) {
esf->eip = (unsigned int)(exceptions[i].fixup);
return;
}
}
#endif
#ifdef CONFIG_EXCEPTION_DEBUG
dump_page_fault(esf);
#endif
#ifdef CONFIG_THREAD_STACK_INFO
if (check_stack_bounds(esf->esp, 0, esf->cs)) {
z_x86_fatal_error(K_ERR_STACK_CHK_FAIL, esf);
}
#endif
z_x86_fatal_error(K_ERR_CPU_EXCEPTION, esf);
CODE_UNREACHABLE;
}
_EXCEPTION_CONNECT_CODE(page_fault_handler, IV_PAGE_FAULT);
#ifdef CONFIG_X86_ENABLE_TSS
static __noinit volatile z_arch_esf_t _df_esf;
/* Very tiny stack; just enough for the bogus error code pushed by the CPU
* and a frame pointer push by the compiler. All df_handler_top does is
* shuffle some data around with 'mov' statements and then 'iret'.
*/
static __noinit char _df_stack[8];
static FUNC_NORETURN __used void df_handler_top(void);
#ifdef CONFIG_X86_KPTI
extern char z_trampoline_stack_end[];
#endif
Z_GENERIC_SECTION(.tss)
struct task_state_segment _main_tss = {
.ss0 = DATA_SEG,
#ifdef CONFIG_X86_KPTI
/* Stack to land on when we get a soft/hard IRQ in user mode.
* In a special kernel page that, unlike all other kernel pages,
* is marked present in the user page table.
*/
.esp0 = (u32_t)&z_trampoline_stack_end
#endif
};
/* Special TSS for handling double-faults with a known good stack */
Z_GENERIC_SECTION(.tss)
struct task_state_segment _df_tss = {
.esp = (u32_t)(_df_stack + sizeof(_df_stack)),
.cs = CODE_SEG,
.ds = DATA_SEG,
.es = DATA_SEG,
.ss = DATA_SEG,
.eip = (u32_t)df_handler_top,
.cr3 = (u32_t)&z_x86_kernel_pdpt
};
static __used void df_handler_bottom(void)
{
/* We're back in the main hardware task on the interrupt stack */
int reason = K_ERR_CPU_EXCEPTION;
/* Restore the top half so it is runnable again */
_df_tss.esp = (u32_t)(_df_stack + sizeof(_df_stack));
_df_tss.eip = (u32_t)df_handler_top;
z_fatal_print("Double Fault");
#ifdef CONFIG_THREAD_STACK_INFO
if (check_stack_bounds(_df_esf.esp, 0, _df_esf.cs)) {
reason = K_ERR_STACK_CHK_FAIL;
}
#endif
z_x86_fatal_error(reason, (z_arch_esf_t *)&_df_esf);
}
static FUNC_NORETURN __used void df_handler_top(void)
{
/* State of the system when the double-fault forced a task switch
* will be in _main_tss. Set up a z_arch_esf_t and copy system state into
* it
*/
_df_esf.esp = _main_tss.esp;
_df_esf.ebp = _main_tss.ebp;
_df_esf.ebx = _main_tss.ebx;
_df_esf.esi = _main_tss.esi;
_df_esf.edi = _main_tss.edi;
_df_esf.edx = _main_tss.edx;
_df_esf.eax = _main_tss.eax;
_df_esf.ecx = _main_tss.ecx;
_df_esf.errorCode = 0;
_df_esf.eip = _main_tss.eip;
_df_esf.cs = _main_tss.cs;
_df_esf.eflags = _main_tss.eflags;
/* Restore the main IA task to a runnable state */
_main_tss.esp = (u32_t)(Z_ARCH_THREAD_STACK_BUFFER(_interrupt_stack) +
CONFIG_ISR_STACK_SIZE);
_main_tss.cs = CODE_SEG;
_main_tss.ds = DATA_SEG;
_main_tss.es = DATA_SEG;
_main_tss.ss = DATA_SEG;
_main_tss.eip = (u32_t)df_handler_bottom;
_main_tss.cr3 = (u32_t)&z_x86_kernel_pdpt;
_main_tss.eflags = 0U;
/* NT bit is set in EFLAGS so we will task switch back to _main_tss
* and run df_handler_bottom
*/
__asm__ volatile ("iret");
CODE_UNREACHABLE;
}
/* Configure a task gate descriptor in the IDT for the double fault
* exception
*/
_X86_IDT_TSS_REGISTER(DF_TSS, -1, -1, IV_DOUBLE_FAULT, 0);
#endif /* CONFIG_X86_ENABLE_TSS */