Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?

From: David Mosberger
Date: Wed Mar 10 2004 - 13:10:56 EST

Next message: Geert Uytterhoeven: "[PATCH] Applicom warning"
Previous message: Randy.Dunlap: "Re: (0 == foo), rather than (foo == 0)"
In reply to: David Brownell: "Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?"
Next in thread: David Brownell: "Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>>>>> On Wed, 10 Mar 2004 08:22:26 -0800, David Brownell <david-b@xxxxxxxxxxx> said:

David.B> It won't add new BUG_ON calls (WARN at worst)

I put them there mostly as assertions. What I'd really want there is
a DEBUG_BUG_ON, which is more like assert() in user-land (i.e.,
production code would drop the checks). WARN_ON() would be fine, too.

>> The current OHCI relies on the internals of the dma_pool()
>> implementation. If the implementation changed to, say, modify
>> the memory that is free or, heaven forbid, return the memory to
>> the kernel, you'd get _extremely_ difficult to track down race
>> conditions.

David.B> It'd be good if you said _how_ you think it relies on such
David.B> internals.

I thought I did. Suppose somebody changed the dma_pool code such that
it would overwrite freed memory with an 0xf00000000000000 pattern. If
the HC can still hold a reference to a freed ED (it can without my
patch), the HC could see this kind of ED:

hw=(info=00000000 tailp=f0000000 headp=00000000 nextED=f0000000)

If so, the HC would go ahead and try to interpret the memory at
address 0 as a transfer descriptor. Depending on the memory contents,
this could cause silent data corruption at an arbitrary address.

>> - thus you might get a case where hwTailP is 0 but hwHeadP is
>> non-zero, which would cause the HC to happily start dereferencing
>> the descriptor

David.B> If you assume a bug where the ED is freed but still in use,
David.B> that's hardly the only thing that'd go wrong!! You can't
David.B> use such a potential bug to prove something else is broken.

You lost me here. All I'm saying is that the current code has a
dangerous race that can corrupt memory, crash machines, or have all
sorts of other wild side-effects. I never claimed this bug had
anything todo with the BTC keyboard problem.

--david
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Geert Uytterhoeven: "[PATCH] Applicom warning"
Previous message: Randy.Dunlap: "Re: (0 == foo), rather than (foo == 0)"
In reply to: David Brownell: "Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?"
Next in thread: David Brownell: "Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]