Geode LX DDC freeze in emulator when executing OUTW 0x20

Bart Trojanowski bart at jukie.net
Sun Dec 23 12:02:04 PST 2007


Hi,

I have been looking into an issue we have been seeing on several GeodeLX
based embedded devices when using Linux 2.6.21-2.6.23, xorg 1.3.0.0 and
xorg-video-amd 2.7.7.X.  I have CC'ed the other people involved.

The investigation started on Ubuntu launchpad:

https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-amd/+bug/140051

It then continued on the new xorg-geode-driver mailing list:

http://lists.x.org/archives/xorg-driver-geode/2007-December/000002.html

I have traced through the code affected and discovered the following:

* xorg-video-amd DDC probe calls into vbeDoEDID()

* The X86EMU runs through thousands of VGA BIOS instructions, some of
  them being IO operations, but freezes when it tries to execute

        outl(0x20, 00000018)

* On the x86 port 0x20 is responsible for initializing the first PIC
  (interrupt controller).  After that instruction nothing else executes,
  probably because it messes up the (Linux) kernel's scheduler.

There is more info here for those interested...

http://lists.x.org/archives/xorg-driver-geode/2007-December/000074.html
http://lists.x.org/archives/xorg-driver-geode/2007-December/000075.html

We have no control over what the BIOS tries to execute but we can
prevent the emulator from causing bad things to happen when the BIOS
has bugs (or is expecting to be running only DOS).

Under the belief that access to certain ports should not be permitted
under any circumstances I propose this patch:

http://www.jukie.net/~bart/patches/xorg-server/20071222/0001-X86EMU-blacklist-I-O-port-20-for-INT-10-emulation.patch

The patch has a black list, but maybe a white list is more appropriate.

I have also seen a lot of accesses to port 0.  Port 0 is the first DMA
channel.  X has no guarantee that it's the only consumer of this
peripheral, and thus could cause really bad memory corruptions by
racing with other software (most likely the kernel).  For the purpose
of the DMA agents, X86EMU should probably emulate DMAs with memcpy().

I would like to continue working on this, but I need some advice from
the xorg-core team.  What direction would you like me to take this work?

Should I perhaps form a framework for blacklisting arbitrary
instructions and test them from X86EMU_exec() before executing the
actual handler?

Thanks for reading, and season's greetings.

-Bart

-- 
				WebSig: http://www.jukie.net/~bart/sig/
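As an added illustration of the port filter the post proposes (this is not Bart's patch, whose contents are not on the page, and it does not use X86EMU's real hook names): a stand-alone C sketch that checks every byte covered by an emulated OUT against a deny list before forwarding it to hardware. The post only names port 0x20 and port 0; treating the whole 8237 range 0x00-0x0F and both 8259 PICs (0x20/0x21 and 0xA0/0xA1) as off limits is an assumption, and `filtered_outx` / `hw_out` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Ports the emulated VGA BIOS must never reach from inside the X server.
   Constructed list: the post names 0x20 (master PIC) and 0 (DMA); extending
   to the full 8237 range and the slave PIC is an assumption. */
struct port_range { uint16_t lo, hi; const char *what; };

static const struct port_range denied[] = {
    { 0x00, 0x0F, "8237 DMA controller" },
    { 0x20, 0x21, "8259 master PIC" },
    { 0xA0, 0xA1, "8259 slave PIC" },
};

/* Returns a reason string if ANY byte of a width-byte access starting at
   port overlaps a denied range (so outw(0x1F, ...) is caught, since its
   second byte lands on 0x20), or NULL if the access may proceed. */
const char *io_denied_reason(uint16_t port, unsigned width)
{
    uint32_t first = port, last = (uint32_t)port + width - 1;
    for (size_t i = 0; i < sizeof denied / sizeof denied[0]; i++)
        if (first <= denied[i].hi && last >= denied[i].lo)
            return denied[i].what;
    return NULL;
}

/* Hypothetical hook placed in front of the emulator's real outb/outw/outl.
   Denied writes are logged and swallowed; returns true only if forwarded. */
bool filtered_outx(uint16_t port, uint32_t val, unsigned width,
                   void (*hw_out)(uint16_t, uint32_t, unsigned))
{
    const char *why = io_denied_reason(port, width);
    if (why) {
        fprintf(stderr, "x86emu: blocked out%u(0x%04x, 0x%0*x): %s\n",
                width * 8, port, (int)(width * 2), val, why);
        return false;
    }
    hw_out(port, val, width);
    return true;
}

/* Stand-in for real hardware access: just counts forwarded writes. */
static unsigned forwarded;
static void count_hw_out(uint16_t port, uint32_t val, unsigned width)
{ (void)port; (void)val; (void)width; forwarded++; }

int main(void)
{
    filtered_outx(0x20, 0x18, 4, count_hw_out);  /* the write from the post */
    filtered_outx(0x3C4, 0x01, 1, count_hw_out); /* VGA sequencer index: allowed */
    return forwarded == 1 ? 0 : 1;
}
```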
