| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Dec 2013 12:16:16 +0400 From: Eugene Shatokhin <eugene.shatokhin@...alab.ru> To: Alan Stern <stern@...land.harvard.edu> CC: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, linux-usb@...r.kernel.org, LKML <linux-kernel@...r.kernel.org> Subject: Re: uhci_hcd: Possible corruption of DMA pool uhci->td_pool On 12/11/2013 08:41 PM, Alan Stern wrote: > On Wed, 11 Dec 2013, Eugene Shatokhin wrote: > >> Hi, >> >> On ROSA Linux with kernel 3.10.21 with DMA debug options enabled, the >> kernel sometimes issues a warning about DMA pool corruption (see the log >> below). >> >> That happens sometimes, when the system boots or resumes from >> hibernation with Samson C01U USB microphone attached. >> >> The affected DMA pool is 'uhci->td_pool', uhci_alloc_td() from >> drivers/usb/host/uhci-hcd.c makes the relevant dma_pool_alloc() calls. >> >> Any ideas about how to find what causes this and how to fix it? > > This is not an easy sort of thing to track down... > >> Here is the relevant part of the system log: >> ---------------------------- >> [ 22.264332] usb 2-1: new full-speed USB device number 2 using uhci_hcd >> [ 22.450609] usb 2-1: New USB device found, idVendor=17a0, idProduct=0001 >> [ 22.450626] usb 2-1: New USB device strings: Mfr=1, Product=2, >> SerialNumber=0 >> [ 22.450639] usb 2-1: Product: Samson C01U >> [ 22.450649] usb 2-1: Manufacturer: Samson Technologies >> <...> >> [ 280.703483] retire_capture_urb: 4494 callbacks suppressed >> [ 284.961087] uhci_hcd 0000:00:1d.1: dma_pool_alloc uhci_td, efb7b060 >> (corruped) >> [ 284.961087] 00000000: 00 06 00 00 af 00 00 03 a7 a7 a7 a7 a7 a7 a7 a7 >> ................ >> [ 284.961087] 00000010: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 >> ................ >> [ 284.961087] 00000020: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 >> ................ >> [ 284.961087] retire_capture_urb: 4343 callbacks suppressed >> [ 284.961087] uhci_hcd 0000:00:1d.1: dma_pool_alloc uhci_td, efb7b5d0 >> (corruped) >> [ 284.961087] 00000000: 00 06 00 00 af 00 00 03 a7 a7 a7 a7 a7 a7 a7 a7 >> ................ >> [ 284.961087] 00000010: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 >> ................ >> [ 284.961087] 00000020: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 >> ................ >> [ 284.961087] cannot submit urb (err = -27) >> [ 284.961087] cannot submit urb (err = -27) >> [ 284.961087] cannot submit urb (err = -27) >> [ 284.961087] cannot submit urb (err = -27) >> [ 284.961087] cannot submit urb (err = -27) >> [ 284.961087] cannot submit urb (err = -27) >> [ 284.961087] cannot submit urb (err = -27) >> [ 284.961087] cannot submit urb (err = -27) >> ---------------------------- >> >> 0xa7 is POOL_POISON_FREED. The memory pages to be allocated from the >> pool should be filled with such bytes. >> >> Each time I observed this problem, the first 8 bytes of the listed >> memory area were overwritten, with different data each time. > > It kind of looks like a hardware bug. Still, it's hard to say. > > Can you test the current 3.13-rc kernel? There have been a few recent > changes in this area that might have an effect. > I tested 3.13-rc3 - the problem has not shown up so far. Regards, Eugene -- Eugene Shatokhin, ROSA Laboratory. www.rosalab.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists