| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Mar 2019 11:33:52 +0800
From: Liang Yang <liang.yang@...ogic.com>
To: Martin Blumenstingl <martin.blumenstingl@...glemail.com>
CC: Miquel Raynal <miquel.raynal@...tlin.com>, <mark.rutland@....com>,
<devicetree@...r.kernel.org>, <jianxin.pan@...ogic.com>,
<linux-kernel@...r.kernel.org>, <robh+dt@...nel.org>,
<linux-mtd@...ts.infradead.org>,
<linux-amlogic@...ts.infradead.org>,
<linux-arm-kernel@...ts.infradead.org>
Subject: Re: [RFC PATCH nand-next 0/2] meson-nand: support for older SoCs
Hi Martin,
Thanks for your time.
On 2019/3/20 4:27, Martin Blumenstingl wrote:
> Hello Liang,
>
> On Sat, Mar 16, 2019 at 11:55 AM Martin Blumenstingl
> <martin.blumenstingl@...glemail.com> wrote:
> [...]
>>> Martin, Now i am not sure whether NFC driver leads to kernel panic when
>>> calling kmem_cache_alloc_trace.
>> thank you for confirming that it works for you on GXL
>>
>> I'm not sure that this is a NFC driver problem.
>> after enabling CONFIG_SLAB_FREELIST_HARDENED in my kernel config the
>> crash moves. it's now crashing in slub.c's kfree() at
>> BUG_ON(!PageCompound(page));
> I added some debug prints in meson_nfc_read_buf() to get some details
> about the info buffer before the crash,
> format is: meson_nfc_read_buf <virtual address> <physical address>
>
> during my first test three different addresses are used:
> - meson_nfc_read_buf e9e6c640 0x29e6c640 (works fine)
> - meson_nfc_read_buf e9e6c680 0x29e6c680 (works fine)
> - meson_nfc_read_buf ee39a34b 0x2e39a34b (crashes during kfree)
>
> so I tried playing around with the allocation size (see the attached
> patch) and changed it to:
> kzalloc(PER_INFO_BYTE + 64, GFP_KERNEL)
> this results in the following addresses being used:
> - meson_nfc_read_buf e9ea4280 0x29ea4280 (works fine)
> - meson_nfc_read_buf e9ea4300 0x29ea4300 (works fine)
> (there is no crash anymore)
>
> Liang, are there any special requirements on the "info address" like
> the alignment?
It must be 4 bytes alignment. i have met it previously when debugging
NFC driver on AXG platform, but it is not specified on spec. Now i am
confused that how to get the no aligned address "xe39a34b" when using
kmalloc; i think it should return the aligned address. doesn't it?
> also do you know why the PER_INFO_BYTE buffer is allocated dynamically
> in meson_nfc_read_buf() instead of allocating it at initialization?
> I'm not saying that it should be changed! I'm curious because there's
> per-meson_nfc_nand_chip info and data buffers which are allocated at
> initialization time.
> NAND scan or initialization is divided into three stages:
nand_scan_ident->nand_attach->nand_scan_tail. info and data buffer which
depend on the result of nand_scan_ident are allocated on nand_attach; so
nand_scan_ident can not use the info buffer on meson_nfc_nand_chip.
Allocating a fixed size info buffer before nand_scan_ident and attach it
on the struct meson_nfc; Or considering not use dma for reading data
less than 8 bytes. Both can reduce kmalloc and kfree calling. Thanks.
>
> meson_nfc_read_buf debug log with PER_INFO_BYTE allocation:
> [ 2.032914] meson_nfc_read_buf e9e6c640 0x29e6c640
> [ 2.033005] meson_nfc_dma_buffer_setup 0x29e6c640
> [ 2.037717] meson_nfc_read_buf: about to kfree info
> [ 2.042535] meson_nfc_read_buf: kfree'd info
> [ 2.046794] meson_nfc_read_buf e9e6c640 0x29e6c640
> [ 2.051552] meson_nfc_dma_buffer_setup 0x29e6c640
> [ 2.056261] meson_nfc_read_buf: about to kfree info
> [ 2.061086] meson_nfc_read_buf: kfree'd info
> [ 2.065356] meson_nfc_read_buf e9e6c680 0x29e6c680
> [ 2.070102] meson_nfc_dma_buffer_setup 0x29e6c680
> [ 2.074810] meson_nfc_read_buf: about to kfree info
> [ 2.079635] meson_nfc_read_buf: kfree'd info
> [ 2.083978] meson_nfc_read_buf e9e6c640 0x29e6c640
> [ 2.088684] meson_nfc_dma_buffer_setup 0x29e6c640
> [ 2.093334] meson_nfc_read_buf: about to kfree info
> [ 2.098199] meson_nfc_read_buf: kfree'd info
> [ 2.102446] meson_nfc_read_buf e9e6c640 0x29e6c640
> [ 2.107208] meson_nfc_dma_buffer_setup 0x29e6c640
> [ 2.111883] meson_nfc_read_buf: about to kfree info
> [ 2.116765] meson_nfc_read_buf: kfree'd info
> [ 2.120996] meson_nfc_read_buf e9e6c640 0x29e6c640
> [ 2.125762] meson_nfc_dma_buffer_setup 0x29e6c640
> [ 2.130433] meson_nfc_read_buf: about to kfree info
> [ 2.135294] meson_nfc_read_buf: kfree'd info
> [ 2.139545] Could not find a valid ONFI parameter page, trying
> bit-wise majority to recover it
> [ 2.148173] ONFI parameter recovery failed, aborting
> [ 2.153058] meson_nfc_read_buf e9e6c680 0x29e6c680
> [ 2.157831] meson_nfc_dma_buffer_setup 0x29e6c680
> [ 2.162527] meson_nfc_read_buf: about to kfree info
> [ 2.167369] meson_nfc_read_buf: kfree'd info
> [ 2.171611] meson_nfc_read_buf ee39a34b 0x2e39a34b
> [ 2.176383] meson_nfc_dma_buffer_setup 0x2e39a34b
> [ 2.181076] meson_nfc_read_buf: about to kfree info
> [ 2.185932] ------------[ cut here ]------------
> [ 2.190503] kernel BUG at mm/slub.c:3950!
> [ 2.194491] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
> ...
>
> meson_nfc_read_buf debug log with PER_INFO_BYTE+64 allocation:
> [ 2.033019] meson_nfc_read_buf e9ea4280 0x29ea4280
> [ 2.033112] meson_nfc_dma_buffer_setup 0x29ea4280
> [ 2.037847] meson_nfc_read_buf: about to kfree info
> [ 2.042642] meson_nfc_read_buf: kfree'd info
> [ 2.046909] meson_nfc_read_buf e9ea4280 0x29ea4280
> [ 2.051659] meson_nfc_dma_buffer_setup 0x29ea4280
> [ 2.056374] meson_nfc_read_buf: about to kfree info
> [ 2.061192] meson_nfc_read_buf: kfree'd info
> [ 2.065461] meson_nfc_read_buf e9ea4280 0x29ea4280
> [ 2.070208] meson_nfc_dma_buffer_setup 0x29ea4280
> [ 2.074922] meson_nfc_read_buf: about to kfree info
> [ 2.079742] meson_nfc_read_buf: kfree'd info
> [ 2.084087] meson_nfc_read_buf e9ea4280 0x29ea4280
> [ 2.088789] meson_nfc_dma_buffer_setup 0x29ea4280
> [ 2.093440] meson_nfc_read_buf: about to kfree info
> [ 2.098303] meson_nfc_read_buf: kfree'd info
> [ 2.102553] meson_nfc_read_buf e9ea4280 0x29ea4280
> [ 2.107316] meson_nfc_dma_buffer_setup 0x29ea4280
> [ 2.111990] meson_nfc_read_buf: about to kfree info
> [ 2.116870] meson_nfc_read_buf: kfree'd info
> [ 2.121103] meson_nfc_read_buf e9ea4280 0x29ea4280
> [ 2.125868] meson_nfc_dma_buffer_setup 0x29ea4280
> [ 2.130540] meson_nfc_read_buf: about to kfree info
> [ 2.135400] meson_nfc_read_buf: kfree'd info
> [ 2.139652] Could not find a valid ONFI parameter page, trying
> bit-wise majority to recover it
> [ 2.148276] ONFI parameter recovery failed, aborting
> [ 2.153165] meson_nfc_read_buf e9ea4280 0x29ea4280
> [ 2.157938] meson_nfc_dma_buffer_setup 0x29ea4280
> [ 2.162634] meson_nfc_read_buf: about to kfree info
> [ 2.167475] meson_nfc_read_buf: kfree'd info
> [ 2.171717] meson_nfc_read_buf e9ea4280 0x29ea4280
> [ 2.176489] meson_nfc_dma_buffer_setup 0x29ea4280
> [ 2.181183] meson_nfc_read_buf: about to kfree info
> [ 2.186025] meson_nfc_read_buf: kfree'd info
> [ 2.190265] nand: device found, Manufacturer ID: 0xad, Chip ID: 0xde
> [ 2.196598] nand: Hynix NAND 8GiB 3,3V 8-bit
> [ 2.200840] nand: 8192 MiB, MLC, erase size: 4096 KiB, page size:
> 16384, OOB size: 1280
> [ 2.208829] meson_nfc_read_buf e9ea4300 0x29ea4300
> [ 2.213581] meson_nfc_dma_buffer_setup 0x29ea4300
> [ 2.218291] meson_nfc_read_buf: about to kfree info
> [ 2.223115] meson_nfc_read_buf: kfree'd info
> [ 2.227374] ------------[ cut here ]------------
> [ 2.231968] WARNING: CPU: 1 PID: 1 at
> drivers/mtd/nand/raw/nand_base.c:5503 nand_scan_with_ids+0x1718/0x171c
> [ 2.241760] No oob scheme defined for oobsize 1280
> ...
> (the "No oob scheme defined for oobsize 1280" message is expected)
>
miss mtd_set_ooblayout(mtd, &meson_ooblayout_ops) on function
meson_nand_attach_chip.
>
> Regards
> Martin
>
Powered by blists - more mailing lists