Date: Fri, 20 Dec 2002 13:11:01 +0100
From: Bernd Walter <ticso@cicely8.cicely.de>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Nate Lawson <nate@root.org>, freebsd-current@FreeBSD.ORG
Subject: Re: UMASS USB bug? (getting the Sony disk-on-key device working)
Message-ID: <20021220121100.GA658@cicely8.cicely.de>
In-Reply-To: <200212200111.gBK1BW0h026510@apollo.backplane.com>
References: <Pine.BSF.4.21.0212191442450.60085-100000@root.org> <200212200111.gBK1BW0h026510@apollo.backplane.com>

On Thu, Dec 19, 2002 at 05:11:32PM -0800, Matthew Dillon wrote:
>     I found another couple of bugs, this time in OHCI's DMA
>     buffer chaining code.

Great.

>     A patch for this with additional debugging code is
>     included below (for current).  There are two bugs.
>     I do not know if -stable is affected.
>
>     First, the calculation of dataphysend is totally bogus.
>     You can just take the physical address and add (len - 1)
>     to it.  You have to take the virtual address, add len - 1
>     to it, and convert it to a physical address.  I can
>     crash my machine simply by doing a
>
>     'newfs -f 1024 -b 8192 /dev/da2s1a'
>
>     On the disk-on-key USB device.
>
>     Second, I believe the OpenBSD and NetBSD code is broken.
>     The range can be one or two pages, but the remaining bytes
>     may be less than one page and this has to be taken into
>     account.

The NetBSD code is already different:

1.48  (augustss 15-Sep-99):     /* The OHCI hardware can handle at most one page crossing. */
1.48  (augustss 15-Sep-99):     if (OHCI_PAGE(dataphys) == dataphysend ||
1.48  (augustss 15-Sep-99):         OHCI_PAGE(dataphys) + OHCI_PAGE_SIZE == dataphysend) {
1.48  (augustss 15-Sep-99):         /* we can handle it in this TD */
1.48  (augustss 15-Sep-99):         curlen = len;
1.48  (augustss 15-Sep-99):     } else {
1.48  (augustss 15-Sep-99):         /* must use multiple TDs, fill as much as possible. */
1.120 (augustss 03-Feb-02):         curlen = 2 * OHCI_PAGE_SIZE -
1.48  (augustss 15-Sep-99):                  (dataphys & (OHCI_PAGE_SIZE-1));
1.78  (augustss 20-Mar-00):         /* the length must be a multiple of the max size */
1.78  (augustss 20-Mar-00):         curlen -= curlen % UGETW(opipe->pipe.endpoint->edesc->wMaxPacketSize);
1.78  (augustss 20-Mar-00): #ifdef DIAGNOSTIC
1.78  (augustss 20-Mar-00):         if (curlen == 0)
1.128 (provos   27-Sep-02):             panic("ohci_alloc_std: curlen == 0");
1.78  (augustss 20-Mar-00): #endif
1.48  (augustss 15-Sep-99):     }

Too bad we did not catch it.

-- 
B.Walter              COSMO-Project         http://www.cosmo-project.de
ticso@cicely.de         Usergroup           info@cosmo-project.de
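
Added example, not part of the original mail or of the FreeBSD/NetBSD source: a small C model of the dataphysend calculation discussed in the thread, showing how offsetting the physical start address lands in a frame the buffer does not own. The page table values are constructed, and toy_vtophys(), frame_owned() and td_chunk() are hypothetical names; td_chunk() is one way to honour the one-page-crossing limit and a short remainder, not the patch mentioned in the mail.

```c
#include <stdint.h>
#include <stdio.h>

#define OHCI_PAGE_SIZE 0x1000u
#define OHCI_PAGE(x)   ((x) & ~(OHCI_PAGE_SIZE - 1))

/* Constructed mapping: virtual page n -> physical frame base. The frames are
 * deliberately not contiguous, as for an ordinary kernel buffer. */
static const uint32_t toy_frames[] = { 0x00200000u, 0x00735000u, 0x00736000u, 0x00102000u };

/* Hypothetical stand-in for the kernel's virtual-to-physical lookup. */
static uint32_t toy_vtophys(uint32_t va)
{
    return toy_frames[va / OHCI_PAGE_SIZE] + (va & (OHCI_PAGE_SIZE - 1));
}

/* The calculation the mail calls bogus: offset the physical start address. */
static uint32_t end_from_phys(uint32_t va, uint32_t len) { return toy_vtophys(va) + len - 1; }

/* The calculation the mail asks for: offset the virtual address, then translate. */
static uint32_t end_from_virt(uint32_t va, uint32_t len) { return toy_vtophys(va + len - 1); }

/* Does a physical address fall inside one of the buffer's own frames? */
static int frame_owned(uint32_t pa)
{
    for (unsigned i = 0; i < sizeof toy_frames / sizeof toy_frames[0]; i++)
        if (OHCI_PAGE(pa) == toy_frames[i])
            return 1;
    return 0;
}

/* Bytes for one TD starting at va: at most one page crossing, never more than
 * the bytes remaining; a non-final TD is rounded down to whole packets. */
static uint32_t td_chunk(uint32_t va, uint32_t len, uint32_t maxpkt)
{
    uint32_t room = 2 * OHCI_PAGE_SIZE - (va & (OHCI_PAGE_SIZE - 1));
    if (len <= room)
        return len;               /* remainder fits, even if under a page */
    return room - room % maxpkt;
}

int main(void)
{
    uint32_t va = 0x0f00, len = 0x400;   /* crosses from page 0 into page 1 */
    printf("phys+len-1 = 0x%08x (owned: %d)\n", (unsigned)end_from_phys(va, len), frame_owned(end_from_phys(va, len)));
    printf("vtophys(va+len-1) = 0x%08x (owned: %d)\n", (unsigned)end_from_virt(va, len), frame_owned(end_from_virt(va, len)));
    printf("8192 bytes at 0x1800 -> %u then %u\n", (unsigned)td_chunk(0x1800, 8192, 64), (unsigned)td_chunk(0x3000, 2048, 64));
    return 0;
}
```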