New 745x errata

Adrian Cox adrian at humboldt.co.uk
Tue Nov 18 02:37:00 EST 2003


On Mon, 2003-11-17 at 15:12, Gabriel Paubert wrote:
> On Mon, Nov 17, 2003 at 02:57:53PM +0000, Adrian Cox wrote:
> > Any opinion on the dcbt issue?  It looks like it could provide a way for
> > a malicious userspace application to crash the machine, though it needs
> > a combination of:
> > 1) good timing
> > 2) a peripheral that would be confused by an extra read cycle

> Well, only privileged applications should have access to
> peripherals, no?
[...]
> But maybe I miss something.

That's the bug - a dcbt to a protected region can cause a spurious read
cycle to that address. To trigger it:

1) the target address is in a BAT or TLB, marked as supervisor access
only.
2) a cache miss to a cache alias of the target address reaches the
load-store unit
2) you issue a dcbt to the target address within 1 clock cycle of step
2.

Actually, I now believe the bug may be harmless, as the peripheral has
an extra defence - its BAT or TLB entry will be non-cacheable, so no bus
cycle will occur. The text of the errata doesn't spell this out as
clearly as I'd like, but I think all it can do is cause a spurious bus
cycle to ram.

- Adrian Cox
http://www.humboldt.co.uk/


** Sent via the linuxppc-dev mail list. See http://lists.linuxppc.org/





More information about the Linuxppc-dev mailing list