* [PATCH] linux,tce-size property is 32 bits
@ 2006-10-05 3:28 Nathan Lynch
2006-10-05 9:18 ` Benjamin Herrenschmidt
2006-10-05 15:36 ` Olof Johansson
0 siblings, 2 replies; 7+ messages in thread
From: Nathan Lynch @ 2006-10-05 3:28 UTC (permalink / raw)
To: linuxppc-dev; +Cc: Paul Mackerras, matthltc
The "linux,tce-size" property is only 32 bits (see
prom_initialize_tce_table() in arch/powerpc/kernel/prom_init.c).
Treating it as an unsigned long in iommu_table_setparms() leads to
access beyond the end of the property's buffer, so we pass garbage to
the memset() in that function.
[boot]0020 XICS Init
i8259 legacy interrupt controller initialized
[boot]0021 XICS Done
PID hash table entries: 4096 (order: 12, 32768 bytes)
cpu 0x0: Vector: 300 (Data Access) at [c0000000fe783850]
pc: c000000000035e90: .memset+0x60/0xfc
lr: c000000000044fa4: .iommu_table_setparms+0xb0/0x158
sp: c0000000fe783ad0
msr: 9000000000009032
dar: c000000100000000
dsisr: 42010000
current = 0xc00000000450e810
paca = 0xc000000000411580
pid = 1, comm = swapper
enter ? for help
[link register ] c000000000044fa4 .iommu_table_setparms+0xb0/0x158
[c0000000fe783ad0] c000000000044f4c .iommu_table_setparms+0x58/0x158
(unreliable)
[c0000000fe783b70] c00000000004529c
.iommu_bus_setup_pSeries+0x1c4/0x254
[c0000000fe783c00] c00000000002b8ac .do_bus_setup+0x3c/0xe4
[c0000000fe783c80] c00000000002c924 .pcibios_fixup_bus+0x64/0xd8
[c0000000fe783d00] c0000000001a2d5c .pci_scan_child_bus+0x6c/0x10c
[c0000000fe783da0] c00000000002be28 .scan_phb+0x17c/0x1b4
[c0000000fe783e40] c0000000003cfa00 .pcibios_init+0x58/0x19c
[c0000000fe783ec0] c0000000000094b4 .init+0x1e8/0x3d8
[c0000000fe783f90] c000000000026e54 .kernel_thread+0x4c/0x68
Signed-off-by: Nathan Lynch <ntl@pobox.com>
---
I believe this is a regression since 2.6.18, so please push for
inclusion in 2.6.19.
--- linux-2.6.git.orig/arch/powerpc/platforms/pseries/iommu.c
+++ linux-2.6.git/arch/powerpc/platforms/pseries/iommu.c
@@ -267,7 +267,8 @@ static void iommu_table_setparms(struct
struct iommu_table *tbl)
{
struct device_node *node;
- const unsigned long *basep, *sizep;
+ const unsigned long *basep;
+ const u32 *sizep;
node = (struct device_node *)phb->arch_data;
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] linux,tce-size property is 32 bits
2006-10-05 3:28 [PATCH] linux,tce-size property is 32 bits Nathan Lynch
@ 2006-10-05 9:18 ` Benjamin Herrenschmidt
2006-10-05 14:32 ` Nathan Lynch
2006-10-05 15:36 ` Olof Johansson
1 sibling, 1 reply; 7+ messages in thread
From: Benjamin Herrenschmidt @ 2006-10-05 9:18 UTC (permalink / raw)
To: Nathan Lynch; +Cc: linuxppc-dev, Paul Mackerras, matthltc
On Wed, 2006-10-04 at 22:28 -0500, Nathan Lynch wrote:
> The "linux,tce-size" property is only 32 bits (see
> prom_initialize_tce_table() in arch/powerpc/kernel/prom_init.c).
> Treating it as an unsigned long in iommu_table_setparms() leads to
> access beyond the end of the property's buffer, so we pass garbage to
> the memset() in that function.
Probably needs to go into stable as well. Do you know if RHEL5 is
affected too ?
Cheers
Ben.
