From owner-freebsd-drivers@FreeBSD.ORG Wed Oct 8 07:21:35 2008
Date: Tue, 7 Oct 2008 23:17:18 -0700 (PDT)
From: "Dorr H. Clark"
To: freebsd-drivers@freebsd.org
Cc: freebsd-bugs@freebsd.org
Subject: Driver crash with cardbus & auto-configuration

Driver crash with cardbus & auto-configuration:

This situation was encountered when trying to use a laptop with cardbus CIS for the COEN284 "UNIX Kernel Internals" class at SCU.

The corruption was discovered after applying a patch to allow the cardbus CIS to be parsed (see BUG #115623). After a reboot of the laptop (DELL latitude CPx), the auto-configuration process of the cardbus XIRCOM RBEM56G provoked a crash.

The root cause of the crash is the corruption of the malloc storage itself. The corruption happened in the auto-configuration process. As the kernel is probing various possible devices, one call corrupts memory, and it was found that bce_probe() is the culprit. The code causing the crash in the 'bce' driver is only to allow a debug printf, and therefore can be safely removed.

The explanation of the corruption is as follows: while probing for a child, we normally allocate and deallocate the softc structure of the corresponding driver. In this auto-configuration case, the 'sio' driver was probed prior to the 'bce' driver and the sio driver was allocating the original 'softc' memory. The softc is set with a size of 812 bytes (the sio softc data struct), and the dev->flags is set with DF_EXTERNALSOFTC. This flag makes sure that the softc is not deallocated, and the following probe re-uses the same softc. However, when the bce_probe gets executed, it re-interprets the softc data structure into a 'struct bce_softc' of size 8852 and then scribbles beyond the end of the original allocation, corrupting memory.

While we encountered this issue with 7.0, it appears that this is an issue in the latest version and also could be a problem in the 6.3 release.

A recommended patch for this problem is offered below.

Charles Bransi
Engineer

Dorr H. Clark
Advisor

Graduate School of Engineering
Santa Clara University
Santa Clara, CA

http://www.cse.scu.edu/~dclark/coen_284_FreeBSD/driver_crash.txt

The change is the following:

--- if_bce_orig.c	2008-07-30 21:47:15.000000000 -0700
+++ if_bce.c	2008-08-01 21:02:52.000000000 -0700
@@ -394,27 +394,17 @@
 bce_probe(device_t dev)
 {
 	struct bce_type *t;
-	struct bce_softc *sc;
 	char *descbuf;
 	u16 vid = 0, did = 0, svid = 0, sdid = 0;
 
 	t = bce_devs;
 
-	sc = device_get_softc(dev);
-	bzero(sc, sizeof(struct bce_softc));
-	sc->bce_unit = device_get_unit(dev);
-	sc->bce_dev = dev;
-
 	/* Get the data for the device to be probed. */
 	vid = pci_get_vendor(dev);
 	did = pci_get_device(dev);
 	svid = pci_get_subvendor(dev);
 	sdid = pci_get_subdevice(dev);
 
-	DBPRINT(sc, BCE_VERBOSE_LOAD,
-	    "%s(); VID = 0x%04X, DID = 0x%04X, SVID = 0x%04X, "
-	    "SDID = 0x%04X\n", __FUNCTION__, vid, did, svid, sdid);
-
 	/* Look through the list of known devices for a match. */
 	while(t->bce_name != NULL) {
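Review bot: the hunk removes the overrunning bzero(sc, sizeof(struct bce_softc)) and the DBPRINT that needed sc, which does stop bce_probe from writing past an 812-byte external softc, but it also drops the sc->bce_unit and sc->bce_dev assignments without replacing them; confirm that the attach routine sets both fields, since this function no longer does. The thread's follow-up puts the root cause in sio leaving a DF_EXTERNALSOFTC softc behind for later probes, so this change contains the problem on the bce side rather than fixing it at the source; the property it restores, that a probe routine never writes into a softc it did not size itself, is the one every probe routine sharing that device should have.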
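To make the mechanism in the report concrete, here is an added C model (constructed for this page, not FreeBSD's newbus or the bce driver): a device keeps the 812-byte softc that sio left behind with DF_EXTERNALSOFTC, and a size-checked accessor refuses the 8852-byte write the pre-patch bce_probe wanted to make instead of letting it overrun. The softc_size field and the function names are assumptions of the model; real newbus has no such field, which is exactly why bce_probe could not detect the mismatch.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the probe path from the report, not FreeBSD code.
 * softc_size is hypothetical: real newbus does not record how large an
 * external softc is, which is why bce_probe could not notice the mismatch. */
#define DF_EXTERNALSOFTC 0x01   /* softc is kept across probes */
#define SIO_SOFTC_SIZE   812    /* sizes quoted in the report */
#define BCE_SOFTC_SIZE   8852
struct device {
	void *softc;
	size_t softc_size;
	unsigned flags;
};

/* Size-checked accessor: a leftover external softc smaller than the
 * caller's structure is refused instead of being overrun. */
static void *softc_for_probe(struct device *dev, size_t need)
{
	if (dev->flags & DF_EXTERNALSOFTC)
		return dev->softc_size >= need ? dev->softc : NULL;
	dev->softc = calloc(1, need);
	dev->softc_size = need;
	return dev->softc;
}

/* Pre-patch bce_probe shape: zeroes a full bce softc.  Returns -1 where
 * the original would have scribbled past the end of the 812 bytes. */
static int bce_probe_writes_softc(struct device *dev)
{
	void *sc = softc_for_probe(dev, BCE_SOFTC_SIZE);
	if (sc == NULL)
		return -1;
	memset(sc, 0, BCE_SOFTC_SIZE);
	return 0;
}

/* Probe order from the report: sio allocates its 812-byte softc and marks
 * it external, then bce is probed on the same device.  patched != 0 models
 * the posted fix, which touches no softc at all. */
int probe_sequence(int patched)
{
	struct device dev = { NULL, 0, 0 };
	int rc = 0;
	dev.softc = calloc(1, SIO_SOFTC_SIZE);   /* what sio's probe leaves */
	dev.softc_size = SIO_SOFTC_SIZE;
	dev.flags |= DF_EXTERNALSOFTC;
	if (!patched)
		rc = bce_probe_writes_softc(&dev);
	free(dev.softc);
	return rc;
}
```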
From owner-freebsd-drivers@FreeBSD.ORG Wed Oct 8 08:10:23 2008
Date: Wed, 08 Oct 2008 02:09:52 -0600 (MDT)
Message-Id: <20081008.020952.1525699914.imp@bsdimp.com>
From: "M. Warner Losh"
To: dclark@engr.scu.edu
Cc: freebsd-bugs@FreeBSD.org, freebsd-drivers@FreeBSD.org
Subject: Re: Driver crash with cardbus & auto-configuration

Sorry to top post, but this is really a bug in sio, and should be fixed there. I've added some comments to the driver, but didn't fix it since that's a little trickier than I'd thought when I dove in...

Warner

From owner-freebsd-drivers@FreeBSD.ORG Wed Oct 8 08:24:15 2008
Date: Wed, 8 Oct 2008 01:24:06 -0700 (PDT)
From: "Dorr H. Clark"
To: "M. Warner Losh"
In-Reply-To: <20081008.020952.1525699914.imp@bsdimp.com>
Cc: freebsd-bugs@FreeBSD.org, freebsd-drivers@FreeBSD.org
Subject: Re: Driver crash with cardbus & auto-configuration

Hi Warner-

Good to know we're not the only ones to run into this issue. Do you have a bug number for the problem?

-dhc

On Wed, 8 Oct 2008, M. Warner Losh wrote:
> Sorry to top post, but this is really a bug in sio, and should be
> fixed there. I've added some comments to the driver, but didn't fix
> it since that's a little trickier than I'd thought when I dove in...
>
> Warner