From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
To: Erhard Furtner <erhard_f@mailbox.org>
Cc: linux-kernel@vger.kernel.org, linux1394-devel@lists.sourceforge.net
Subject: Re: BUG: spinlock bad magic on CPU#1, irq/39-firewire/245 (v6.18-rc4, ppc64)
Date: Wed, 12 Nov 2025 00:00:30 +0900 [thread overview]
Message-ID: <20251111150030.GA210402@workstation.local> (raw)
In-Reply-To: <5145f071-c8bd-4b9d-94b1-2afe651cf25a@mailbox.org>
Hi,
Thanks for the report, and sorry for your inconvenience.
On Tue, Nov 11, 2025 at 01:41:21PM +0100, Erhard Furtner wrote:
> On 11/9/25 15:17, Erhard Furtner wrote:
> > [...]
> > firewire_ohci 0001:03:0e.0: added OHCI v1.0 device as card 0, 8 IR + 8
> > IT contexts, quirks 0x0
> > BUG: spinlock bad magic on CPU#1, irq/39-firewire/245
> > lock: 0xc00000001f672618, .magic: 00000000, .owner: irq/39-
> > firewire/245, .owner_cpu: 1
> > CPU: 1 UID: 0 PID: 245 Comm: irq/39-firewire Tainted: G N 6.18.0-rc4-
> > PMacG5 #1 PREEMPTLAZY
> > Tainted: [N]=TEST
> > Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac
> > Call Trace:
> > [c000000005dafb20] [c000000000bc054c] __dump_stack+0x30/0x54 (unreliable)
> > [c000000005dafb50] [c000000000bc04e4] dump_stack_lvl+0x98/0xd0
> > [c000000005dafb90] [c0000000000f22a8] spin_dump+0x88/0xb4
> > [c000000005dafc10] [c0000000000f1d4c] do_raw_spin_unlock+0xdc/0x164
> > [c000000005dafc50] [c000000000bf65d0] _raw_spin_unlock+0x18/0x68
> > [c000000005dafc70] [c0003d0013ce1d5c]
> > fw_core_handle_bus_reset+0xa98/0xb64 [firewire_core]
> > [c000000005dafdc0] [c0003d0013d19aec]
> > handle_selfid_complete_event+0x610/0x764 [firewire_ohci]
> > [c000000005dafe80] [c000000000106050] irq_thread_fn+0x40/0x9c
> > [c000000005dafec0] [c000000000105ecc] irq_thread+0x1c0/0x298
> > [c000000005daff60] [c0000000000b5e54] kthread+0x250/0x280
> > [c000000005daffe0] [c00000000000bd30] start_kernel_thread+0x14/0x18
> I bisected the issue. First bad commit is:
>
> # git bisect good
> 7d138cb269dbd2fa9b0da89a9c10503d1cf269d5 is the first bad commit
> commit 7d138cb269dbd2fa9b0da89a9c10503d1cf269d5
> Author: Takashi Sakamoto <o-takashi@sakamocchi.jp>
> Date: Tue Sep 16 08:47:44 2025 +0900
>
> firewire: core: use spin lock specific to topology map
>
> At present, the operation for read transaction to topology map register
> is
> not protected by any kind of lock primitives. This causes a potential
> problem to result in the mixed content of topology map.
>
> This commit adds and uses spin lock specific to topology map.
>
> Link:
> https://lore.kernel.org/r/20250915234747.915922-4-o-takashi@sakamocchi.jp
> Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
>
> drivers/firewire/core-topology.c | 22 ++++++++++++++--------
> drivers/firewire/core-transaction.c | 6 +++++-
> include/linux/firewire.h | 6 +++++-
> 3 files changed, 24 insertions(+), 10 deletions(-)
>
>
> Bisect.log attached.
At present, I suspect the buffer overflow over 'struct
fw_card.topology_map.buffer[256]' and the cause would be unexpected value
of 'self_id_count' variable provided to 'fw_core_handle_bus_reset()'. It
means that in your machine the 1394 OHCI PCI driver computes the
unexpected value.
Would I ask you to retrieve verbose data by the following steps?
Step 1. Applying the following patch to avoid the suspicious buffer
overflow by limiting the pointer cursor within the buffer.
```
diff --git a/drivers/firewire/core-topology.c b/drivers/firewire/core-topology.c
index 2f73bcd5696f..5e66428ec4b0 100644
--- a/drivers/firewire/core-topology.c
+++ b/drivers/firewire/core-topology.c
@@ -442,6 +442,7 @@ static void update_topology_map(__be32 *buffer, size_t buffer_size, int root_nod
{
__be32 *map = buffer;
int node_count = (root_node_id & 0x3f) + 1;
+ size_t count;
memset(map, 0, buffer_size);
@@ -449,7 +450,10 @@ static void update_topology_map(__be32 *buffer, size_t buffer_size, int root_nod
*map++ = cpu_to_be32(be32_to_cpu(buffer[1]) + 1);
*map++ = cpu_to_be32((node_count << 16) | self_id_count);
- while (self_id_count--)
+ count = buffer_size / sizeof(*buffer) - 3;
+ if (self_id_count > 0 && count > self_id_count)
+ count = self_id_count;
+ while (count--)
*map++ = cpu_to_be32p(self_ids++);
fw_compute_block_crc(buffer);
```
Step 2. The value of self_id_count can be retrieved as the part of
'firewire:bus_reset_handle' tracepoint event. Please work with Linux
tracepoints framework[1] and store the event log. I think unbind/bind
operation to firewire-ohci driver is useful[2].
[1] https://docs.kernel.org/trace/events.html
[2] https://lwn.net/Articles/143397/
Thanks
Takashi Sakamoto
next prev parent reply other threads:[~2025-11-11 15:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-09 14:17 BUG: spinlock bad magic on CPU#1, irq/39-firewire/245 (v6.18-rc4, ppc64) Erhard Furtner
2025-11-11 12:41 ` Erhard Furtner
2025-11-11 15:00 ` Takashi Sakamoto [this message]
2025-11-14 23:54 ` Erhard Furtner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251111150030.GA210402@workstation.local \
--to=o-takashi@sakamocchi.jp \
--cc=erhard_f@mailbox.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox