lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <52A87E84.3030804@rosalab.ru>
Date:	Wed, 11 Dec 2013 19:02:28 +0400
From:	Eugene Shatokhin <eugene.shatokhin@...alab.ru>
To:	Alan Stern <stern@...land.harvard.edu>
CC:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	linux-usb@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: uhci_hcd: Possible corruption of DMA pool uhci->td_pool

Hi,

On ROSA Linux with kernel 3.10.21 with DMA debug options enabled, the 
kernel sometimes issues a warning about DMA pool corruption (see the log 
below).

That happens sometimes, when the system boots or resumes from 
hibernation with Samson C01U USB microphone attached.

The affected DMA pool is 'uhci->td_pool', uhci_alloc_td() from 
drivers/usb/host/uhci-hcd.c makes the relevant dma_pool_alloc() calls.

Any ideas about how to find what causes this and how to fix it?

Here is the relevant part of the system log:
----------------------------
[   22.264332] usb 2-1: new full-speed USB device number 2 using uhci_hcd
[   22.450609] usb 2-1: New USB device found, idVendor=17a0, idProduct=0001
[   22.450626] usb 2-1: New USB device strings: Mfr=1, Product=2, 
SerialNumber=0
[   22.450639] usb 2-1: Product: Samson C01U
[   22.450649] usb 2-1: Manufacturer: Samson Technologies
<...>
[  280.703483] retire_capture_urb: 4494 callbacks suppressed
[  284.961087] uhci_hcd 0000:00:1d.1: dma_pool_alloc uhci_td, efb7b060 
(corruped)
[  284.961087] 00000000: 00 06 00 00 af 00 00 03 a7 a7 a7 a7 a7 a7 a7 a7 
  ................
[  284.961087] 00000010: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 
  ................
[  284.961087] 00000020: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 
  ................
[  284.961087] retire_capture_urb: 4343 callbacks suppressed
[  284.961087] uhci_hcd 0000:00:1d.1: dma_pool_alloc uhci_td, efb7b5d0 
(corruped)
[  284.961087] 00000000: 00 06 00 00 af 00 00 03 a7 a7 a7 a7 a7 a7 a7 a7 
  ................
[  284.961087] 00000010: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 
  ................
[  284.961087] 00000020: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 
  ................
[  284.961087] cannot submit urb (err = -27)
[  284.961087] cannot submit urb (err = -27)
[  284.961087] cannot submit urb (err = -27)
[  284.961087] cannot submit urb (err = -27)
[  284.961087] cannot submit urb (err = -27)
[  284.961087] cannot submit urb (err = -27)
[  284.961087] cannot submit urb (err = -27)
[  284.961087] cannot submit urb (err = -27)
----------------------------

0xa7 is POOL_POISON_FREED. The memory pages to be allocated from the 
pool should be filled with such bytes.

Each time I observed this problem, the first 8 bytes of the listed 
memory area were overwritten, with different data each time.

Regards,
Eugene

-- 
Eugene Shatokhin, ROSA Laboratory.
www.rosalab.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