linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Thomas Gleixner <tglx@linutronix.de>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Olaf Kirch <okir@suse.de>, Jiri Kosina <jkosina@suse.cz>,
	Jesse Brandeburg <jesse.brandeburg@intel.com>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-netdev@vger.kernel.org, kkeil@suse.de, agospoda@redhat.com,
	arjan@linux.intel.com, david.graham@intel.com,
	bruce.w.allan@intel.com, john.ronciak@intel.com,
	chris.jones@canonical.com, tim.gardner@intel.com,
	airlied@gmail.com, Ingo Molnar <mingo@elte.hu>
Subject: [PATCH] e1000e: prevent concurrent access to NVRAM
Date: Fri, 3 Oct 2008 01:42:14 +0200 (CEST)	[thread overview]
Message-ID: <alpine.LFD.1.10.0810030041060.5549@apollo.tec.linutronix.de> (raw)
In-Reply-To: <200810021703.43770.okir@suse.de>

On Thu, 2 Oct 2008, Olaf Kirch wrote:

> On Thursday 02 October 2008 16:28:42 Jiri Kosina wrote:
> >
> > 15:50:52 linux-pr0e kernel: WARNING: at drivers/net/e1000e/ich8lan.c:424 e1000_acquire_swflag_ich8lan+0x5a/0xdc [e1000e]()
> > 15:50:52 linux-pr0e kernel: e1000e mutex contention. Owned by pid 4162
> > 15:50:52 linux-pr0e kernel: Call Trace:
> > 15:50:52 linux-pr0e kernel:  [<ffffffff8020e41e>] show_trace_log_lvl+0x41/0x58
> > 15:50:52 linux-pr0e kernel:  [<ffffffff80493716>] dump_stack+0x69/0x6f
> > 15:50:52 linux-pr0e kernel:  [<ffffffff8023ee54>] warn_slowpath+0xb4/0xdc
> > 15:50:52 linux-pr0e kernel:  [<ffffffffa022ce2e>] e1000_acquire_swflag_ich8lan+0x5a/0xdc [e1000e]
> > 15:50:52 linux-pr0e kernel:  [<ffffffffa02317ba>] e1000e_read_phy_reg_igp+0x19/0x64 [e1000e]
> > 15:50:52 linux-pr0e kernel:  [<ffffffffa02319f8>] e1000e_phy_has_link_generic+0x50/0xcc [e1000e]
> > 15:50:52 linux-pr0e kernel:  [<ffffffffa02306f9>] e1000e_check_for_copper_link+0x24/0x86 [e1000e]
> > 15:50:52 linux-pr0e kernel:  [<ffffffffa0236982>] e1000_watchdog_task+0x5c/0x5eb [e1000e]
> > 15:50:52 linux-pr0e kernel:  [<ffffffff8024ecdb>] run_workqueue+0xa4/0x14c
> > 15:50:52 linux-pr0e kernel:  [<ffffffff8024ee5b>] worker_thread+0xd8/0xe7
> > 15:50:52 linux-pr0e kernel:  [<ffffffff80251fe5>] kthread+0x47/0x73
> > 15:50:52 linux-pr0e kernel:  [<ffffffff8020d7a9>] child_rip+0xa/0x11
> 
> Looks like the e1000 watchdog racing with some dhclient activity (upping the interface).
> 
> I just noticed that the driver actually uses register pages. So it looks like it's
> possible to have something like this without the mutex:
> 
> 	process A selects page A
> 	process B selects page B
> 	process A writes to register at offset A'
> 
> So we may end up writing to the wrong register. I think I heard Vojtech mention
> that the e1000e also has a register based interface to erase/rewrite the NVM
> programmatically. Do we know at which offsets these registers live?

Linus,

can you please apply the patch below which prevents the concurrent
access to the NVRAM. It triggered the trace which Olaf reported above.

I worked out that patch on Sept 24th and it triggered a couple of
problems in the e1000e code right away. These have been addressed by
Jesse and are part of the patch series he posted in the last days.

Still, all we have in mainline is some "hopefully bug preventing"
patch which does not address the root cause at all.

The confirmed bugs where the nvram acquire code was called
concurrently are still in your tree and the prevention patch along
with the resulting bugfixes are stuck in some obscure intel QA
process.

Please apply at least the bug prevention patch below.

Thanks,

	tglx
---
Subject: e1000e prevent concurrent access and debug contention on NVM SWFALG
Date: Wed, 24 Sep 2008 00:45:08 -0700
From: Thomas Gleixner <tglx@linutronix.de>

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: jesse.brandeburg@intel.com
---

 drivers/net/e1000e/ich8lan.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Index: linux-2.6/drivers/net/e1000e/ich8lan.c
===================================================================
--- linux-2.6.orig/drivers/net/e1000e/ich8lan.c
+++ linux-2.6/drivers/net/e1000e/ich8lan.c
@@ -382,6 +382,9 @@ static s32 e1000_get_variants_ich8lan(st
 	return 0;
 }
 
+static DEFINE_MUTEX(nvm_mutex);
+static pid_t nvm_owner = -1;
+
 /**
  *  e1000_acquire_swflag_ich8lan - Acquire software control flag
  *  @hw: pointer to the HW structure
@@ -395,6 +398,15 @@ static s32 e1000_acquire_swflag_ich8lan(
 	u32 extcnf_ctrl;
 	u32 timeout = PHY_CFG_TIMEOUT;
 
+	WARN_ON(preempt_count());
+
+	if (!mutex_trylock(&nvm_mutex)) {
+		WARN(1, KERN_ERR "e1000e mutex contention. Owned by pid %d\n",
+		     nvm_owner);
+		mutex_lock(&nvm_mutex);
+	}
+	nvm_owner = current->pid;
+
 	while (timeout) {
 		extcnf_ctrl = er32(EXTCNF_CTRL);
 		extcnf_ctrl |= E1000_EXTCNF_CTRL_SWFLAG;
@@ -409,6 +421,8 @@ static s32 e1000_acquire_swflag_ich8lan(
 
 	if (!timeout) {
 		hw_dbg(hw, "FW or HW has locked the resource for too long.\n");
+		nvm_owner = -1;
+		mutex_unlock(&nvm_mutex);
 		return -E1000_ERR_CONFIG;
 	}
 
@@ -430,6 +444,9 @@ static void e1000_release_swflag_ich8lan
 	extcnf_ctrl = er32(EXTCNF_CTRL);
 	extcnf_ctrl &= ~E1000_EXTCNF_CTRL_SWFLAG;
 	ew32(EXTCNF_CTRL, extcnf_ctrl);
+
+	nvm_owner = -1;
+	mutex_unlock(&nvm_mutex);
 }
 
 /**




  parent reply	other threads:[~2008-10-02 23:43 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-09-30  3:19 [RFC PATCH 00/12] e1000e debug and protection patches Jesse Brandeburg
2008-09-30  3:19 ` [RFC PATCH 01/12] x86: export set_memory_ro and set_memory_rw Jesse Brandeburg
2008-09-30  7:07   ` Ingo Molnar
2008-09-30  3:19 ` [RFC PATCH 02/12] On Tue, 23 Sep 2008, David Miller wrote: Jesse Brandeburg
2008-10-02 22:23   ` Jesse Barnes
2008-10-03 20:46     ` David Miller
2008-10-03 21:29       ` Jesse Barnes
2008-10-03 21:45         ` Jiri Kosina
2008-10-03 23:28           ` Jesse Brandeburg
2008-10-03 23:30             ` Jesse Brandeburg
2008-10-04 10:21             ` Jiri Kosina
2008-10-04 11:02               ` Thomas Gleixner
2008-10-05  1:24                 ` Jesse Brandeburg
2008-10-05  8:51                   ` Thomas Gleixner
2008-10-05 15:05                     ` Arjan van de Ven
2008-10-05 15:55                       ` Thomas Gleixner
2008-10-05 16:02                         ` Arjan van de Ven
2008-10-05 16:16                           ` Thomas Gleixner
2008-10-05 17:01                             ` Arjan van de Ven
2008-10-07 23:19     ` David Miller
2008-09-30  3:19 ` [RFC PATCH 03/12] e1000e: reset swflag after resetting hardware Jesse Brandeburg
2008-09-30  3:19 ` [RFC PATCH 04/12] e1000e: do not ever sleep in interrupt context Jesse Brandeburg
2008-09-30  3:19 ` [RFC PATCH 05/12] e1000e: fix lockdep issues Jesse Brandeburg
2008-09-30  3:19 ` [RFC PATCH 06/12] e1000e: drop stats lock Jesse Brandeburg
2008-09-30  3:19 ` [RFC PATCH 07/12] e1000e: debug contention on NVM SWFLAG Jesse Brandeburg
2008-10-02 14:28   ` Jiri Kosina
2008-10-02 15:03     ` Olaf Kirch
2008-10-02 16:27       ` Brandeburg, Jesse
2008-10-02 17:33         ` Olaf Kirch
2008-10-02 18:58           ` Thomas Gleixner
2008-10-02 19:07             ` Olaf Kirch
2008-10-02 19:08               ` Olaf Kirch
2008-10-02 18:02         ` Thomas Gleixner
2008-10-02 23:42       ` Thomas Gleixner [this message]
2008-10-03  0:19         ` [PATCH] e1000e: prevent concurrent access to NVRAM Jesse Brandeburg
2008-10-03  0:28           ` Thomas Gleixner
2008-09-30  3:19 ` [RFC PATCH 08/12] e1000e: allow bad checksum Jesse Brandeburg
2008-09-30  8:38   ` Jiri Kosina
2008-09-30  3:20 ` [RFC PATCH 09/12] e1000e: dump eeprom to dmesg for ich8/9 Jesse Brandeburg
2008-09-30  3:20 ` [RFC PATCH 10/12] e1000e: Use set_memory_ro()/set_memory_rw() to protect flash memory Jesse Brandeburg
2008-09-30  3:20 ` [RFC PATCH 11/12] e1000e: write protect ICHx NVM to prevent malicious write/erase Jesse Brandeburg
2008-09-30 12:40   ` Jiri Kosina
2008-09-30 15:47     ` Allan, Bruce W
2008-10-01 13:29       ` Jiri Kosina
2008-10-01 19:13         ` Allan, Bruce W
2008-09-30  3:20 ` [RFC PATCH 12/12] update version Jesse Brandeburg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.LFD.1.10.0810030041060.5549@apollo.tec.linutronix.de \
    --to=tglx@linutronix.de \
    --cc=agospoda@redhat.com \
    --cc=airlied@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=arjan@linux.intel.com \
    --cc=bruce.w.allan@intel.com \
    --cc=chris.jones@canonical.com \
    --cc=david.graham@intel.com \
    --cc=jesse.brandeburg@intel.com \
    --cc=jkosina@suse.cz \
    --cc=john.ronciak@intel.com \
    --cc=kkeil@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-netdev@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=okir@suse.de \
    --cc=tim.gardner@intel.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).