* [PATCH] linux,tce-size property is 32 bits
@ 2006-10-05 3:28 Nathan Lynch
From: Nathan Lynch @ 2006-10-05 3:28 UTC
To: linuxppc-dev; +Cc: Paul Mackerras, matthltc
The "linux,tce-size" property is only 32 bits (see
prom_initialize_tce_table() in arch/powerpc/kernel/prom_init.c).
Treating it as an unsigned long in iommu_table_setparms() leads to
access beyond the end of the property's buffer, so we pass garbage to
the memset() in that function.
[boot]0020 XICS Init
i8259 legacy interrupt controller initialized
[boot]0021 XICS Done
PID hash table entries: 4096 (order: 12, 32768 bytes)
cpu 0x0: Vector: 300 (Data Access) at [c0000000fe783850]
pc: c000000000035e90: .memset+0x60/0xfc
lr: c000000000044fa4: .iommu_table_setparms+0xb0/0x158
sp: c0000000fe783ad0
msr: 9000000000009032
dar: c000000100000000
dsisr: 42010000
current = 0xc00000000450e810
paca = 0xc000000000411580
pid = 1, comm = swapper
enter ? for help
[link register ] c000000000044fa4 .iommu_table_setparms+0xb0/0x158
[c0000000fe783ad0] c000000000044f4c .iommu_table_setparms+0x58/0x158
(unreliable)
[c0000000fe783b70] c00000000004529c .iommu_bus_setup_pSeries+0x1c4/0x254
[c0000000fe783c00] c00000000002b8ac .do_bus_setup+0x3c/0xe4
[c0000000fe783c80] c00000000002c924 .pcibios_fixup_bus+0x64/0xd8
[c0000000fe783d00] c0000000001a2d5c .pci_scan_child_bus+0x6c/0x10c
[c0000000fe783da0] c00000000002be28 .scan_phb+0x17c/0x1b4
[c0000000fe783e40] c0000000003cfa00 .pcibios_init+0x58/0x19c
[c0000000fe783ec0] c0000000000094b4 .init+0x1e8/0x3d8
[c0000000fe783f90] c000000000026e54 .kernel_thread+0x4c/0x68
Signed-off-by: Nathan Lynch <ntl@pobox.com>
---
I believe this is a regression since 2.6.18, so please push for
inclusion in 2.6.19.
--- linux-2.6.git.orig/arch/powerpc/platforms/pseries/iommu.c
+++ linux-2.6.git/arch/powerpc/platforms/pseries/iommu.c
@@ -267,7 +267,8 @@ static void iommu_table_setparms(struct
struct iommu_table *tbl)
{
struct device_node *node;
- const unsigned long *basep, *sizep;
+ const unsigned long *basep;
+ const u32 *sizep;
node = (struct device_node *)phb->arch_data;
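Review bot: the hunk only retypes `sizep` to `const u32 *`; it shows no check of the property's length, so a device tree whose linux,tce-size is shorter than 4 bytes would still be read past its end. Fetching the property through a lookup that also returns its length and bailing out when that is less than sizeof(u32) would make the fix hold for a malformed tree as well as for the 64-bit read, and a one-line comment at the declaration noting that prom_initialize_tce_table() writes this property as 32 bits would keep the next reader from widening it again. The uses of `*sizep` further down in iommu_table_setparms() are not in the hunk shown here, so each should be confirmed to accept a u32.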
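As an added illustration of the length problem the patch fixes (this is not kernel code, and the property bytes are constructed), a width-checked device-tree property reader in C: the 4-byte linux,tce-size read as a u32 succeeds, the same property read at unsigned-long width is rejected instead of running past its buffer, and an 8-byte linux,tce-base reads at full width.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of a device-tree property as the kernel hands it out:
 * a name, the raw bytes and the byte length. Cells are big-endian. */
struct dt_prop {
    const char *name;
    const uint8_t *data;
    size_t len;
};

/* Read one 32-bit cell at byte offset off; refuse if the property is too short. */
static int dt_read_u32(const struct dt_prop *p, size_t off, uint32_t *out)
{
    if (p == NULL || p->data == NULL || p->len < off + sizeof(uint32_t))
        return -1;
    *out = ((uint32_t)p->data[off] << 24) | ((uint32_t)p->data[off + 1] << 16) |
           ((uint32_t)p->data[off + 2] << 8) | (uint32_t)p->data[off + 3];
    return 0;
}

/* Read two cells as a 64-bit value: the width the unsigned long dereference
 * assumed. The length check inside dt_read_u32() is what it was missing. */
static int dt_read_u64(const struct dt_prop *p, uint64_t *out)
{
    uint32_t hi, lo;
    if (dt_read_u32(p, 0, &hi) != 0 || dt_read_u32(p, 4, &lo) != 0)
        return -1;
    *out = ((uint64_t)hi << 32) | lo;
    return 0;
}

/* Constructed sample properties, not real firmware output: a 4-byte
 * linux,tce-size (0x00200000) and an 8-byte linux,tce-base (0x20000000). */
static const uint8_t size_bytes[4] = { 0x00, 0x20, 0x00, 0x00 };
static const uint8_t base_bytes[8] = { 0, 0, 0, 0, 0x20, 0, 0, 0 };
static const struct dt_prop tce_size = { "linux,tce-size", size_bytes, 4 };
static const struct dt_prop tce_base = { "linux,tce-base", base_bytes, 8 };

/* Demo accessors: the decoded value on success, -1 when the read was rejected. */
static long long size_as_u32(void) { uint32_t v; return dt_read_u32(&tce_size, 0, &v) ? -1 : (long long)v; }
static long long size_as_u64(void) { uint64_t v; return dt_read_u64(&tce_size, &v) ? -1 : (long long)v; }
static long long base_as_u64(void) { uint64_t v; return dt_read_u64(&tce_base, &v) ? -1 : (long long)v; }

int main(void)
{
    printf("tce-size as u32: %lld\n", size_as_u32());            /* 2097152 */
    printf("tce-size as u64: %lld (rejected)\n", size_as_u64()); /* -1 */
    printf("tce-base as u64: %lld\n", base_as_u64());            /* 536870912 */
    return 0;
}
```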
* Re: [PATCH] linux,tce-size property is 32 bits
From: Benjamin Herrenschmidt @ 2006-10-05 9:18 UTC
To: Nathan Lynch; +Cc: linuxppc-dev, Paul Mackerras, matthltc
On Wed, 2006-10-04 at 22:28 -0500, Nathan Lynch wrote:
> The "linux,tce-size" property is only 32 bits (see
> prom_initialize_tce_table() in arch/powerpc/kernel/prom_init.c).
> Treating it as an unsigned long in iommu_table_setparms() leads to
> access beyond the end of the property's buffer, so we pass garbage to
> the memset() in that function.
Probably needs to go into stable as well. Do you know if RHEL5 is
affected too?
Cheers
Ben.
* Re: [PATCH] linux,tce-size property is 32 bits
From: Nathan Lynch @ 2006-10-05 14:32 UTC
To: Benjamin Herrenschmidt; +Cc: linuxppc-dev, Paul Mackerras, matthltc
Benjamin Herrenschmidt wrote:
> On Wed, 2006-10-04 at 22:28 -0500, Nathan Lynch wrote:
> > The "linux,tce-size" property is only 32 bits (see
> > prom_initialize_tce_table() in arch/powerpc/kernel/prom_init.c).
> > Treating it as an unsigned long in iommu_table_setparms() leads to
> > access beyond the end of the property's buffer, so we pass garbage to
> > the memset() in that function.
>
> Probably needs to go into stable as well. Do you know if RHEL5 is
> affected too ?
AFAICT this was introduced by the "Constify & voidify get_property()"
series which went in post-2.6.18 so no backport for -stable is
needed. Not sure about RHEL5.
* Re: [PATCH] linux,tce-size property is 32 bits
From: Olof Johansson @ 2006-10-05 15:36 UTC
To: Nathan Lynch; +Cc: linuxppc-dev, Paul Mackerras, matthltc
On Wed, 4 Oct 2006 22:28:00 -0500 Nathan Lynch <ntl@pobox.com> wrote:
> The "linux,tce-size" property is only 32 bits (see
> prom_initialize_tce_table() in arch/powerpc/kernel/prom_init.c).
> Treating it as an unsigned long in iommu_table_setparms() leads to
> access beyond the end of the property's buffer, so we pass garbage to
> the memset() in that function.
It does not reproduce on the OpenPower box I have, but it's clearly a
bug. Good catch.
Acked-by: Olof Johansson <olof@lixom.net>
* Re: [PATCH] linux,tce-size property is 32 bits
From: Jeremy Kerr @ 2006-10-06 2:16 UTC
To: linuxppc-dev; +Cc: Nathan Lynch, matthltc, Paul Mackerras
> AFAICT this was introduced by the "Constify & voidify get_property()"
> series which went in post-2.6.18 so no backport for -stable is
> needed. Not sure about RHEL5.
That patch (954a46e2d5aec6f59976ddeb1d232b486e59b54a) did touch the
declaration of sizep, but only changed it from an unsigned long * to a
const unsigned long *.
Looking at the git log, it's been an unsigned long from the beginning
(ie, being moved from arch/ppc64). You may need to check the stable and
RHEL trees explicitly.
Regards,
Jeremy
* Re: [PATCH] linux,tce-size property is 32 bits
From: Olof Johansson @ 2006-10-06 2:22 UTC
To: Jeremy Kerr; +Cc: linuxppc-dev, Nathan Lynch, matthltc, Paul Mackerras
On Fri, 6 Oct 2006 12:16:30 +1000 Jeremy Kerr <jk@ozlabs.org> wrote:
>
> > AFAICT this was introduced by the "Constify & voidify get_property()"
> > series which went in post-2.6.18 so no backport for -stable is
> > needed. Not sure about RHEL5.
>
> That patch (954a46e2d5aec6f59976ddeb1d232b486e59b54a) did touch the
> declaration of sizep, but only changed it from an unsigned long * to an
> const unsigned long *.
No it didn't:
file:d67af2c657544ef5b0a6386a9c45a31de2fb4681 -> file:bbf2e34dc3582442a9e65c2a404c4e7ddd31619e
--- a/arch/powerpc/platforms/pseries/iommu.c
+++ b/arch/powerpc/platforms/pseries/iommu.c
@@ -267,13 +267,12 @@ static void iommu_table_setparms(struct
struct iommu_table *tbl)
{
struct device_node *node;
- unsigned long *basep;
- unsigned int *sizep;
+ const unsigned long *basep, *sizep;
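Review bot: the `-` lines show `sizep` going from `unsigned int *` to `const unsigned long *` in this commit, so the change widened the dereference from 32 to 64 bits rather than only adding const; that is the regression the patch under review reverses, and it supports Nathan's reading that no -stable backport is needed, since he places this series after 2.6.18.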
-Olof
* Re: [PATCH] linux,tce-size property is 32 bits
From: Jeremy Kerr @ 2006-10-06 2:27 UTC
To: Olof Johansson; +Cc: linuxppc-dev, Nathan Lynch, matthltc, Paul Mackerras
> No it didn't:
Wow, looks like I can't read :)
Acked-by: Jeremy Kerr <jk@ozlabs.org>
Jeremy