Message ID | 20200531110231.620711-1-laurent@vivier.eu
---|---
State | New
Series | target/m68k: implement fmove.l #<data>,FPCR
Hi Laurent!

On 5/31/20 1:02 PM, Laurent Vivier wrote:
> The immediate value mode was ignored and instruction execution
> ends in an invalid access mode.
>
> This was found running 'R', which sets FPSR to 0 at startup with
> a 'fmove.l #0,FPSR' in qemu-system-m68k emulation and triggers a
> kernel crash:
> (...)
> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
> ---
>  target/m68k/translate.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)

Thanks for the fix.

I applied the patch, but I'm getting a lock-up now as you previously reported
in the other discussion on the Linux/m68k mailing list:

root@pacman:~# R
[   68.420000] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [R:650]
[   68.420000] Modules linked in: sg evdev mac_hid ip_tables x_tables sha1_generic hmac ipv6 nf_defrag_ipv6 autofs4 ext4 crc16 mbcache jbd2 crc32c_generic sd_mod t10_pi crc_t10dif sr_mod cdrom crct10dif_generic crct10dif_common mac_esp macsonic esp_scsi
[   68.420000] Format 00  Vector: 0064  PC: 0002df9c  Status: 2008    Not tainted
[   68.420000] ORIG_D0: ffffffff  D0: 00000000  A2: c02e239a  A1: ffa10000
[   68.420000] A0: 3c9adf29  D5: 0000000d  D4: 8002ce30
[   68.420000] D3: 8002b418  D2: 8002b4b4  D1: 00000000

Is this related or a different bug?

I have not seen these lockups on real hardware.

Adrian
Le 31/05/2020 à 13:23, John Paul Adrian Glaubitz a écrit :
> Hi Laurent!
>
> On 5/31/20 1:02 PM, Laurent Vivier wrote:
>> The immediate value mode was ignored and instruction execution
>> ends in an invalid access mode.
>>
>> This was found running 'R', which sets FPSR to 0 at startup with
>> a 'fmove.l #0,FPSR' in qemu-system-m68k emulation and triggers a
>> kernel crash:
>> (...)
>> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
>> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
>> ---
>>  target/m68k/translate.c | 14 ++++++++++++++
>>  1 file changed, 14 insertions(+)
> Thanks for the fix.
>
> I applied the patch, but I'm getting a lock-up now as you previously reported
> in the other discussion on the Linux/m68k mailing list:
>
> root@pacman:~# R
> [   68.420000] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [R:650]
> [   68.420000] Modules linked in: sg evdev mac_hid ip_tables x_tables sha1_generic hmac ipv6 nf_defrag_ipv6 autofs4 ext4 crc16 mbcache jbd2 crc32c_generic sd_mod t10_pi crc_t10dif sr_mod cdrom crct10dif_generic crct10dif_common mac_esp macsonic esp_scsi
> [   68.420000] Format 00  Vector: 0064  PC: 0002df9c  Status: 2008    Not tainted
> [   68.420000] ORIG_D0: ffffffff  D0: 00000000  A2: c02e239a  A1: ffa10000
> [   68.420000] A0: 3c9adf29  D5: 0000000d  D4: 8002ce30
> [   68.420000] D3: 8002b418  D2: 8002b4b4  D1: 00000000
>
> Is this related or a different bug?
>
> I have not seen these lockups on real hardware.

I guess you are using my q800-dev branch?

In this branch, there is an attempt to manage unnormalized numbers that
seems to trigger this lock up.

You can either use master + this patch or update your q800-dev branch
from my repo.

Thanks,
Laurent
Hi Laurent!

On 5/31/20 2:09 PM, Laurent Vivier wrote:
> I guess you are using my q800-dev branch?

That's what I initially did, then I pulled from upstream.

> In this branch, there is an attempt to manage unnormalized numbers that
> seems to trigger this lock up.
>
> You can either use master + this patch or update your q800-dev branch
> from my repo.

However, I then still copied the compiled binary from the qemu-m68k where I
first tested the patch. Guess I should be more careful when using the bash
history with absolute paths ;).

So, I can confirm it works for me.

Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

Adrian
On 5/31/20 4:02 AM, Laurent Vivier wrote:
> The immediate value mode was ignored and instruction execution
> ends in an invalid access mode.
>
> This was found running 'R', which sets FPSR to 0 at startup with
> a 'fmove.l #0,FPSR' in qemu-system-m68k emulation and triggers a
> kernel crash:
>
> [   56.640000] *** ADDRESS ERROR ***   FORMAT=2
> [   56.640000] Current process id is 728
> [   56.640000] BAD KERNEL TRAP: 00000000
> [   56.640000] Modules linked in: sg evdev mac_hid ip_tables x_tables sha1_generic hmac ipv6 nf_defrag_ipv6 autofs4 ext4 crc16 mbcache jbd2 crc32c_generic sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common sr_mod cdrom mac_esp macsonic esp_scsi
> [   56.640000] PC: [<00016a2c>] X_UNSUPP+0x2c/0x3c
> [   56.640000] SR: 2004  SP: 3eb5e68c  a2: c02e239a
> [   56.640000] d0: 00000040    d1: 00000002    d2: 8002adec    d3: 8002ad50
> [   56.640000] d4: 8002c768    d5: 0000000d    a0: ffffffc2    a1: ffffffc1
> [   56.640000] Process R (pid: 728, task=a3dfda5d)
> [   56.640000] Frame format=2 instr addr=00000000
> [   56.650000] Stack from 3a4d9f30:
> [   56.650000]         41000000 00000002 00000002 ffffffc2 ffffffc1 1fff0000 80000000 00000000
> [   56.650000]         3fbf0000 80000000 00000000 00000000 20000000 00000000 7fff0000 ffffffff
> [   56.650000]         ffffffff 00000000 00050008 00000000 8000067c c02c2000 efffee20 000002d8
> [   56.650000]         00002a28 3a4d9f98 00000002 00000014 fffffffe 8002c768 00000002 00000041
> [   56.650000]         00000002 c041fc58 c0743758 ffffffff 00000000 0008c075 00002b24 00000012
> [   56.650000]         000007d0 00000024 00000002 c05bef04 c05bef04 0000005e 00000077 c28aca70
> [   56.650000] Call Trace: [<00050008>] copy_overflow+0x10/0x28
> [   56.650000]  [<00002a28>] buserr+0x20/0x28
> [   56.650000]  [<0008c075>] bpf_check+0x57f/0x1cfa
> [   56.650000]  [<00002b24>] syscall+0x8/0xc
> [   56.650000]  [<0000c019>] dn_sched_init+0x75/0x88
> [   56.650000] Code: 1017 0200 00f0 0c00 0040 66ff 0000 05ac <f23c> 8800 0000 0000 f23c 9000 0000 0000 222e ff84 082e 0005 ff1c 6600 000a 0281
> [   56.650000] Disabling lock debugging due to kernel taint
> ...
>
> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
> ---
>  target/m68k/translate.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~
diff --git a/target/m68k/translate.c b/target/m68k/translate.c index 0f80888203d3..c093f6c683e8 100644 --- a/target/m68k/translate.c +++ b/target/m68k/translate.c @@ -4936,6 +4936,20 @@ static void gen_op_fmove_fcr(CPUM68KState *env, DisasContext *s, gen_store_fcr(s, AREG(insn, 0), mask); } return; + case 7: /* Immediate */ + if (REG(insn, 0) == 4) { + if (is_write || + (mask != M68K_FPIAR && mask != M68K_FPSR && + mask != M68K_FPCR)) { + gen_exception(s, s->base.pc_next, EXCP_ILLEGAL); + return; + } + tmp = tcg_const_i32(read_im32(env, s)); + gen_store_fcr(s, tmp, mask); + tcg_temp_free(tmp); + return; + } + break; default: break; }
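Review bot: the `if (is_write || (mask != M68K_FPIAR && mask != M68K_FPSR && mask != M68K_FPCR))` test in the new `case 7` block packs two separate rules, that `#<data>` is only valid as a source and that an immediate may load only one control register, but nothing in the hunk says so; a one-line comment above the condition, e.g. `/* #<data> is source-only and only valid for a single control register */`, would stop the inequality chain reading as an arbitrary whitelist, and it is also the place to state why a multi-register FMOVEM.L from an immediate is raised as EXCP_ILLEGAL rather than reading one longword per listed register. Raising the exception before `read_im32()` is consistent with passing `s->base.pc_next` as the fault address, since the immediate has not been consumed at that point. `tmp` is assigned in this block without a visible declaration in the hunk, so the change relies on it being declared earlier in `gen_op_fmove_fcr()`; worth confirming against the full context. The `break` for mode 7 with a register field other than 4 (absolute and PC-relative forms) falls through to whatever follows the switch, as `default` does, which is presumably the existing memory-operand path; a comment saying that is intended would help the next reader.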
The immediate value mode was ignored and instruction execution
ends in an invalid access mode.

This was found running 'R', which sets FPSR to 0 at startup with
a 'fmove.l #0,FPSR' in qemu-system-m68k emulation and triggers a
kernel crash:

[   56.640000] *** ADDRESS ERROR ***   FORMAT=2
[   56.640000] Current process id is 728
[   56.640000] BAD KERNEL TRAP: 00000000
[   56.640000] Modules linked in: sg evdev mac_hid ip_tables x_tables sha1_generic hmac ipv6 nf_defrag_ipv6 autofs4 ext4 crc16 mbcache jbd2 crc32c_generic sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common sr_mod cdrom mac_esp macsonic esp_scsi
[   56.640000] PC: [<00016a2c>] X_UNSUPP+0x2c/0x3c
[   56.640000] SR: 2004  SP: 3eb5e68c  a2: c02e239a
[   56.640000] d0: 00000040    d1: 00000002    d2: 8002adec    d3: 8002ad50
[   56.640000] d4: 8002c768    d5: 0000000d    a0: ffffffc2    a1: ffffffc1
[   56.640000] Process R (pid: 728, task=a3dfda5d)
[   56.640000] Frame format=2 instr addr=00000000
[   56.650000] Stack from 3a4d9f30:
[   56.650000]         41000000 00000002 00000002 ffffffc2 ffffffc1 1fff0000 80000000 00000000
[   56.650000]         3fbf0000 80000000 00000000 00000000 20000000 00000000 7fff0000 ffffffff
[   56.650000]         ffffffff 00000000 00050008 00000000 8000067c c02c2000 efffee20 000002d8
[   56.650000]         00002a28 3a4d9f98 00000002 00000014 fffffffe 8002c768 00000002 00000041
[   56.650000]         00000002 c041fc58 c0743758 ffffffff 00000000 0008c075 00002b24 00000012
[   56.650000]         000007d0 00000024 00000002 c05bef04 c05bef04 0000005e 00000077 c28aca70
[   56.650000] Call Trace: [<00050008>] copy_overflow+0x10/0x28
[   56.650000]  [<00002a28>] buserr+0x20/0x28
[   56.650000]  [<0008c075>] bpf_check+0x57f/0x1cfa
[   56.650000]  [<00002b24>] syscall+0x8/0xc
[   56.650000]  [<0000c019>] dn_sched_init+0x75/0x88
[   56.650000] Code: 1017 0200 00f0 0c00 0040 66ff 0000 05ac <f23c> 8800 0000 0000 f23c 9000 0000 0000 222e ff84 082e 0005 ff1c 6600 000a 0281
[   56.650000] Disabling lock debugging due to kernel taint
...

Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
 target/m68k/translate.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
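The instruction the commit message is about, as an added example that is not code from the patch, from QEMU or from anyone in the thread: a small Python decoder for the FMOVE.L / FMOVEM.L control-register encoding, run over the `Code:` line of the quoted oops. The `<f23c> 8800 0000 0000` at the faulting PC decodes as `fmove.l #0,fpsr` (opcode 0xF23C = F-line, coprocessor 1, EA mode 7 / reg 4 = immediate; extension 0x8800 = direction EA to FPcr, register bit 11 = FPSR), and the next four words as `fmove.l #0,fpcr`. The bit layout is the 6888x/68040 one for this form. The legality rule applied to the immediate EA is the one the patch's check enforces (source only, exactly one control register) and is not presented here as the hardware's complete rule; the extension-word sizes assumed for the indexed addressing modes (brief format only) and the two rejected sample encodings are constructed assumptions.

```python
"""Decoder for the m68k FMOVE.L / FMOVEM.L control-register form (added example).

Opcode word    : 1111 001 000 mmm rrr  -> 0xF200 | (EA mode << 3) | EA reg
Extension word : 10 d RRR 0000000000   -> d: 0 = EA -> FPcr, 1 = FPcr -> EA
                                          RRR: bit 12 FPCR, bit 11 FPSR, bit 10 FPIAR
Immediate EA is mode 7 / reg 4 with one longword of operand per register.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Register-list bits; the values coincide with QEMU's M68K_FPCR / M68K_FPSR / M68K_FPIAR.
FPCR, FPSR, FPIAR = 4, 2, 1
SINGLE_REGS = (FPCR, FPSR, FPIAR)
REG_NAMES = {FPCR: "fpcr", FPSR: "fpsr", FPIAR: "fpiar"}


@dataclass
class FmoveFcr:
    offset: int               # word index of the opcode in the stream
    ea_mode: int
    ea_reg: int
    is_write: bool            # True: FPcr -> EA, False: EA -> FPcr
    mask: int                 # control-register list
    immediate: Optional[int]  # operand, when the EA is a legal immediate
    legal: bool               # passes the patch's immediate-EA check
    text: str                 # assembler-style rendering


def parse_code_line(line: str) -> Tuple[List[int], int]:
    """Split a kernel 'Code:' dump into 16-bit words; the '<...>' token marks the PC."""
    words, pc_index = [], -1
    for i, tok in enumerate(line.split()):
        if tok.startswith("<") and tok.endswith(">"):
            tok, pc_index = tok[1:-1], i
        words.append(int(tok, 16))
    return words, pc_index


def reg_list(mask: int) -> str:
    return "/".join(REG_NAMES[b] for b in SINGLE_REGS if mask & b) or "(none)"


def ea_extension_words(mode: int, reg: int, nregs: int) -> int:
    """Extension words an EA consumes (assumption: brief-format index words only)."""
    if mode in (5, 6):                       # (d16,An) and (d8,An,Xn)
        return 1
    if mode == 7:                            # abs.W, abs.L, (d16,PC), (d8,PC,Xn), #<data>
        return {0: 1, 1: 2, 2: 1, 3: 1, 4: 2 * nregs}.get(reg, 0)
    return 0


def immediate_legal(is_write: bool, mask: int) -> bool:
    """The rule the patch enforces for #<data>: source only, exactly one register."""
    return (not is_write) and mask in SINGLE_REGS


def decode_fmove_fcr(words: List[int]) -> List[FmoveFcr]:
    """Scan a word stream and decode every FMOVE(M).L FPcr instruction found in it."""
    found, i = [], 0
    while i + 1 < len(words):
        op, ext = words[i], words[i + 1]
        # F-line, coprocessor id 1, general type 000, then a "10 d RRR 0...0" extension.
        if (op & 0xFFC0) != 0xF200 or (ext & 0xC000) != 0x8000 or (ext & 0x03FF) != 0:
            i += 1
            continue
        ea_mode, ea_reg = (op >> 3) & 7, op & 7
        is_write, mask = bool((ext >> 13) & 1), (ext >> 10) & 7
        nregs = bin(mask).count("1")
        mnemonic = "fmove.l" if nregs == 1 else "fmovem.l"
        is_imm = ea_mode == 7 and ea_reg == 4
        legal = immediate_legal(is_write, mask) if is_imm else True
        immediate = None
        if is_imm and legal and i + 3 < len(words):
            immediate = (words[i + 2] << 16) | words[i + 3]
        if is_imm:
            src = "#<data>" if immediate is None else f"#{immediate:#x}"
        else:
            src = f"<ea mode={ea_mode} reg={ea_reg}>"
        regs = reg_list(mask)
        text = f"{mnemonic} {regs},{src}" if is_write else f"{mnemonic} {src},{regs}"
        if not legal:
            text += "   ; rejected: #<data> is source-only and single-register"
        found.append(FmoveFcr(i, ea_mode, ea_reg, is_write, mask, immediate, legal, text))
        # A rejected form traps before its operand is read (the patch raises the
        # exception before read_im32), so only opcode + extension are consumed.
        i += 2 + (ea_extension_words(ea_mode, ea_reg, nregs) if legal else 0)
    return found


# From the oops quoted in the commit message: the "Code:" line, PC at <f23c>.
OOPS_CODE_LINE = ("1017 0200 00f0 0c00 0040 66ff 0000 05ac <f23c> 8800 0000 0000 "
                  "f23c 9000 0000 0000 222e ff84 082e 0005 ff1c 6600 000a 0281")

# Constructed, not from the page: the two immediate forms the patch rejects.
REJECTED_FORMS = [0xF23C, 0xA800, 0x0000, 0x0000,   # fmove.l fpsr,#<data>   (FPcr -> EA)
                  0xF23C, 0x9800, 0x0000, 0x0000]   # fmovem.l #<data>,fpcr/fpsr (2 regs)


def decode_oops() -> List[FmoveFcr]:
    """Decode the instructions at and after the faulting PC of the quoted oops."""
    words, pc = parse_code_line(OOPS_CODE_LINE)
    return [d for d in decode_fmove_fcr(words) if d.offset >= pc]


if __name__ == "__main__":
    for d in decode_oops() + decode_fmove_fcr(REJECTED_FORMS):
        print(f"+{d.offset:2d}: {d.text}")
```

Running it lists `fmove.l #0x0,fpsr` at word offset 8 (the marked PC) and `fmove.l #0x0,fpcr` at offset 12, which is the startup sequence the commit message attributes to R; the two constructed encodings come out flagged as rejected, matching the `is_write` and single-register tests in the patch. Because the decoder only steps over extension words for the addressing modes it knows, feed it instruction-aligned dumps such as a `Code:` line rather than arbitrary data.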