From: David Brownell <david-b@pacbell.net>
To: davidm@hpl.hp.com
Cc: Grant Grundler <iod00d@hp.com>, Greg KH <greg@kroah.com>,
vojtech@suse.cz, linux-usb-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, linux-ia64@vger.kernel.org,
pochini@shiny.it
Subject: Re: [linux-usb-devel] Re: serious 2.6 bug in USB subsystem?
Date: Wed, 10 Mar 2004 08:22:26 -0800 [thread overview]
Message-ID: <404F40C2.3080003@pacbell.net> (raw)
In-Reply-To: <16462.48341.393442.583311@napali.hpl.hp.com>
I'll send out a revised patch later, thanks! It's also good
this code got a more careful read. It seems like some things
are not as obvious as I might like...
That patch will merge those list corruption fixes I sent, the
"else" you verified was needed (ugh!!!), and some of what you
include here. It won't add new BUG_ON calls (WARN at worst)
or a duplicate ED state (see next).
> >> ... add a new state
> >> ED_DESCHEDULED, which is treated exactly like ED_IDLE, except
> >> that in this state, the HC may still be referring to the ED in
> >> question. Thus, if
>
> David.B> Sounds exactly like ED_UNLINK -- except maybe that it's not
> David.B> been put onto ed_rm_list (with ED_DEQUEUE set). Why add
> David.B> another state?
> ...
>
> The current OHCI relies on the internals of the dma_pool()
> implementation. If the implementation changed to, say, modify the
> memory that is free or, heaven forbid, return the memory to the
> kernel, you'd get _extremely_ difficult to track down race conditions.
The current implementation _does_ poison memory on free, if
slab poisoning is enabled. (That's why I asked if you were
using it.)
And that's been quite handy for reporting list corruption bugs,
from races or otherwise. But those list corruption bugs hit a
blind spot in that code: it doesn't check for modify-after-free.
Which is why those bugs were able to hide for so long!
It'd be good if you said _how_ you think it relies on such
internals. Some of your debug diagnostics wrongly claimed
allocation of "new" EDs when they were just being re-used.
That'd make intentional/safe re-use look like a bug or race.
> Even so, the code isn't race-free, like I explained yesterday:
>
> - ed_alloc() clears the ED to 0 via memset()
> - the order in which memset() clears memory is undefined (various
> from platform to platform etc)
There's a wmb() before any ED is handed off to the OHCI silicon;
that forces a defined order. Top of ed_schedule(). First use,
or Nth re-use; no matter.
> - thus you might get a case where hwTailP is 0 but hwHeadP
> is non-zero, which would cause the HC to happily start
> dereferencing the descriptor
If you assume a bug where the ED is freed but still in use,
that's hardly the only thing that'd go wrong!! You can't
use such a potential bug to prove something else is broken.
- Dave
next prev parent reply other threads:[~2004-03-10 16:25 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-10-27 22:35 serious 2.6 bug in USB subsystem? David Mosberger
2003-10-28 1:30 ` Greg KH
2003-10-28 3:00 ` David Mosberger
2003-10-30 15:11 ` [linux-usb-devel] " David Brownell
2003-10-30 20:15 ` David Mosberger
[not found] ` <16289.55171.278494.17172@napali.hpl.hp.com>
2003-10-31 16:23 ` David Brownell
2003-10-31 18:34 ` David Mosberger
2003-10-31 18:50 ` Valdis.Kletnieks
2003-10-31 19:28 ` David Brownell
2003-10-31 19:50 ` David Mosberger
2003-10-31 20:06 ` David S. Miller
2004-03-06 2:08 ` David Mosberger
2004-03-06 2:13 ` David Mosberger
2004-03-06 4:55 ` David Brownell
2004-03-06 5:49 ` David Mosberger
2004-03-06 7:21 ` David Mosberger
2004-03-06 8:39 ` David Mosberger
2004-03-06 16:37 ` David Brownell
2004-03-08 6:18 ` Grant Grundler
2004-03-08 18:58 ` David Mosberger
2004-03-08 21:48 ` David Brownell
2004-03-09 9:15 ` David Mosberger
2004-03-09 17:36 ` David Brownell
2004-03-09 17:58 ` David Mosberger
2004-03-09 20:39 ` David Brownell
2004-03-09 23:32 ` David Mosberger
2004-03-10 2:53 ` David Brownell
2004-03-10 6:11 ` David Mosberger
2004-03-10 6:59 ` David Mosberger
2004-03-10 7:52 ` Wouter Lueks
2004-03-10 16:49 ` David Mosberger
2004-03-10 19:49 ` Wouter Lueks
2004-03-10 16:22 ` David Brownell [this message]
2004-03-10 18:04 ` David Mosberger
2004-03-11 2:43 ` David Brownell
2004-03-11 5:35 ` David Mosberger
2004-03-10 19:29 ` Colin Leroy
2004-03-06 9:17 ` [linux-usb-devel] " David Mosberger
2004-03-06 17:30 ` David Brownell
2004-03-07 13:48 ` Matthias Andree
2004-03-08 18:49 ` David Mosberger
2003-11-03 3:46 ` David Brownell
2003-11-03 21:25 ` David Mosberger
2004-03-03 12:33 ` Wouter Lueks
2004-03-03 15:30 ` Wouter Lueks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=404F40C2.3080003@pacbell.net \
--to=david-b@pacbell.net \
--cc=davidm@hpl.hp.com \
--cc=greg@kroah.com \
--cc=iod00d@hp.com \
--cc=linux-ia64@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb-devel@lists.sourceforge.net \
--cc=pochini@shiny.it \
--cc=vojtech@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox