linuxppc-dev.lists.ozlabs.org archive mirror
From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
To: Nathan Lynch <ntl@pobox.com>
Cc: linuxppc-dev@ozlabs.org, Paul Mackerras <paulus@samba.org>,
	matthltc@us.ibm.com
Subject: Re: [PATCH] linux,tce-size property is 32 bits
Date: Thu, 05 Oct 2006 19:18:18 +1000
Message-ID: <1160039899.22232.54.camel@localhost.localdomain>
In-Reply-To: <20061005032800.GH24705@localdomain>

On Wed, 2006-10-04 at 22:28 -0500, Nathan Lynch wrote:
> The "linux,tce-size" property is only 32 bits (see
> prom_initialize_tce_table() in arch/powerpc/kernel/prom_init.c).
> Treating it as an unsigned long in iommu_table_setparms() leads to
> access beyond the end of the property's buffer, so we pass garbage to
> the memset() in that function.

Probably needs to go into stable as well. Do you know if RHEL5 is
affected too?

Cheers
Ben.

> [boot]0020 XICS Init
> i8259 legacy interrupt controller initialized
> [boot]0021 XICS Done
> PID hash table entries: 4096 (order: 12, 32768 bytes)
> cpu 0x0: Vector: 300 (Data Access) at [c0000000fe783850]
>     pc: c000000000035e90: .memset+0x60/0xfc
>     lr: c000000000044fa4: .iommu_table_setparms+0xb0/0x158
>     sp: c0000000fe783ad0
>    msr: 9000000000009032
>    dar: c000000100000000
>  dsisr: 42010000
>   current = 0xc00000000450e810
>   paca    = 0xc000000000411580
>     pid   = 1, comm = swapper
> enter ? for help
> [link register   ] c000000000044fa4 .iommu_table_setparms+0xb0/0x158
> [c0000000fe783ad0] c000000000044f4c .iommu_table_setparms+0x58/0x158
> (unreliable)
> [c0000000fe783b70] c00000000004529c
> .iommu_bus_setup_pSeries+0x1c4/0x254
> [c0000000fe783c00] c00000000002b8ac .do_bus_setup+0x3c/0xe4
> [c0000000fe783c80] c00000000002c924 .pcibios_fixup_bus+0x64/0xd8
> [c0000000fe783d00] c0000000001a2d5c .pci_scan_child_bus+0x6c/0x10c
> [c0000000fe783da0] c00000000002be28 .scan_phb+0x17c/0x1b4
> [c0000000fe783e40] c0000000003cfa00 .pcibios_init+0x58/0x19c
> [c0000000fe783ec0] c0000000000094b4 .init+0x1e8/0x3d8
> [c0000000fe783f90] c000000000026e54 .kernel_thread+0x4c/0x68
> 
> Signed-off-by: Nathan Lynch <ntl@pobox.com>
> 
> ---
> 
> I believe this is a regression since 2.6.18, so please push for
> inclusion in 2.6.19.
> 
> 
> --- linux-2.6.git.orig/arch/powerpc/platforms/pseries/iommu.c
> +++ linux-2.6.git/arch/powerpc/platforms/pseries/iommu.c
> @@ -267,7 +267,8 @@ static void iommu_table_setparms(struct 
>  				 struct iommu_table *tbl)
>  {
>  	struct device_node *node;
> -	const unsigned long *basep, *sizep;
> +	const unsigned long *basep;
> +	const u32 *sizep;
>  
>  	node = (struct device_node *)phb->arch_data;
>  
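Review bot: The new `const u32 *sizep` declaration in iommu_table_setparms() has no comment explaining why its width differs from `basep`, which stays `const unsigned long *`. A one-line comment that "linux,tce-size" is a single 32-bit cell, written by prom_initialize_tce_table(), would stop a later cleanup from unifying the two types again. The property lookup and the dereference fall outside the visible context, so please also confirm that the returned length is compared against sizeof(u32) (and the base property against sizeof(unsigned long)) before either pointer is read, so a malformed or missing property fails cleanly rather than feeding memset() an arbitrary size.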

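The failure described in the quoted commit message, modelled as an added example that is not part of this thread or of the kernel source: a 4-byte big-endian property is decoded once as 8 bytes and once as 4, and a length-checked reader refuses the mismatched width. `struct prop`, `prop_read()`, `be_decode()` and the byte values in `mem_image` are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bytes: a 4-byte big-endian property value (0x00400000)
 * followed by 4 unrelated bytes that happen to sit after it in memory. */
const uint8_t mem_image[8] = { 0x00, 0x40, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef };

/* Hypothetical stand-in for a device-tree property: value bytes + length. */
struct prop {
    const uint8_t *data;
    size_t len;
};

/* Decode big-endian bytes; the caller guarantees n bytes are readable. */
uint64_t be_decode(const uint8_t *b, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | b[i];
    return v;
}

/* Read a property as a cell of `width` bytes, refusing any length mismatch. */
int prop_read(const struct prop *p, size_t width, uint64_t *out)
{
    if (!p || !p->data || !out || width == 0 || width > 8 || p->len != width)
        return -1;
    *out = be_decode(p->data, width);
    return 0;
}

int main(void)
{
    struct prop size_prop = { mem_image, 4 };   /* property is only 4 bytes */
    uint64_t v = 0;

    /* The value an 8-byte load at the property address picks up: the real
     * size in the high half, neighbouring bytes in the low half. */
    printf("8-byte view: 0x%016llx\n",
           (unsigned long long)be_decode(mem_image, 8));

    if (prop_read(&size_prop, 8, &v) != 0)
        printf("8-byte read rejected: property is %zu bytes\n", size_prop.len);
    if (prop_read(&size_prop, 4, &v) == 0)
        printf("4-byte read: 0x%llx\n", (unsigned long long)v);
    return 0;
}
```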