| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Jun 2015 11:05:07 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: Hans de Goede <hdegoede@...hat.com>,
Darren Hart <dvhart@...radead.org>,
Ben Skeggs <bskeggs@...hat.com>,
Stuart Hayes <stuart_hayes@...l.com>,
Matthew Garrett <mjg@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Michal Hocko <mhocko@...e.cz>
Cc: platform-driver-x86@...r.kernel.org, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: Possible broken MM code in dell-laptop.c?
Hello,
in drivers/platform/x86/dell-laptop.c is this part of code:
static int __init dell_init(void)
{
...
/*
* Allocate buffer below 4GB for SMI data--only 32-bit physical addr
* is passed to SMI handler.
*/
bufferpage = alloc_page(GFP_KERNEL | GFP_DMA32);
if (!bufferpage) {
ret = -ENOMEM;
goto fail_buffer;
}
buffer = page_address(bufferpage);
ret = dell_setup_rfkill();
if (ret) {
pr_warn("Unable to setup rfkill\n");
goto fail_rfkill;
}
...
fail_rfkill:
free_page((unsigned long)bufferpage);
fail_buffer:
...
}
Then there is another part:
static void __exit dell_exit(void)
{
...
free_page((unsigned long)buffer);
}
I suspect that there is some problem with free_page() call. In dell_init
is called free_page() on bufferpage and in dell_exit() on buffer.
Matthew and Stuart, you introduced this inconsistency in commit:
-------------------------------------------------
commit 116ee77b2858d9c89c0327f3a47c8ba864bf4a96
Author: Stuart Hayes <stuart_hayes@...l.com>
Committer: Matthew Garrett <mjg@...hat.com>
Date: Wed Feb 10 14:12:13 2010 -0500
dell-laptop: Use buffer with 32-bit physical address
Calls to communicate with system firmware via a SMI (using dcdbas)
need to use a buffer that has a physical address of 4GB or less.
Currently the dell-laptop driver does not guarantee this, and when
the
buffer address is higher than 4GB, the address is truncated to 32
bits
and the SMI handler writes to the wrong memory address.
Signed-off-by: Stuart Hayes <stuart_hayes@...l.com>
Acked-by: Matthew Garrett <mjg@...hat.com>
-------------------------------------------------
Can you or somebody else (CCed linux-mm) look at this page related code?
I think it is wrong, but somebody authoritative should provide answer.
Thanks.
--
Pali Rohár
pali.rohar@...il.com
Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists