From: David Brownell <david-b@pacbell.net>
To: davidm@hpl.hp.com
Cc: Grant Grundler <iod00d@hp.com>, Greg KH <greg@kroah.com>,
vojtech@suse.cz, linux-usb-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, linux-ia64@vger.kernel.org,
pochini@shiny.it
Subject: Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?
Date: Wed, 10 Mar 2004 16:22:26 +0000 [thread overview]
Message-ID: <404F40C2.3080003@pacbell.net> (raw)
In-Reply-To: <16462.48341.393442.583311@napali.hpl.hp.com>
I'll send out a revised patch later, thanks! It's also good
this code got a more careful read. It seems like some things
are not as obvious as I might like...
That patch will merge those list corruption fixes I sent, the
"else" you verified was needed (ugh!!!), and some of what you
include here. It won't add new BUG_ON calls (WARN at worst)
or a duplicate ED state (see next).
> >> ... add a new state
> >> ED_DESCHEDULED, which is treated exactly like ED_IDLE, except
> >> that in this state, the HC may still be referring to the ED in
> >> question. Thus, if
>
> David.B> Sounds exactly like ED_UNLINK -- except maybe that it's not
> David.B> been put onto ed_rm_list (with ED_DEQUEUE set). Why add
> David.B> another state?
> ...
>
> The current OHCI relies on the internals of the dma_pool()
> implementation. If the implementation changed to, say, modify the
> memory that is free or, heaven forbid, return the memory to the
> kernel, you'd get _extremely_ difficult to track down race conditions.
The current implementation _does_ poison memory on free, if
slab poisoning is enabled. (That's why I asked if you were
using it.)
And that's been quite handy for reporting list corruption bugs,
from races or otherwise. But those list corruption bugs hit a
blind spot in that code: it doesn't check for modify-after-free.
Which is why those bugs were able to hide for so long!
It'd be good if you said _how_ you think it relies on such
internals. Some of your debug diagnostics wrongly claimed
allocation of "new" EDs when they were just being re-used.
That'd make intentional/safe re-use look like a bug or race.
> Even so, the code isn't race-free, like I explained yesterday:
>
> - ed_alloc() clears the ED to 0 via memset()
> - the order in which memset() clears memory is undefined (various
> from platform to platform etc)
There's a wmb() before any ED is handed off to the OHCI silicon;
that forces a defined order. Top of ed_schedule(). First use,
or Nth re-use; no matter.
> - thus you might get a case where hwTailP is 0 but hwHeadP
> is non-zero, which would cause the HC to happily start
> dereferencing the descriptor
If you assume a bug where the ED is freed but still in use,
that's hardly the only thing that'd go wrong!! You can't
use such a potential bug to prove something else is broken.
- Dave
WARNING: multiple messages have this Message-ID (diff)
From: David Brownell <david-b@pacbell.net>
To: davidm@hpl.hp.com
Cc: Grant Grundler <iod00d@hp.com>, Greg KH <greg@kroah.com>,
vojtech@suse.cz, linux-usb-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, linux-ia64@vger.kernel.org,
pochini@shiny.it
Subject: Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?
Date: Wed, 10 Mar 2004 08:22:26 -0800 [thread overview]
Message-ID: <404F40C2.3080003@pacbell.net> (raw)
In-Reply-To: <16462.48341.393442.583311@napali.hpl.hp.com>
I'll send out a revised patch later, thanks! It's also good
this code got a more careful read. It seems like some things
are not as obvious as I might like...
That patch will merge those list corruption fixes I sent, the
"else" you verified was needed (ugh!!!), and some of what you
include here. It won't add new BUG_ON calls (WARN at worst)
or a duplicate ED state (see next).
> >> ... add a new state
> >> ED_DESCHEDULED, which is treated exactly like ED_IDLE, except
> >> that in this state, the HC may still be referring to the ED in
> >> question. Thus, if
>
> David.B> Sounds exactly like ED_UNLINK -- except maybe that it's not
> David.B> been put onto ed_rm_list (with ED_DEQUEUE set). Why add
> David.B> another state?
> ...
>
> The current OHCI relies on the internals of the dma_pool()
> implementation. If the implementation changed to, say, modify the
> memory that is free or, heaven forbid, return the memory to the
> kernel, you'd get _extremely_ difficult to track down race conditions.
The current implementation _does_ poison memory on free, if
slab poisoning is enabled. (That's why I asked if you were
using it.)
And that's been quite handy for reporting list corruption bugs,
from races or otherwise. But those list corruption bugs hit a
blind spot in that code: it doesn't check for modify-after-free.
Which is why those bugs were able to hide for so long!
It'd be good if you said _how_ you think it relies on such
internals. Some of your debug diagnostics wrongly claimed
allocation of "new" EDs when they were just being re-used.
That'd make intentional/safe re-use look like a bug or race.
> Even so, the code isn't race-free, like I explained yesterday:
>
> - ed_alloc() clears the ED to 0 via memset()
> - the order in which memset() clears memory is undefined (various
> from platform to platform etc)
There's a wmb() before any ED is handed off to the OHCI silicon;
that forces a defined order. Top of ed_schedule(). First use,
or Nth re-use; no matter.
> - thus you might get a case where hwTailP is 0 but hwHeadP
> is non-zero, which would cause the HC to happily start
> dereferencing the descriptor
If you assume a bug where the ED is freed but still in use,
that's hardly the only thing that'd go wrong!! You can't
use such a potential bug to prove something else is broken.
- Dave
next prev parent reply other threads:[~2004-03-10 16:22 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-10-27 22:35 serious 2.6 bug in USB subsystem? David Mosberger
2003-10-28 1:30 ` Greg KH
2003-10-28 3:00 ` David Mosberger
2003-10-30 15:11 ` [linux-usb-devel] " David Brownell
2003-10-30 20:15 ` David Mosberger
[not found] ` <16289.55171.278494.17172@napali.hpl.hp.com>
2003-10-31 16:23 ` David Brownell
2003-10-31 18:34 ` David Mosberger
2003-10-31 18:50 ` Valdis.Kletnieks
2003-10-31 19:28 ` David Brownell
2003-10-31 19:50 ` David Mosberger
2003-10-31 20:06 ` David S. Miller
2004-03-06 2:08 ` David Mosberger
2004-03-06 2:08 ` David Mosberger
2004-03-06 2:13 ` David Mosberger
2004-03-06 2:13 ` David Mosberger
2004-03-06 4:55 ` David Brownell
2004-03-06 4:55 ` David Brownell
2004-03-06 5:49 ` David Mosberger
2004-03-06 5:49 ` David Mosberger
2004-03-06 7:21 ` David Mosberger
2004-03-06 7:21 ` David Mosberger
2004-03-06 8:39 ` David Mosberger
2004-03-06 8:39 ` David Mosberger
2004-03-06 16:37 ` David Brownell
2004-03-06 16:37 ` David Brownell
2004-03-08 6:18 ` Grant Grundler
2004-03-08 6:18 ` Grant Grundler
2004-03-08 18:58 ` David Mosberger
2004-03-08 18:58 ` David Mosberger
2004-03-08 21:48 ` David Brownell
2004-03-08 21:48 ` David Brownell
2004-03-09 9:15 ` David Mosberger
2004-03-09 9:15 ` David Mosberger
2004-03-09 17:36 ` David Brownell
2004-03-09 17:36 ` David Brownell
2004-03-09 17:58 ` David Mosberger
2004-03-09 17:58 ` David Mosberger
2004-03-09 20:39 ` David Brownell
2004-03-09 20:39 ` David Brownell
2004-03-09 23:32 ` David Mosberger
2004-03-09 23:32 ` David Mosberger
2004-03-10 2:53 ` David Brownell
2004-03-10 2:53 ` David Brownell
2004-03-10 6:11 ` David Mosberger
2004-03-10 6:11 ` David Mosberger
2004-03-10 6:59 ` David Mosberger
2004-03-10 6:59 ` David Mosberger
2004-03-10 7:52 ` Wouter Lueks
2004-03-10 16:49 ` David Mosberger
2004-03-10 19:49 ` Wouter Lueks
2004-03-10 16:22 ` David Brownell [this message]
2004-03-10 16:22 ` David Brownell
2004-03-10 18:04 ` David Mosberger
2004-03-10 18:04 ` David Mosberger
2004-03-11 2:43 ` David Brownell
2004-03-11 2:43 ` David Brownell
2004-03-11 5:35 ` David Mosberger
2004-03-11 5:35 ` David Mosberger
2004-03-10 19:29 ` Colin Leroy
2004-03-06 9:17 ` [linux-usb-devel] " David Mosberger
2004-03-06 9:17 ` David Mosberger
2004-03-06 17:30 ` David Brownell
2004-03-06 17:30 ` David Brownell
2004-03-07 13:48 ` Matthias Andree
2004-03-08 18:49 ` David Mosberger
2004-03-08 18:49 ` David Mosberger
2003-11-03 3:46 ` David Brownell
2003-11-03 21:25 ` David Mosberger
2004-03-03 12:33 ` Wouter Lueks
2004-03-03 15:30 ` Wouter Lueks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=404F40C2.3080003@pacbell.net \
--to=david-b@pacbell.net \
--cc=davidm@hpl.hp.com \
--cc=greg@kroah.com \
--cc=iod00d@hp.com \
--cc=linux-ia64@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb-devel@lists.sourceforge.net \
--cc=pochini@shiny.it \
--cc=vojtech@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.