port-macppc/59176: bogus call to oea_iobat_add() in rbus_pccbb_parent_mem()

To: port-macppc-maintainer%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: port-macppc/59176: bogus call to oea_iobat_add() in rbus_pccbb_parent_mem()
From: martin%NetBSD.org@localhost
Date: Fri, 14 Mar 2025 11:45:01 +0000 (UTC)

>Number:         59176
>Category:       port-macppc
>Synopsis:       bogus call to oea_iobat_add() in rbus_pccbb_parent_mem()
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    port-macppc-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 14 11:45:00 +0000 2025
>Originator:     Martin Husemann
>Release:        NetBSD 10.99.12
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD gethsemane.aprisoft.de 10.99.12 NetBSD 10.99.12 (GETHSEMANE) #393: Tue Mar 11 10:41:48 CET 2025  martin%seven-days-to-the-wolves.aprisoft.de@localhost:/work/src/sys/arch/macppc/compile/GETHSEMANE macppc
Architecture: powerpc
Machine: macppc
>Description:

I have a PCI cardbus bridge in one of my Macs and it shows up at OF level
as:

name                    cardbus 
device_type             cardbus 
compatible              pci1180,0475
                        cardbus-bridge
model                   XXX,PCIXXXX-81
reg                     00009800 00000000 00000000  00000000 00000000
                        02009810 00000000 00000000  00000000 00001000
                        01009844 00000000 00000000  00000000 00000004
                        21009898 00000000 00000000  00000000 00000010
#address-cells          00000003
#size-cells             00000002
[..]
assigned-addresses      81009844 00000000 00009010  00000000 00000004 
                        81009898 00000000 00009000  00000000 00000010 
                        82009810 00000000 a0102000  00000000 00001000 

and attaches as:

cbb0 at pci1 dev 19 function 0: Ricoh 5C475 PCI-CardBus Bridge (rev. 0x81)
[..]
cbb0: cacheline 0x0 lattimer 0x10
cbb0: bhlc 0x21000
cbb0: interrupting at irq 53
cardslot0 at cbb0
cardbus0 at cardslot0: bus 1
pcmcia0 at cardslot0

The code in rbus_pccb_parent_mem() has a strange XXX clause:

        node = pcidev_to_ofdev(pa->pa_pc, pa->pa_tag);
        OF_getprop(node, "assigned-addresses", reg, sizeof(reg));
        
        start = reg[2];
        size = reg[4];

        /* XXX PowerBook G3 */
        if (size < 0x10000) {
                start = 0x90000000;
                size  = 0x10000000;
        }

        oea_iobat_add(start, size);

Now this has multiple issues. The "unit" of size passed to oea_iobat_add()
is in BAT_BL_* defines, the firmware says 4 which would be BAT_BL_256K.

The "XXX PowerBook G3" code seems to work in units of bytes instead, and since
this if is not conditionalized on the mainboard model, this all goes very
wrong (the size < 0x10000 triggers for all valid firmware values and the
size  = 0x10000000 is an invalid input to oea_iobat_add).

Even with this XXX if() fixed, it would panic in oea_iobat_add() as that
does not allow anything below 8M BAT entries:

void
oea_iobat_add(paddr_t pa, register_t len)
{
        static int z = 1;
        const u_int n = BAT_BL_TO_SIZE(len) / BAT_BL_TO_SIZE(BAT_BL_8M); 
        const u_int i = BAT_VA2IDX(pa) & -n; /* in case pa was in the middle */
        const int after_bat3 = (oeacpufeat & OEACPU_HIGHBAT) ? 4 : 8;
 
        KASSERT(len >= BAT_BL_8M);

So I better not insert a cardbus card that requires a mem mapping.

>How-To-Repeat:
s/a

>Fix:
n/a

Prev by Date: Re: kern/59175: posix_spawn hang, hanging other process too
Next by Date: Re: kern/59175: posix_spawn hang, hanging other process too
Previous by Thread: kern/59175: posix_spawn hang, hanging other process too
Next by Thread: Re: port-macppc/59176: bogus call to oea_iobat_add() in rbus_pccbb_parent_mem()
Indexes:

Home | Main Index | Thread Index | Old Index