| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Mar 2008 21:11:55 -0400 From: Jarod Wilson <jwilson@...hat.com> To: Stefan Richter <stefanr@...6.in-berlin.de> Cc: linux1394-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org Subject: Re: [PATCH] firewire: fw-ohci: sync AT dma buffer before use On Wednesday 12 March 2008 07:16:43 pm Stefan Richter wrote: > Jarod Wilson wrote: > > At least on my setup, where I could within seconds reliably reproduce a > > panic in handle_at_packet() by simply dd'ing from two drives on different > > controllers, the panic is gone. > > > > See http://bugzilla.kernel.org/show_bug.cgi?id=9617 > > Alas the panic from comment #10 is still there, i.e. instant crash when > plugging in an LSI based CD-RW (shortly after SCSI inquiry) --- but only > if CONFIG_DEBUG_PAGEALLOC=y. > > Jarod, did your crashes happen with CONFIG_DEBUG_PAGEALLOC=n? No, they're with it turned on (and still on w/this change where it doesn't panic). If I run with CONFIG_DEBUG_PAGEALLOC=n, no panic. > > --- a/drivers/firewire/fw-ohci.c > > +++ b/drivers/firewire/fw-ohci.c > > @@ -780,6 +780,10 @@ at_context_queue_packet(struct context *ctx, struct > > fw_packet *packet) > > > > context_append(ctx, d, z, 4 - z); > > > > + /* Sync the DMA buffer up for the device to read from */ > > + dma_sync_single_for_device(ohci->card.device, payload_bus, > > + packet->payload_length, DMA_TO_DEVICE); > > + > > /* If the context isn't already running, start it up. */ > > reg = reg_read(ctx->ohci, CONTROL_SET(ctx->regs)); > > if ((reg & CONTEXT_RUN) == 0) > > The dma_sync_single_ call should be conditional for > packet->payload_length > 0. You would have noticed that if my patch > "firewire: fw-ohci: shut up false compiler warning on PPC32" wouldn't > have shadowed the corresponding compiler warning, which would be for > real after your patch. And, as David wrote, the call should come before > context_append. > > However, we actually don't need it at all. > > The dma_map_single(...) already syncs the payload for the device, and we > don't access the payload after that anymore. D'oh, got overzealous reading dma docs, missed the fact that we didn't actually touch it on the host side, so nothing to actually sync... > So this patch shouldn't do > anything, except that it inserts a call which happens to have barrier > characteristics on some platforms. ...but got lucky in that it actually helps this particular setup (x86_64 kernel, dual quad-core opteron, 8G RAM, 3 FireWire controllers). Hrm. > What we rather have to check is: > > - Are we really writing into the context program the order that we > need to? This includes ordering WRT MMIO writes. > > - Are we writing the branch address atomically? (No, we don't enforce > an atomic access at the moment, although it is very likely that the > compiler uses an atomic access.) > > (We have to expect that the controller reads a descriptor while we write > into it.) More investigative fun for tomorrow... > - Is there a use-after-free problem somewhere? > > (A pattern in the original report and in a crash that you mentioned > looked like use of freed memory: "Faulting instruction address: > 0x6b6b6b68" in comment #1.) Seems both of the ones that looked like slab poison were on PowerPC. I'll have to spin up a ppc kernel on the old powerbook and poke around more. -- Jarod Wilson jwilson@...hat.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists