1001806 – DMA-API: device driver maps memory fromstack

Bug 1001806 - DMA-API: device driver maps memory fromstack

Summary: DMA-API: device driver maps memory fromstack

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	20
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Kernel Maintainer List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-27 19:43 UTC by Richard Ryniker
Modified:	2014-01-08 14:47 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-01-08 14:47:46 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Formatted system journal. (106.04 KB, text/x-vhdl) 2013-08-27 19:43 UTC, Richard Ryniker	no flags	Details
rdsosreport.txt (115.99 KB, text/plain) 2013-08-27 19:46 UTC, Richard Ryniker	no flags	Details
View All

Description Richard Ryniker 2013-08-27 19:43:08 UTC

Created attachment 791158 [details]
Formatted system journal.

Description of problem:

Aug 26 16:11:36 localhost kernel: ------------[ cut here ]------------
Aug 26 16:11:36 localhost kernel: WARNING: CPU: 0 PID: 54 at lib/dma-debug.c:950 check_for_stack+0xa0/0x100()
Aug 26 16:11:36 localhost kernel: ehci-pci 0000:00:1a.0: DMA-API: device driver maps memory fromstack [addr=ffff880427629376]
Aug 26 16:11:36 localhost kernel: Modules linked in: floppy(+) scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi squashfs cramfs edd dm_multipath
Aug 26 16:11:36 localhost kernel: CPU: 0 PID: 54 Comm: khubd Not tainted 3.11.0-0.rc6.git4.1.fc20.x86_64 #1
Aug 26 16:11:36 localhost kernel: Hardware name: LENOVO 7745/7745, BIOS DUKT31AUS 05/23/2011
Aug 26 16:11:36 localhost kernel:  0000000000000009 ffff880427629028 ffffffff81723846 ffff880427629070
Aug 26 16:11:36 localhost kernel:  ffff880427629060 ffffffff8107464d ffff880427f9c5b8 ffff88042752bae0
Aug 26 16:11:36 localhost kernel:  ffff880427629376 ffff880427f9c5b8 ffffffff81c27440 ffff8804276290c0
Aug 26 16:11:36 localhost kernel: Call Trace:
Aug 26 16:11:36 localhost kernel:  [<ffffffff81723846>] dump_stack+0x54/0x74
Aug 26 16:11:36 localhost kernel:  [<ffffffff8107464d>] warn_slowpath_common+0x7d/0xa0
Aug 26 16:11:36 localhost kernel:  [<ffffffff810746bc>] warn_slowpath_fmt+0x4c/0x50
Aug 26 16:11:36 localhost kernel:  [<ffffffff81392550>] check_for_stack+0xa0/0x100
Aug 26 16:11:36 localhost kernel:  [<ffffffff813928f0>] debug_dma_map_page+0x100/0x140
Aug 26 16:11:36 localhost kernel:  [<ffffffff815029d0>] usb_hcd_map_urb_for_dma+0x5d0/0x700
Aug 26 16:11:36 localhost kernel:  [<ffffffff81502d95>] usb_hcd_submit_urb+0x295/0x8f0
Aug 26 16:11:36 localhost kernel:  [<ffffffff810e434c>] ? lockdep_init_map+0xac/0x4a0
Aug 26 16:11:36 localhost kernel:  [<ffffffff815043b5>] usb_submit_urb+0x155/0x3d0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81504dc4>] usb_start_wait_urb+0x74/0x190
Aug 26 16:11:36 localhost kernel:  [<ffffffff811cfe41>] ? kmem_cache_alloc_trace+0x111/0x350
Aug 26 16:11:36 localhost kernel:  [<ffffffff81504fa5>] usb_control_msg+0xc5/0x110
Aug 26 16:11:36 localhost kernel:  [<ffffffff815b2164>] usbhid_get_raw_report+0x94/0xb0
Aug 26 16:11:36 localhost kernel:  [<ffffffff815a6fbd>] hidinput_get_battery_property+0x6d/0x100
Aug 26 16:11:36 localhost kernel:  [<ffffffff81565e36>] power_supply_show_property+0x56/0x1f0
Aug 26 16:11:36 localhost kernel:  [<ffffffff815660e2>] power_supply_uevent+0xd2/0x2a0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81485339>] dev_uevent+0xb9/0x2b0
Aug 26 16:11:36 localhost kernel:  [<ffffffff813706b0>] kobject_uevent_env+0x290/0x600
Aug 26 16:11:36 localhost kernel:  [<ffffffff810e6cfd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81370a2b>] kobject_uevent+0xb/0x10
Aug 26 16:11:36 localhost kernel:  [<ffffffff81484bc2>] device_add+0x4c2/0x7a0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81565b98>] power_supply_register+0x118/0x250
Aug 26 16:11:36 localhost kernel:  [<ffffffff815a75e7>] hidinput_setup_battery+0x167/0x200
Aug 26 16:11:36 localhost kernel:  [<ffffffff814846ca>] ? device_private_init+0x4a/0x80
Aug 26 16:11:36 localhost kernel:  [<ffffffff815a8423>] hidinput_connect+0xa63/0x2960
Aug 26 16:11:36 localhost kernel:  [<ffffffff810e6cfd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
Aug 26 16:11:36 localhost kernel:  [<ffffffff815a657d>] hid_connect+0x2fd/0x380
Aug 26 16:11:36 localhost kernel:  [<ffffffff815b4542>] ? usbhid_set_leds+0x92/0xc0
Aug 26 16:11:36 localhost kernel:  [<ffffffff815b4c95>] ? usbhid_start+0x545/0x600
Aug 26 16:11:36 localhost kernel:  [<ffffffff815a6d84>] hid_device_probe+0x144/0x160
Aug 26 16:11:36 localhost kernel:  [<ffffffff81487db7>] driver_probe_device+0x87/0x390
Aug 26 16:11:36 localhost kernel:  [<ffffffff814880c0>] ? driver_probe_device+0x390/0x390
Aug 26 16:11:36 localhost kernel:  [<ffffffff814880fb>] __device_attach+0x3b/0x40
Aug 26 16:11:36 localhost kernel:  [<ffffffff81485cc3>] bus_for_each_drv+0x63/0xa0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81487cb0>] device_attach+0x90/0xb0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81486fb8>] bus_probe_device+0xa8/0xd0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81484bca>] device_add+0x4ca/0x7a0
Aug 26 16:11:36 localhost kernel:  [<ffffffff815a6984>] hid_add_device+0x174/0x380
Aug 26 16:11:36 localhost kernel:  [<ffffffff815b3a30>] usbhid_probe+0x3b0/0x4e0
Aug 26 16:11:36 localhost kernel:  [<ffffffff815092ff>] usb_probe_interface+0x1cf/0x300
Aug 26 16:11:36 localhost kernel:  [<ffffffff81487db7>] driver_probe_device+0x87/0x390
Aug 26 16:11:36 localhost kernel:  [<ffffffff814880c0>] ? driver_probe_device+0x390/0x390
Aug 26 16:11:36 localhost kernel:  [<ffffffff814880fb>] __device_attach+0x3b/0x40
Aug 26 16:11:36 localhost kernel:  [<ffffffff81485cc3>] bus_for_each_drv+0x63/0xa0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81487cb0>] device_attach+0x90/0xb0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81486fb8>] bus_probe_device+0xa8/0xd0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81484bca>] device_add+0x4ca/0x7a0
Aug 26 16:11:36 localhost kernel:  [<ffffffff8150736b>] usb_set_configuration+0x52b/0x840
Aug 26 16:11:36 localhost kernel:  [<ffffffff815119fe>] generic_probe+0x2e/0xa0
Aug 26 16:11:36 localhost kernel:  [<ffffffff815090e2>] usb_probe_device+0x32/0x80
Aug 26 16:11:36 localhost kernel:  [<ffffffff81487db7>] driver_probe_device+0x87/0x390
Aug 26 16:11:36 localhost kernel:  [<ffffffff814880c0>] ? driver_probe_device+0x390/0x390
Aug 26 16:11:36 localhost kernel:  [<ffffffff814880fb>] __device_attach+0x3b/0x40
Aug 26 16:11:36 localhost kernel:  [<ffffffff81485cc3>] bus_for_each_drv+0x63/0xa0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81487cb0>] device_attach+0x90/0xb0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81486fb8>] bus_probe_device+0xa8/0xd0
Aug 26 16:11:36 localhost kernel:  [<ffffffff81484bca>] device_add+0x4ca/0x7a0
Aug 26 16:11:36 localhost kernel:  [<ffffffff814fcd50>] usb_new_device+0x220/0x3b0
Aug 26 16:11:36 localhost kernel:  [<ffffffff814fe630>] hub_thread+0x950/0x1710
Aug 26 16:11:36 localhost kernel:  [<ffffffff810a1350>] ? wake_up_atomic_t+0x30/0x30
Aug 26 16:11:36 localhost kernel:  [<ffffffff814fdce0>] ? hub_port_debounce+0x130/0x130
Aug 26 16:11:36 localhost kernel:  [<ffffffff810a008d>] kthread+0xed/0x100
Aug 26 16:11:36 localhost kernel:  [<ffffffff8109ffa0>] ? insert_kthread_work+0x80/0x80
Aug 26 16:11:36 localhost kernel:  [<ffffffff8173666c>] ret_from_fork+0x7c/0xb0
Aug 26 16:11:36 localhost kernel:  [<ffffffff8109ffa0>] ? insert_kthread_work+0x80/0x80
Aug 26 16:11:36 localhost kernel: ---[ end trace 2c4fd31445b18099 ]---


Version-Release number of selected component (if applicable):
kernel 3.11.0-0.rc6.git4.1.fc20.x86_64

How reproducible:
always

Steps to Reproduce:
1. Boot from F20 alpha TC1 on a USB flash drive
2.
3.

Actual results:
See description.

Expected results:
No warning, no stack trace.

Additional info:
Similar problems appear to have been reported in old (no longer supported)
Fedora releases... example:  https://bugzilla.redhat.com/show_bug.cgi?id=797369

Comment 1 Richard Ryniker 2013-08-27 19:46:11 UTC

Created attachment 791168 [details]
rdsosreport.txt

Comment 2 Richard Ryniker 2013-08-28 19:50:54 UTC

Here is a patch to address the problem... but it is difficult for me to test
without an installed system.  How feasible would it be to include it in
a future alpha test compose?


Date: Wed, 28 Aug 2013 17:07:03 +0200 (CEST)
From: Jiri Kosina <jkosina>
To: Alan Stern <stern.edu>,
        Richard Ryniker <ryniker.edu>
Cc: USB list <linux-usb.org>
Subject: Re: ehci-pci 0000:00:1a.0: DMA-API: device driver maps memory
 fromstack
In-Reply-To: <Pine.LNX.4.44L0.1308281042560.1541-100000.org>
References: <Pine.LNX.4.44L0.1308281042560.1541-100000.org>

On Wed, 28 Aug 2013, Alan Stern wrote:

> > Aug 26 16:11:36 localhost kernel: ------------[ cut here ]------------
> > Aug 26 16:11:36 localhost kernel: WARNING: CPU: 0 PID: 54 at
> > lib/dma-debug.c:950 check_for_stack+0xa0/0x100()
> > Aug 26 16:11:36 localhost kernel: ehci-pci 0000:00:1a.0: DMA-API: device
> > driver maps memory fromstack [addr=ffff880427629376]
> > Aug 26 16:11:36 localhost kernel: Modules linked in: floppy(+) scsi_dh_rdac
> > scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua iscsi_tcp libiscsi_tcp libiscsi
> > scsi_transport_iscsi squashfs cramfs edd dm_multipath
> > Aug 26 16:11:36 localhost kernel: CPU: 0 PID: 54 Comm: khubd Not tainted
> > 3.11.0-0.rc6.git4.1.fc20.x86_64 #1
> > Aug 26 16:11:36 localhost kernel: Hardware name: LENOVO 7745/7745, BIOS
> > DUKT31AUS 05/23/2011
> > Aug 26 16:11:36 localhost kernel:  0000000000000009 ffff880427629028
> > ffffffff81723846 ffff880427629070
> > Aug 26 16:11:36 localhost kernel:  ffff880427629060 ffffffff8107464d
> > ffff880427f9c5b8 ffff88042752bae0
> > Aug 26 16:11:36 localhost kernel:  ffff880427629376 ffff880427f9c5b8
> > ffffffff81c27440 ffff8804276290c0
> > Aug 26 16:11:36 localhost kernel: Call Trace:
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff81723846>] dump_stack+0x54/0x74
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff8107464d>]
> > warn_slowpath_common+0x7d/0xa0
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff810746bc>]
> > warn_slowpath_fmt+0x4c/0x50
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff81392550>]
> > check_for_stack+0xa0/0x100
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff813928f0>]
> > debug_dma_map_page+0x100/0x140
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff815029d0>]
> > usb_hcd_map_urb_for_dma+0x5d0/0x700
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff81502d95>]
> > usb_hcd_submit_urb+0x295/0x8f0
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff810e434c>] ?
> > lockdep_init_map+0xac/0x4a0
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff815043b5>]
> > usb_submit_urb+0x155/0x3d0
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff81504dc4>]
> > usb_start_wait_urb+0x74/0x190
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff811cfe41>] ?
> > kmem_cache_alloc_trace+0x111/0x350
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff81504fa5>]
> > usb_control_msg+0xc5/0x110
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff815b2164>]
> > usbhid_get_raw_report+0x94/0xb0
> > Aug 26 16:11:36 localhost kernel:  [<ffffffff815a6fbd>]
> > hidinput_get_battery_property+0x6d/0x100
> 
> This is where the bug lies.  hidinput_get_battery_property() needs to 
> allocate a buffer with kmalloc() instead of using on that's on the 
> stack.

Indeed. Could you please test with the patch below, so that I could add 
your Tested-by?

Thanks.



From: Jiri Kosina <jkosina>
Subject: [PATCH] HID: battery: don't do DMA from stack

Instead of using data from stack for DMA in hidinput_get_battery_property(),
allocate the buffer dynamically.

Reported-by: Richard Ryniker <ryniker.edu>
Reported-by: Alan Stern <stern.edu>
Signed-off-by: Jiri Kosina <jkosina>
---
 drivers/hid/hid-input.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 7480799..3fc4034 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -340,7 +340,7 @@ static int hidinput_get_battery_property(struct power_supply *psy,
 {
 	struct hid_device *dev = container_of(psy, struct hid_device, battery);
 	int ret = 0;
-	__u8 buf[2] = {};
+	__u8 *buf;
 
 	switch (prop) {
 	case POWER_SUPPLY_PROP_PRESENT:
@@ -349,12 +349,19 @@ static int hidinput_get_battery_property(struct power_supply *psy,
 		break;
 
 	case POWER_SUPPLY_PROP_CAPACITY:
+
+		buf = kmalloc(2 * sizeof(__u8), GFP_KERNEL);
+		if (!buf) {
+			ret = -ENOMEM;
+			break;
+		}
 		ret = dev->hid_get_raw_report(dev, dev->battery_report_id,
-					      buf, sizeof(buf),
+					      buf, 2,
 					      dev->battery_report_type);
 
 		if (ret != 2) {
 			ret = -ENODATA;
+			kfree(buf);
 			break;
 		}
 		ret = 0;
@@ -364,6 +371,7 @@ static int hidinput_get_battery_property(struct power_supply *psy,
 		    buf[1] <= dev->battery_max)
 			val->intval = (100 * (buf[1] - dev->battery_min)) /
 				(dev->battery_max - dev->battery_min);
+		kfree(buf);
 		break;
 
 	case POWER_SUPPLY_PROP_MODEL_NAME:

-- 
Jiri Kosina
SUSE Labs

Comment 3 Josh Boyer 2013-09-23 18:14:45 UTC

That patch went upstream with commit 6c2794a2984f4c17a58117a68703cc7640f01c5a in 3.12-rc1.  It's CC'd to stable so it should show up in 3.11.2 or soon thereafter.

Comment 4 Josh Boyer 2013-09-27 12:35:54 UTC

F20 was rebased to 3.11.2 in git this morning.

Note You need to log in before you can comment on or make changes to this bug.