Re: [RFC PATCH 02/12] On Tue, 23 Sep 2008, David Miller wrote:

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Thomas Gleixner <tglx@linutronix.de>
To: Jiri Kosina <jkosina@suse.cz>
Cc: Jesse Brandeburg <jesse.brandeburg@gmail.com>,
	Jesse Barnes <jbarnes@virtuousgeek.org>,
	David Miller <davem@davemloft.net>,
	jesse.brandeburg@intel.com, linux-kernel@vger.kernel.org,
	linux-netdev@vger.kernel.org, kkeil@suse.de, agospoda@redhat.com,
	arjan@linux.intel.com, david.graham@intel.com,
	bruce.w.allan@intel.com, john.ronciak@intel.com,
	chris.jones@canonical.com, tim.gardner@intel.com,
	airlied@gmail.com, Olaf Kirch <okir@suse.de>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFC PATCH 02/12] On Tue, 23 Sep 2008, David Miller wrote:
Date: Sat, 4 Oct 2008 13:02:18 +0200 (CEST)	[thread overview]
Message-ID: <alpine.LFD.2.00.0810041236250.4404@apollo> (raw)
In-Reply-To: <alpine.LNX.1.10.0810041219130.26779@jikos.suse.cz>

On Sat, 4 Oct 2008, Jiri Kosina wrote:
> On Fri, 3 Oct 2008, Jesse Brandeburg wrote:
> > Our experience is different.  We are also testing with the "protection 
> > patch" reverted.
> > We see that the problem specifically comes and goes when
> > removing/adding the use of set_memory_ro/set_memory_rw to the driver.
> 
> But if this patch (which is an obvious workaround, compared to the other 
> patches which fix real bugs, right?) would be catching some malicious 
> accessess to the mapped EEPROM, there should be stacktraces present in the 
> kernel log, right?

Exactly. The access to a ro region results in a fault. I have nowhere
seen that trigger, but I can reproduce the trylock() WARN_ON, which
confirms that there is concurrent access to the NVRAM registers. The
backtrace pattern is similar to the one you have seen.

There are two possible bad results from that concurrent access:

1) Task A issues command A
				Task B issues command B
   Task A writes data for A
   which end up in B

2) Task A acquires the software flag
   ......

				Task B acquires the software flag

   Task A releases the software flag

   The firmware accesses NVRAM  Task B accesses the NVRAM

Both are probably serious enough to result in random NVRAM corruption.
There is no doubt: The missing serialization is a real bug.

Your question why this just happens now, while the bug is there for
ever, is definitely a good one. My opinion on that is that we just
have been lucky or some minor modification somewhere else in the
e1000e code or even in the generic/architecture code removed an
accidental serializing effect.

I was not able to reproduce the trylock warning on Fedora 8, but
Fedora 10-Beta triggers it once in 50 boots. I'm not going to remove
the mutex to verify whether it actually would corrupt the NVRAM :)

In theory we should be able to reproduce the problem with older kernel
versions as well. Maybe not the corruption, but we might see the
mutex_trylock check trigger.

Thanks,

	tglx

next prev parent reply	other threads:[~2008-10-04 11:04 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-09-30  3:19 [RFC PATCH 00/12] e1000e debug and protection patches Jesse Brandeburg
2008-09-30  3:19 ` [RFC PATCH 01/12] x86: export set_memory_ro and set_memory_rw Jesse Brandeburg
2008-09-30  7:07   ` Ingo Molnar
2008-09-30  3:19 ` [RFC PATCH 02/12] On Tue, 23 Sep 2008, David Miller wrote: Jesse Brandeburg
2008-10-02 22:23   ` Jesse Barnes
2008-10-03 20:46     ` David Miller
2008-10-03 21:29       ` Jesse Barnes
2008-10-03 21:45         ` Jiri Kosina
2008-10-03 23:28           ` Jesse Brandeburg
2008-10-03 23:30             ` Jesse Brandeburg
2008-10-04 10:21             ` Jiri Kosina
2008-10-04 11:02               ` Thomas Gleixner [this message]
2008-10-05  1:24                 ` Jesse Brandeburg
2008-10-05  8:51                   ` Thomas Gleixner
2008-10-05 15:05                     ` Arjan van de Ven
2008-10-05 15:55                       ` Thomas Gleixner
2008-10-05 16:02                         ` Arjan van de Ven
2008-10-05 16:16                           ` Thomas Gleixner
2008-10-05 17:01                             ` Arjan van de Ven
2008-10-07 23:19     ` David Miller
2008-09-30  3:19 ` [RFC PATCH 03/12] e1000e: reset swflag after resetting hardware Jesse Brandeburg
2008-09-30  3:19 ` [RFC PATCH 04/12] e1000e: do not ever sleep in interrupt context Jesse Brandeburg
2008-09-30  3:19 ` [RFC PATCH 05/12] e1000e: fix lockdep issues Jesse Brandeburg
2008-09-30  3:19 ` [RFC PATCH 06/12] e1000e: drop stats lock Jesse Brandeburg
2008-09-30  3:19 ` [RFC PATCH 07/12] e1000e: debug contention on NVM SWFLAG Jesse Brandeburg
2008-10-02 14:28   ` Jiri Kosina
2008-10-02 15:03     ` Olaf Kirch
2008-10-02 16:27       ` Brandeburg, Jesse
2008-10-02 17:33         ` Olaf Kirch
2008-10-02 18:58           ` Thomas Gleixner
2008-10-02 19:07             ` Olaf Kirch
2008-10-02 19:08               ` Olaf Kirch
2008-10-02 18:02         ` Thomas Gleixner
2008-10-02 23:42       ` [PATCH] e1000e: prevent concurrent access to NVRAM Thomas Gleixner
2008-10-03  0:19         ` Jesse Brandeburg
2008-10-03  0:28           ` Thomas Gleixner
2008-09-30  3:19 ` [RFC PATCH 08/12] e1000e: allow bad checksum Jesse Brandeburg
2008-09-30  8:38   ` Jiri Kosina
2008-09-30  3:20 ` [RFC PATCH 09/12] e1000e: dump eeprom to dmesg for ich8/9 Jesse Brandeburg
2008-09-30  3:20 ` [RFC PATCH 10/12] e1000e: Use set_memory_ro()/set_memory_rw() to protect flash memory Jesse Brandeburg
2008-09-30  3:20 ` [RFC PATCH 11/12] e1000e: write protect ICHx NVM to prevent malicious write/erase Jesse Brandeburg
2008-09-30 12:40   ` Jiri Kosina
2008-09-30 15:47     ` Allan, Bruce W
2008-10-01 13:29       ` Jiri Kosina
2008-10-01 19:13         ` Allan, Bruce W
2008-09-30  3:20 ` [RFC PATCH 12/12] update version Jesse Brandeburg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.LFD.2.00.0810041236250.4404@apollo \
    --to=tglx@linutronix.de \
    --cc=agospoda@redhat.com \
    --cc=airlied@gmail.com \
    --cc=arjan@linux.intel.com \
    --cc=bruce.w.allan@intel.com \
    --cc=chris.jones@canonical.com \
    --cc=davem@davemloft.net \
    --cc=david.graham@intel.com \
    --cc=jbarnes@virtuousgeek.org \
    --cc=jesse.brandeburg@gmail.com \
    --cc=jesse.brandeburg@intel.com \
    --cc=jkosina@suse.cz \
    --cc=john.ronciak@intel.com \
    --cc=kkeil@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-netdev@vger.kernel.org \
    --cc=okir@suse.de \
    --cc=tim.gardner@intel.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox