Re: 2.6.37-rc7: Regression: b43: crashes in hwrng_register()

From: Mario 'BitKoenig' Holbe
Date: Thu Dec 30 2010 - 21:29:27 EST


On Thu, Dec 30, 2010 at 06:46:31PM -0600, Larry Finger wrote:
> On 12/30/2010 06:37 PM, Herbert Xu wrote:
> > My suspicion is that VIA's xstore is writing more than 4 bytes as
> > the list pointer happens to lie immediately after rng->priv which
> > is where xstore is writing to.
> >
> > Harald, do you know whether this is documented or is this a known
> > errata item?
>
> The following patch should be able to test if xstore is overwriting the list
> pointer.

Confirmed. No crashes with the junk buffer in action.
I applied both patches (dump_stack() in hwrng_register() and junk[]
after priv data) to vanilla 2.6.37-rc7 and tested both: via-rng and my
via+rng2 as well as via-rng and b43-rng - no crashes. The (previously
also crashing) `cat rng_available' does survive as well:

$ cat /sys/devices/virtual/misc/hw_random/rng_available
via b43_phy0 via2
$

Attached 2 dmesg excerpts.


regards & g'nite
Mario
--
Tower: "Say fuelstate." Pilot: "Fuelstate."
Tower: "Say again." Pilot: "Again."
Tower: "Arghl, give me your fuel!" Pilot: "Sorry, need it by myself..."

[ 11.606134] VIA RNG detected
[ 11.606139] Calling hwrng_register
[ 11.606145] Pid: 752, comm: modprobe Not tainted 2.6.37-rc7-self #1
[ 11.606149] Call Trace:
[ 11.606159] [<f90c33ac>] ? hwrng_register+0x2c/0x14d [rng_core]
[ 11.606167] [<f90d0023>] ? mod_init+0x23/0x3b [via_rng]
[ 11.606176] [<c1003069>] ? do_one_initcall+0x68/0x10f
[ 11.606186] [<c105f0d3>] ? sys_init_module+0xca5/0xe36
[ 11.606214] [<c1008b1f>] ? sysenter_do_call+0x12/0x28
...
[ 92.687121] VIA RNG detected
[ 92.687126] Calling hwrng_register
[ 92.687132] Pid: 2698, comm: modprobe Not tainted 2.6.37-rc7-self #1
[ 92.687136] Call Trace:
[ 92.687152] [<f90c33ac>] ? hwrng_register+0x2c/0x14d [rng_core]
[ 92.687161] [<f8274023>] ? mod_init+0x23/0x3b [via_rng2]
[ 92.687171] [<c1003069>] ? do_one_initcall+0x68/0x10f
[ 92.687181] [<c105f0d3>] ? sys_init_module+0xca5/0xe36
[ 92.687227] [<c1008b1f>] ? sysenter_do_call+0x12/0x28

[ 11.686811] VIA RNG detected
[ 11.686816] Calling hwrng_register
[ 11.686822] Pid: 807, comm: modprobe Not tainted 2.6.37-rc7-self #1
[ 11.686826] Call Trace:
[ 11.686839] [<f8fb23ac>] ? hwrng_register+0x2c/0x14d [rng_core]
[ 11.686847] [<f923f023>] ? mod_init+0x23/0x3b [via_rng]
[ 11.686856] [<c1003069>] ? do_one_initcall+0x68/0x10f
[ 11.686867] [<c105f0d3>] ? sys_init_module+0xca5/0xe36
[ 11.686897] [<c1008b1f>] ? sysenter_do_call+0x12/0x28
...
[ 29.964239] b43-pci-bridge 0000:02:00.0: PCI: Disallowing DAC for device
[ 29.964251] b43-phy0: DMA mask fallback from 64-bit to 32-bit
[ 29.984626] Calling hwrng_register
[ 29.984640] Pid: 1550, comm: NetworkManager Not tainted 2.6.37-rc7-self #1
[ 29.984648] Call Trace:
[ 29.984688] [<f8fb23ac>] ? hwrng_register+0x2c/0x14d [rng_core]
[ 29.984729] [<f8ffe879>] ? b43_wireless_core_init+0xd12/0xddf [b43]
[ 29.984759] [<f8ffed73>] ? b43_op_start+0xf8/0x142 [b43]
[ 29.984796] [<f8d463da>] ? cfg80211_netdev_notifier_call+0x342/0x355 [cfg80211]
[ 29.984853] [<f8f1a889>] ? ieee80211_do_open+0xed/0x45f [mac80211]
[ 29.984886] [<f8f19e7a>] ? ieee80211_check_concurrent_iface+0x1c/0x135 [mac80211]
[ 29.984908] [<c1203247>] ? __dev_open+0x7d/0xa7
[ 29.984922] [<c1201c10>] ? __dev_change_flags+0x9a/0x10d
[ 29.984934] [<c120319f>] ? dev_change_flags+0x10/0x3b
[ 29.984949] [<c120d207>] ? do_setlink+0x23e/0x532
[ 29.984965] [<c120d5cb>] ? rtnl_setlink+0xd0/0xe1
[ 29.984986] [<c114f000>] ? clear_user+0x2b/0x43
[ 29.984997] [<c120d4fb>] ? rtnl_setlink+0x0/0xe1
[ 29.985008] [<c120cd32>] ? rtnetlink_rcv_msg+0x186/0x19c
[ 29.985020] [<c120cbac>] ? rtnetlink_rcv_msg+0x0/0x19c
[ 29.985034] [<c121bda8>] ? netlink_rcv_skb+0x2d/0x72
[ 29.985046] [<c120cba6>] ? rtnetlink_rcv+0x18/0x1e
[ 29.985056] [<c121bbfc>] ? netlink_unicast+0xba/0x10e
[ 29.985068] [<c121c700>] ? netlink_sendmsg+0x23d/0x256
[ 29.985082] [<c11f53a6>] ? __sock_sendmsg+0x48/0x4e
[ 29.985093] [<c11f560f>] ? sock_sendmsg+0x78/0x8f
[ 29.985105] [<c11f560f>] ? sock_sendmsg+0x78/0x8f
[ 29.985119] [<c10cf5dd>] ? d_kill+0x38/0x3d
[ 29.985137] [<c11fd48c>] ? verify_iovec+0x3d/0x79
[ 29.985147] [<c11f5e0d>] ? sys_sendmsg+0x15f/0x1c1
[ 29.985159] [<c11f5a44>] ? sockfd_lookup_light+0x13/0x3f
[ 29.985170] [<c11f60a5>] ? sys_sendto+0xfd/0x121
[ 29.985182] [<c11f996b>] ? sk_prot_alloc+0x62/0xd6
[ 29.985195] [<c10079ee>] ? __switch_to+0x6f/0xe2
[ 29.985213] [<c129ced6>] ? schedule+0x579/0x5b6
[ 29.985225] [<c11f5ca3>] ? sys_recvmsg+0x3c/0x47
[ 29.985236] [<c11f707d>] ? sys_socketcall+0x17f/0x1cb
[ 29.985249] [<c1008b1f>] ? sysenter_do_call+0x12/0x28
[ 29.987285] ADDRCONF(NETDEV_UP): wlan0: link is not ready
...
[ 99.003298] VIA RNG detected
[ 99.003303] Calling hwrng_register
[ 99.003309] Pid: 2797, comm: modprobe Not tainted 2.6.37-rc7-self #1
[ 99.003313] Call Trace:
[ 99.003332] [<f8fb23ac>] ? hwrng_register+0x2c/0x14d [rng_core]
[ 99.003341] [<f8281023>] ? mod_init+0x23/0x3b [via_rng2]
[ 99.003350] [<c1003069>] ? do_one_initcall+0x68/0x10f
[ 99.003360] [<c105f0d3>] ? sys_init_module+0xca5/0xe36
[ 99.003403] [<c1008b1f>] ? sysenter_do_call+0x12/0x28

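The effect Herbert suspects and Larry's test patch checks for (an instruction storing more bytes than the 4 the driver expects, so that the overrun lands in the list pointer that happens to sit right behind rng->priv) can be reproduced in user space without the hardware. The following is an added example, not Larry's patch and not kernel code: `fake_xstore()` is a constructed stand-in that always stores 8 bytes of a fixed pattern, the structs are packed with a 32-bit "pointer" so the layout matches the reporter's i386 box on any host, and the guard region plays the role of the junk buffer from the test patch, letting the overrun be measured instead of silently corrupting the neighbouring field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for VIA's xstore instruction. The driver asks for
 * XSTORE_EXPECTED_BYTES of random data, but, as suspected in the thread,
 * the hardware may store more. This stub always stores XSTORE_ACTUAL_BYTES
 * of a fixed pattern so the effect is deterministic and testable. */
#define XSTORE_EXPECTED_BYTES 4
#define XSTORE_ACTUAL_BYTES   8

static void fake_xstore(void *dst)
{
    static const unsigned char pattern[XSTORE_ACTUAL_BYTES] =
        { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
    memcpy(dst, pattern, XSTORE_ACTUAL_BYTES);
}

/* Layout as on the reporter's i386 box: a 4-byte priv word with the list
 * pointer immediately behind it. The pointer is modelled as a 32-bit
 * integer and the struct is packed so the layout is the same on any host
 * (assumption made for this example, not the real struct hwrng). */
struct __attribute__((packed)) rng_naive {
    uint32_t priv;
    uint32_t list_next;
};

/* Diagnostic layout in the spirit of the junk-buffer test patch: a guard
 * region filled with a known byte sits between priv and the list pointer,
 * so an overrun lands in the guard instead of the pointer and its length
 * can be measured afterwards. */
#define GUARD_SIZE 16
#define GUARD_FILL 0xA5

struct __attribute__((packed)) rng_guarded {
    uint32_t priv;
    unsigned char guard[GUARD_SIZE];
    uint32_t list_next;
};

/* Constructed sentinel standing in for a valid list pointer. */
#define LIST_SENTINEL 0xC0FFEE00u

/* Returns 1 if the overrun clobbered list_next in the naive layout. */
int naive_layout_clobbered(void)
{
    struct rng_naive rng;
    memset(&rng, 0, sizeof rng);
    rng.list_next = LIST_SENTINEL;
    fake_xstore(&rng);             /* priv is the first member */
    return rng.list_next != LIST_SENTINEL;
}

/* Returns the number of bytes written past priv into the guard, or -1 if
 * the write went beyond the guard and reached list_next after all. */
int guarded_overrun_bytes(void)
{
    struct rng_guarded rng;
    int n;
    memset(&rng, 0, sizeof rng);
    memset(rng.guard, GUARD_FILL, GUARD_SIZE);
    rng.list_next = LIST_SENTINEL;
    fake_xstore(&rng);             /* priv is the first member */
    if (rng.list_next != LIST_SENTINEL)
        return -1;
    for (n = 0; n < GUARD_SIZE && rng.guard[n] != GUARD_FILL; n++)
        ;
    return n;
}

int main(void)
{
    printf("naive layout: list pointer clobbered = %d\n",
           naive_layout_clobbered());
    printf("guarded layout: %d byte(s) written past priv\n",
           guarded_overrun_bytes());
    return 0;
}
```

With the 8-byte stub the naive layout reports the list pointer as clobbered, which is the list corruption that later crashes in hwrng_register(), while the guarded layout keeps the pointer intact and reports 4 bytes of overrun, the same information the junk buffer in the test patch provides; in the real driver the equivalent measurement would be dumping the junk[] bytes after a call.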