* 2.6.34 Crash in dmaengine_put()
From: Jeffrey Merkey @ 2010-06-22  2:57 UTC
To: linux-kernel

If someone sets the IFF_UP flags in the netdev structure without going
through ifup userspace stuff, during unregister of the netdev
the dmaengine-put code will decrement the reference counter negative,
and crash at BUG! in the driver/dma/dmaengine.c code.  This seems
busted.

Jeff

* Re: 2.6.34 Crash in dmaengine_put()
From: Andrew Morton @ 2010-06-22  3:28 UTC
To: Jeffrey Merkey; +Cc: linux-kernel, Dan Williams

On Mon, 21 Jun 2010 20:57:40 -0600 Jeffrey Merkey <jeffmerkey@gmail.com> wrote:

> If someone sets the IFF_UP flags in the netdev structure without going
> through ifup userspace stuff, during unregister of the netdev
> the dmaengine-put code will decrement the reference counter negative,
> and crash at BUG! in the driver/dma/dmaengine.c code.  This seems
> busted.
>

Please send a copy of the kernel BUG trace.

* Re: 2.6.34 Crash in dmaengine_put()
From: Jeffrey Merkey @ 2010-06-22 14:08 UTC
To: Andrew Morton; +Cc: linux-kernel, Dan Williams

OK.  This bug occurs if you OR in the IFF_UP flag while creating
virtual interfaces without going through the normal ifup/ifdown
scripts.  Looks like a hole.  I will post the trace shortly.  It's
easy to reproduce, take the dummy net driver, OR in the IFF_UP flag in
dummy_setup, and watch the kernel crash.

Jeff

On Mon, Jun 21, 2010 at 9:28 PM, Andrew Morton
<akpm@linux-foundation.org> wrote:
> On Mon, 21 Jun 2010 20:57:40 -0600 Jeffrey Merkey <jeffmerkey@gmail.com> wrote:
>
>> If someone sets the IFF_UP flags in the netdev structure without going
>> through ifup userspace stuff, during unregister of the netdev
>> the dmaengine-put code will decrement the reference counter negative,
>> and crash at BUG! in the driver/dma/dmaengine.c code.  This seems
>> busted.
>>
>
> Please send a copy of the kernel BUG trace.
>

* Re: 2.6.34 Crash in dmaengine_put()
From: Eric Dumazet @ 2010-06-22 14:43 UTC
To: Jeffrey Merkey; +Cc: Andrew Morton, linux-kernel, Dan Williams, netdev

On Tuesday 22 June 2010 at 08:08 -0600, Jeffrey Merkey wrote:

Please don't top post on lkml (or netdev) messages

> OK.  This bug occurs if you OR in the IFF_UP flag while creating
> virtual interfaces without going through the normal ifup/ifdown
> scripts.  Looks like a hole.  I will post the trace shortly.  It's
> easy to reproduce, take the dummy net driver, OR in the IFF_UP flag in
> dummy_setup, and watch the kernel crash.
>

Then don't do that?

No need to send us a trace, unless you use a pristine kernel.

IFF_UP changes rules are very strict, don't try to avoid them and claim
there is a hole or something wrong.

Check __dev_open(), __dev_close() and __dev_change_flags() where OR/AND
IFF_UP is done by core network.

Net drivers are not allowed to change IFF_UP themselves.

(DE-600 & DE-620 being the exceptions to confirm this rule, of course)

> Jeff
>
> On Mon, Jun 21, 2010 at 9:28 PM, Andrew Morton
> <akpm@linux-foundation.org> wrote:
> > On Mon, 21 Jun 2010 20:57:40 -0600 Jeffrey Merkey <jeffmerkey@gmail.com> wrote:
> >
> >> If someone sets the IFF_UP flags in the netdev structure without going
> >> through ifup userspace stuff, during unregister of the netdev
> >> the dmaengine-put code will decrement the reference counter negative,
> >> and crash at BUG! in the driver/dma/dmaengine.c code.  This seems
> >> busted.
> >>
> >
> > Please send a copy of the kernel BUG trace.
> >

* Re: 2.6.34 Crash in dmaengine_put()
From: Jeffrey Merkey @ 2010-06-22 16:36 UTC
To: Eric Dumazet; +Cc: Andrew Morton, linux-kernel, Dan Williams, netdev

>
>> OK.  This bug occurs if you OR in the IFF_UP flag while creating
>> virtual interfaces without going through the normal ifup/ifdown
>> scripts.  Looks like a hole.  I will post the trace shortly.  It's
>> easy to reproduce, take the dummy net driver, OR in the IFF_UP flag in
>> dummy_setup, and watch the kernel crash.
>>
>
> Then don't do that?
>
> No need to send us a trace, unless you use a pristine kernel.
>
> IFF_UP changes rules are very strict, don't try to avoid them and claim
> there is a hole or something wrong.
>
> Check __dev_open(), __dev_close() and __dev_change_flags() where OR/AND
> IFF_UP is done by core network.
>
> Net drivers are not allowed to change IFF_UP themselves.
>
> (DE-600 & DE-620 being the exceptions to confirm this rule, of course)
>

Gee.  OK, it's a bug.  I see the crash when unregister_netdev is called.
Changing a flag in a driver should not cause the kernel to crash.  You
should check the code.  The dmaengine registration should have nothing
to do with registering a netdev -- period.  I have coded around it but
it's damn convenient to create virtual drivers on the fly and mark them
as UP without needing to configure a bunch of text scripts to bring one
up or down.  The code itself is busted because it has a check if the
dmaengine ref count goes negative.  If you are going to have a
registration layer the rest of the OS should not have to wonder about
its disconnected state.  The busted code is right at the top of
dmaengine_put where it decrements the ref count then immediately jumps
to a bug.  Need a better way here I think to prevent needless crashes.

Someone could just alter this flag remotely and crash a server -- HOLE - :)

Jeff
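
Added example, not part of the thread and not kernel source: a simplified user-space C model of the sequence the messages above describe, where the up flag is the only record that a reference was taken on open, so a flag set outside the open path produces an unmatched put at unregister time. All `model_*` names and `MODEL_IFF_UP` are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdio.h>
#define MODEL_IFF_UP 0x1u   /* stand-in bit, not the kernel's definition */
struct model_netdev { unsigned int flags; };
static int model_refs;      /* models the global count that the put decrements */
static bool model_bug;      /* set at the point the thread reports the BUG */

static void model_put(void)
{
    if (--model_refs < 0)   /* count went negative: unmatched put */
        model_bug = true;
}

/* Core open path: flag and reference change together. */
static void model_dev_open(struct model_netdev *d)
{
    if (d->flags & MODEL_IFF_UP) return;
    d->flags |= MODEL_IFF_UP;
    model_refs++;
}

/* Core close path: trusts the flag as proof that open ran. */
static void model_dev_close(struct model_netdev *d)
{
    if (!(d->flags & MODEL_IFF_UP)) return;
    d->flags &= ~MODEL_IFF_UP;
    model_put();
}

/* One device lifetime ending in unregister; returns the final count. */
int model_run(bool driver_sets_flag, bool *bug)
{
    struct model_netdev d = { 0 };
    model_refs = 0; model_bug = false;   /* fresh state for each run */
    if (driver_sets_flag)
        d.flags |= MODEL_IFF_UP;   /* set in setup, open path never runs */
    else
        model_dev_open(&d);
    model_dev_close(&d);           /* unregister closes a device that looks up */
    *bug = model_bug;
    return model_refs;
}

int main(void)
{
    bool b1, b2;
    int r1 = model_run(false, &b1), r2 = model_run(true, &b2);
    printf("core open: refs=%d bug=%d\ndriver flag: refs=%d bug=%d\n", r1, b1, r2, b2);
    return 0;
}
```

In the model the balanced path ends with a count of 0, while the driver-set flag ends at -1 with the check tripped, which is why the flag has to be changed only on the path that also takes the reference.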