> [boot]0020 XICS Init
> i8259 legacy interrupt controller initialized
> [boot]0021 XICS Done
> PID hash table entries: 4096 (order: 12, 32768 bytes)
> cpu 0x0: Vector: 300 (Data Access) at [c0000000fe783850]
> pc: c000000000035e90: .memset+0x60/0xfc
> lr: c000000000044fa4: .iommu_table_setparms+0xb0/0x158
> sp: c0000000fe783ad0
> msr: 9000000000009032
> dar: c000000100000000
> dsisr: 42010000
> current = 0xc00000000450e810
> paca = 0xc000000000411580
> pid = 1, comm = swapper
> enter ? for help
> [link register ] c000000000044fa4 .iommu_table_setparms+0xb0/0x158
> [c0000000fe783ad0] c000000000044f4c .iommu_table_setparms+0x58/0x158
> (unreliable)
> [c0000000fe783b70] c00000000004529c
> .iommu_bus_setup_pSeries+0x1c4/0x254
> [c0000000fe783c00] c00000000002b8ac .do_bus_setup+0x3c/0xe4
> [c0000000fe783c80] c00000000002c924 .pcibios_fixup_bus+0x64/0xd8
> [c0000000fe783d00] c0000000001a2d5c .pci_scan_child_bus+0x6c/0x10c
> [c0000000fe783da0] c00000000002be28 .scan_phb+0x17c/0x1b4
> [c0000000fe783e40] c0000000003cfa00 .pcibios_init+0x58/0x19c
> [c0000000fe783ec0] c0000000000094b4 .init+0x1e8/0x3d8
> [c0000000fe783f90] c000000000026e54 .kernel_thread+0x4c/0x68
>
> Signed-off-by: Nathan Lynch <ntl@pobox.com>
>
> ---
>
> I believe this is a regression since 2.6.18, so please push for
> inclusion in 2.6.19.
>
>
> --- linux-2.6.git.orig/arch/powerpc/platforms/pseries/iommu.c
> +++ linux-2.6.git/arch/powerpc/platforms/pseries/iommu.c
> @@ -267,7 +267,8 @@ static void iommu_table_setparms(struct
> struct iommu_table *tbl)
> {
> struct device_node *node;
> - const unsigned long *basep, *sizep;
> + const unsigned long *basep;
> + const u32 *sizep;
>
> node = (struct device_node *)phb->arch_data;
>
> _______________________________________________
> Linuxppc-dev mailing list
> Linuxppc-dev@ozlabs.org
> https://ozlabs.org/mailman/listinfo/linuxppc-dev
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] linux,tce-size property is 32 bits
2006-10-05 9:18 ` Benjamin Herrenschmidt
@ 2006-10-05 14:32 ` Nathan Lynch
2006-10-06 2:16 ` Jeremy Kerr
0 siblings, 1 reply; 7+ messages in thread
From: Nathan Lynch @ 2006-10-05 14:32 UTC (permalink / raw)
To: Benjamin Herrenschmidt; +Cc: linuxppc-dev, Paul Mackerras, matthltc
Benjamin Herrenschmidt wrote:
> On Wed, 2006-10-04 at 22:28 -0500, Nathan Lynch wrote:
> > The "linux,tce-size" property is only 32 bits (see
> > prom_initialize_tce_table() in arch/powerpc/kernel/prom_init.c).
> > Treating it as an unsigned long in iommu_table_setparms() leads to
> > access beyond the end of the property's buffer, so we pass garbage to
> > the memset() in that function.
>
> Probably needs to go into stable as well. Do you know if RHEL5 is
> affected too ?
AFAICT this was introduced by the "Constify & voidify get_property()"
series which went in post-2.6.18 so no backport for -stable is
needed. Not sure about RHEL5.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] linux,tce-size property is 32 bits
2006-10-05 14:32 ` Nathan Lynch
@ 2006-10-06 2:16 ` Jeremy Kerr
2006-10-06 2:22 ` Olof Johansson
0 siblings, 1 reply; 7+ messages in thread
From: Jeremy Kerr @ 2006-10-06 2:16 UTC (permalink / raw)
To: linuxppc-dev; +Cc: Nathan Lynch, matthltc, Paul Mackerras
> AFAICT this was introduced by the "Constify & voidify get_property()"
> series which went in post-2.6.18 so no backport for -stable is
> needed. Not sure about RHEL5.
That patch (954a46e2d5aec6f59976ddeb1d232b486e59b54a) did touch the
declaration of sizep, but only changed it from an unsigned long * to an
const unsigned long *.
Looking at the git log, it's been an unsigned long from the beginning
(ie, being moved from arch/ppc64). You may need to check the stable and
RHEL trees explicitly.
Regards,
Jeremy
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] linux,tce-size property is 32 bits
2006-10-06 2:16 ` Jeremy Kerr
@ 2006-10-06 2:22 ` Olof Johansson
2006-10-06 2:27 ` Jeremy Kerr
0 siblings, 1 reply; 7+ messages in thread
From: Olof Johansson @ 2006-10-06 2:22 UTC (permalink / raw)
To: Jeremy Kerr; +Cc: linuxppc-dev, Nathan Lynch, matthltc, Paul Mackerras
On Fri, 6 Oct 2006 12:16:30 +1000 Jeremy Kerr <jk@ozlabs.org> wrote:
>
> > AFAICT this was introduced by the "Constify & voidify get_property()"
> > series which went in post-2.6.18 so no backport for -stable is
> > needed. Not sure about RHEL5.
>
> That patch (954a46e2d5aec6f59976ddeb1d232b486e59b54a) did touch the
> declaration of sizep, but only changed it from an unsigned long * to an
> const unsigned long *.
No it didn't:
file:d67af2c657544ef5b0a6386a9c45a31de2fb4681 -> file:bbf2e34dc3582442a9e65c2a404c4e7ddd31619e
--- a/arch/powerpc/platforms/pseries/iommu.c
+++ b/arch/powerpc/platforms/pseries/iommu.c
@@ -267,13 +267,12 @@ static void iommu_table_setparms(struct
struct iommu_table *tbl)
{
struct device_node *node;
- unsigned long *basep;
- unsigned int *sizep;
+ const unsigned long *basep, *sizep;
-Olof
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] linux,tce-size property is 32 bits
2006-10-05 3:28 [PATCH] linux,tce-size property is 32 bits Nathan Lynch
2006-10-05 9:18 ` Benjamin Herrenschmidt
@ 2006-10-05 15:36 ` Olof Johansson
1 sibling, 0 replies; 7+ messages in thread
From: Olof Johansson @ 2006-10-05 15:36 UTC (permalink / raw)
To: Nathan Lynch; +Cc: linuxppc-dev, Paul Mackerras, matthltc
On Wed, 4 Oct 2006 22:28:00 -0500 Nathan Lynch <ntl@pobox.com> wrote:
> The "linux,tce-size" property is only 32 bits (see
> prom_initialize_tce_table() in arch/powerpc/kernel/prom_init.c).
> Treating it as an unsigned long in iommu_table_setparms() leads to
> access beyond the end of the property's buffer, so we pass garbage to
> the memset() in that function.
>
> [boot]0020 XICS Init
> i8259 legacy interrupt controller initialized
> [boot]0021 XICS Done
> PID hash table entries: 4096 (order: 12, 32768 bytes)
> cpu 0x0: Vector: 300 (Data Access) at [c0000000fe783850]
> pc: c000000000035e90: .memset+0x60/0xfc
> lr: c000000000044fa4: .iommu_table_setparms+0xb0/0x158
> sp: c0000000fe783ad0
> msr: 9000000000009032
> dar: c000000100000000
> dsisr: 42010000
> current = 0xc00000000450e810
> paca = 0xc000000000411580
> pid = 1, comm = swapper
> enter ? for help
> [link register ] c000000000044fa4 .iommu_table_setparms+0xb0/0x158
> [c0000000fe783ad0] c000000000044f4c .iommu_table_setparms+0x58/0x158
> (unreliable)
> [c0000000fe783b70] c00000000004529c
> .iommu_bus_setup_pSeries+0x1c4/0x254
> [c0000000fe783c00] c00000000002b8ac .do_bus_setup+0x3c/0xe4
> [c0000000fe783c80] c00000000002c924 .pcibios_fixup_bus+0x64/0xd8
> [c0000000fe783d00] c0000000001a2d5c .pci_scan_child_bus+0x6c/0x10c
> [c0000000fe783da0] c00000000002be28 .scan_phb+0x17c/0x1b4
> [c0000000fe783e40] c0000000003cfa00 .pcibios_init+0x58/0x19c
> [c0000000fe783ec0] c0000000000094b4 .init+0x1e8/0x3d8
> [c0000000fe783f90] c000000000026e54 .kernel_thread+0x4c/0x68
>
> Signed-off-by: Nathan Lynch <ntl@pobox.com>
It does not reproduce on the OpenPower box I have, but it's clearly a
bug. Good catch.
Acked-by: Olof Johansson <olof@lixom.net>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2006-10-06 2:27 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-10-05 3:28 [PATCH] linux,tce-size property is 32 bits Nathan Lynch
2006-10-05 9:18 ` Benjamin Herrenschmidt
2006-10-05 14:32 ` Nathan Lynch
2006-10-06 2:16 ` Jeremy Kerr
2006-10-06 2:22 ` Olof Johansson
2006-10-06 2:27 ` Jeremy Kerr
2006-10-05 15:36 ` Olof Johansson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).