[poulot@sunchorus.france.sun.com: Re: A new K6 bug]

Wolfgang Walter (wolfgang.walter@stusta.mhn.de)
Wed, 8 Jul 1998 09:50:55 +0200


I found the message which was posted here by Benoit Poulot-Cazajous concerning
the AMD bug. It may be worth reading again.

Wolfgang Walter

-----Forwarded message from Benoit Poulot-Cazajous <poulot@sunchorus.france.sun.com>-----

To: linux-kernel@vger.rutgers.edu
Subject: Re: A new K6 bug
References: <19980531150414Z970912-11595+37@vger.rutgers.edu>
From: Benoit Poulot-Cazajous <poulot@sunchorus.france.sun.com>
Date: 01 Jun 1998 04:06:22 +0200
In-Reply-To: owner-linux-kernel-digest@vger.rutgers.edu's message of Sun, 31 May 1998 10:58:31 -0400
Message-Id: <lnhg25dgf5.fsf@sunchorus.france.sun.com>

The problem reported by andreas@camus.xss.co.at with crashme is really caused
by a K6 bug. It can be reproduced at will on 2.0.xx kernels. It looks like
2.1.xx kernels hide the bug.

Here is how to reproduce it:

    $ cat a.s
    .text
    .align 4096                         /* r1 */
    .globl _start
    _start:
            movl _start, %edi           /* S1 */
            cmpb 0x80000000(%edi),%dl   /* r2, S2 */
            je nowhere                  /* r3 */
            ret
    $ as -o a.o a.s
    $ ld -defsym nowhere=0xc0000000 a.o
    $ ./a.out
    <lockup. hard reset required>

Remarks:
r1) _start must be aligned, otherwise you get a segfault instead of a lockup.
r2) Using movb instead of cmpb does not work.
r3) Tries to escape the code segment. Before 2.1.43, the code segments ended
    at bfffffff. After and including 2.1.43, escaping is not possible, because
    the code segment covers the whole address space (reducing this segment
    to 3.75 GB allows triggering the bug on 2.1.103).

Speculations:
S1) edi must be loaded with the address of something in a deep cache on the
    CPU. _start works well.
S2) tries to access an invalid address. This address should look like an
    already cached address. If only the highest bits are different, it is
    probably more difficult to notice that the address is not really cached.
    So using _start+0x80000000 works well.

I don't know if this bug is already fixed in recent revisions of the K6.
I was able to crash a K6 bought only a month ago, so AMD may not be aware
of the problem.

Is there anybody out there willing to propagate the 2.1.43 change to
pre-2.0.34?

-- Benoit

PS: How large is the code segment on NT? ;-)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu

-----End of forwarded message-----

-- 
Veni, Vidi, VISA:
	I came, I saw, I did a little shopping.

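Remark r3 in the forwarded message depends on whether the branch target lies beyond the limit of the user code segment. The following C program is an added example, not part of the original message or of the kernel source: it decodes base and limit from an x86 segment descriptor and applies the limit check to the `nowhere` value used above. The three descriptor values are constructed to match the 3 GB, 3.75 GB and 4 GB sizes the message mentions, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed descriptors: base 0, DPL 3, readable code, 32-bit, page-granular.
 * Only the limit field differs, matching the sizes named in the message. */
#define CS_3GB    0x00cbfa000000ffffULL  /* limit 0xbffff pages */
#define CS_3_75GB 0x00cefa000000ffffULL  /* limit 0xeffff pages */
#define CS_4GB    0x00cffa000000ffffULL  /* limit 0xfffff pages */
#define NOWHERE   0xc0000000u            /* value given to ld -defsym above */

/* Base address: descriptor bits 16-39 and 56-63. */
static uint32_t seg_base(uint64_t d)
{
    return (uint32_t)((d >> 16) & 0xffffff) | (uint32_t)((d >> 32) & 0xff000000);
}

/* Last valid offset: 20-bit limit (bits 0-15 and 48-51), scaled to 4 KiB
 * units when the granularity bit (55) is set. */
static uint32_t seg_limit(uint64_t d)
{
    uint32_t raw = (uint32_t)(d & 0xffff) | (uint32_t)((d >> 32) & 0xf0000);
    return ((d >> 55) & 1) ? (raw << 12) | 0xfff : raw;
}

/* 1 if a fetch at `offset` passes the limit check of code segment `d`. */
static int offset_in_code_segment(uint64_t d, uint32_t offset)
{
    int is_code = ((d >> 44) & 1) && ((d >> 43) & 1);  /* S=1, executable */
    return is_code && offset <= seg_limit(d);
}

int main(void)
{
    const uint64_t cs[] = { CS_3GB, CS_3_75GB, CS_4GB };
    for (unsigned i = 0; i < 3; i++)
        printf("base %08x limit %08x: target %08x is %s the segment\n",
               (unsigned)seg_base(cs[i]), (unsigned)seg_limit(cs[i]),
               (unsigned)NOWHERE,
               offset_in_code_segment(cs[i], NOWHERE) ? "inside" : "outside");
    return 0;
}
```

With the 3 GB descriptor the target falls outside the segment, which is the pre-2.1.43 condition described in r3; with the 4 GB descriptor no 32-bit offset can exceed the limit.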