Fix ARMv6-M/ARMv7-M SVCall register corruption in protected builds, fix lm3s6965-ek:qemu-protected boot, and add board documentation.#18683
Merged
Fix several issues preventing the protected build from booting:

memory.ld: Increase ksram from 16K to 20K to accommodate kernel BSS and idle thread stack. Rebalance usram to 20K and xsram to 24K accordingly.

defconfig: Remove CONFIG_FS_TMPFS to reduce kernel binary size so it fits within the 128KB kflash partition.

defconfig: Add CONFIG_TLS_LOG2_MAXSTACK=11 to reduce TLS stack alignment from 8K (default) to 2K. The default 8K alignment caused memalign to request oversized allocations from the user heap, failing the init task stack allocation.

Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
Add board documentation for the Stellaris LM3S6965 Evaluation Kit including available configurations (nsh, qemu-flat, qemu-protected, qemu-kostest, qemu-nxflat) and instructions for running and debugging with QEMU. Also add a Supported Boards toctree section to the Tiva platform index to automatically include board documentation.

Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
…tected

arm_dispatch_syscall in armv7-m clobbered r11 with 'mov r11, sp' and the user-space callee-saved register value leaked back through the exception frame when SYS_syscall_return restored the context, resulting in corrupted parameters on subsequent syscalls and system hangs in protected builds.

In armv6-m, r4 was used to load g_stublookup (Thumb-1 cannot use ip for indexed addressing) but was not restored before SYS_syscall_return, causing the same class of register corruption.

Fix with minimal changes:
- armv7-m: remove 'mov r11, sp' to stop clobbering user r11
- armv6-m: restore r4 from the stack frame before SYS_syscall_return

Signed-off-by: buxiasen <buxiasen@xiaomi.com>
anchao approved these changes (Apr 7, 2026)
simbit18 approved these changes (Apr 7, 2026)
acassis approved these changes (Apr 7, 2026)
xiaoxiang781216 approved these changes (Apr 7, 2026)
jerpelea approved these changes (Apr 7, 2026)
Summary

Fix the lm3s6965-ek:qemu-protected configuration to boot successfully under QEMU, and add board documentation.

Commit 1: fix qemu-protected to boot in QEMU

The protected build failed to boot due to three independent issues:

- memory.ld: ksram (16K) was too small for kernel BSS + idle thread stack. Rebalanced to ksram=20K, usram=20K, xsram=24K.
- defconfig: CONFIG_FS_TMPFS caused the kernel binary to exceed the 128KB kflash partition. Removed it.
- defconfig: The default TLS_LOG2_MAXSTACK=13 (8KB alignment) caused memalign(8192, stack_size) to fail in the 16KB user heap — there was simply not enough contiguous aligned memory to allocate the init task stack. Reduced to TLS_LOG2_MAXSTACK=11 (2KB alignment).

Commit 2: add lm3s6965-ek board documentation

New index.rst covering hardware features, all available configurations (nsh, qemu-flat, qemu-protected, qemu-kostest, qemu-nxflat, etc.), QEMU run instructions for both FLAT and PROTECTED builds (including networking and the -device loader trick for user binaries), and GDB debugging steps. Also adds a "Supported Boards" toctree to the Tiva platform index.

Commit 3: fix callee-saved register corruption in arm_dispatch_syscall

- armv7-m: The old code did mov r11, sp at entry, clobbering the user-space r11 value. When SYS_syscall_return restored the exception frame, the corrupted r11 leaked back to user space, causing parameter corruption on subsequent syscalls and eventual system hangs. Fix: remove mov r11, sp (it was only used for CFI, replaced with .cfi_def_cfa_offset).
- armv6-m: r4 was used to load g_stublookup and the stub address (Thumb-1 cannot use ip for indexed loads), but was never restored before svc SYS_syscall_return. The corrupted r4 propagated back to user space. Fix: add ldr r4, [sp, #0] to restore r4 from the stack frame before the return SVC.

Impact

- read on procfs (e.g., the free NSH command).
- arm_dispatch_syscall.S is not modified (it does not have the mov r11, sp pattern).

Testing

Tested on lm3s6965-ek:qemu-protected under QEMU:

$ ./tools/configure.sh -l lm3s6965-ek:qemu-protected
$ make -j$(nproc)
$ qemu-system-arm -M lm3s6965evb -nographic \
    -kernel nuttx.bin \
    -device loader,file=nuttx_user.bin,addr=0x20000

Verified:

- free command displays memory info correctly (previously caused system hang)
- (ls, ps, help) work without corruption
- lm3s6965-ek:qemu-flat build
- Documentation tested with make html — renders correctly with no Sphinx warnings.
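As an added example (not code from the PR or from NuttX), a small C model of why memalign(8192, stack_size) cannot succeed in a 16 KB user heap while the 2 KB alignment can: memalign here over-allocates by twice the alignment before rounding the address up, which is the assumed meaning of the "oversized allocations" in the commit message; the heap base, chunk header, prior usage and 2 KB init stack size are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of an embedded heap, not NuttX's mm code. Values from
 * the PR: 16 KB user heap, TLS_LOG2_MAXSTACK 13 (8 KB) vs 11 (2 KB). The
 * heap base, chunk header, prior usage and init stack size are assumptions. */
#define HEAP_SIZE   (16u * 1024u)
#define HEAP_BASE   0x20001000u   /* assumed; any 8 KB-aligned base behaves alike */
#define CHUNK_HDR   8u            /* assumed per-chunk bookkeeping */
#define PRIOR_USED  1024u         /* assumed bytes already allocated at boot */
#define INIT_STACK  2048u         /* assumed init task stack size */

typedef struct { uintptr_t base; size_t size; size_t used; } heap_t;

/* Plain bump allocation: header + payload; returns 0 when the heap is exhausted. */
static uintptr_t heap_malloc(heap_t *h, size_t size)
{
  size_t need = CHUNK_HDR + size;
  if (need > h->size - h->used) return 0;
  uintptr_t p = h->base + h->used + CHUNK_HDR;
  h->used += need;
  return p;
}

/* memalign by over-allocation: request size + 2*align (the classic rule that
 * guarantees at least two aligned points inside the chunk; assumed here to be
 * the "oversized allocation" the commit message refers to), then round the
 * payload address up to the alignment. A real allocator would also give the
 * head and tail slack back to the free list; this model does not. */
static uintptr_t heap_memalign(heap_t *h, size_t align, size_t size)
{
  uintptr_t raw = heap_malloc(h, size + 2 * align);
  if (raw == 0) return 0;
  return (raw + align - 1) & ~(uintptr_t)(align - 1);
}

/* Worst-case bytes memalign asks the underlying allocator for. */
static size_t memalign_request(unsigned log2_maxstack, size_t size)
{
  return CHUNK_HDR + size + 2 * ((size_t)1 << log2_maxstack);
}

/* Does the init task stack allocation succeed for a given TLS_LOG2_MAXSTACK? */
static bool init_stack_fits(unsigned log2_maxstack)
{
  heap_t h = { HEAP_BASE, HEAP_SIZE, 0 };
  (void)heap_malloc(&h, PRIOR_USED);   /* space consumed before the init task */
  return heap_memalign(&h, (size_t)1 << log2_maxstack, INIT_STACK) != 0;
}
```

With log2 13 the request alone (8 + 2048 + 16384 bytes) exceeds the entire 16 KB heap, so the allocation fails even on an empty heap; with log2 11 it needs 6152 bytes and succeeds.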