user frobbable escd file can cause oops

Post by Zwane Mwaikamb » Mon, 22 Jul 2002 17:20:04



patch applies to 2.4-ac but tested on 2.5.26

I don't think this breaks any userland apps, so if there aren't any
objections, Alan, Linus, please apply.


uid=500(zwane) gid=500(zwane) groups=500(zwane)


Segmentation fault
PnPBIOS: get_stat_res: Unexpected status 0x8d
Unable to handle kernel paging request at virtual address ffffa00a
 printing eip:
00007138
*pde = 00003063
Oops: 0000
CPU:    0
EIP:    0068:[<00007138>]    Not tainted
EFLAGS: 00010086
eax: 000022ff   ebx: 00806aea   ecx: 00000070   edx: 00000000
esi: 0000000a   edi: 00000000   ebp: ce3e72df   esp: ce3e1e38
ds: 0080   es: 0078   ss: 0018
Process cat (pid: 705, threadinfo=ce3e0000 task=cebc66a0)
Stack: 000a0002 0080ce3e 00060078 72e9711a 00000000 685a0070 6b031e6c 00180000
       00000018 69580000 00860078 00000246 0060000b 00000042 00800078 00000070
       00000000 c025a835 00000010 00000082 00040000 00700000 c0250018 00000018
Call Trace: [<c025a835>] [<c0250018>] [<c0130018>] [<c025a8e0>] [<c025b2b0>]
   [<c0175a4e>] [<c014b9cc>] [<c014bc1a>] [<c01075cb>]

Code:  Bad EIP value.

>>EIP; 00007138 Before first symbol   <=====

Trace; c025a835 <__pnp_bios_read_escd+115/1b0>
Trace; c0250018 <sg_proc_debug_info+408/7d0>
Trace; c0130018 <get_user_pages+1a8/220>
Trace; c025a8e0 <pnp_bios_read_escd+10/30>
Trace; c025b2b0 <proc_read_escd+80/f0>
Trace; c0175a4e <proc_file_read+ce/190>
Trace; c014b9cc <vfs_read+9c/160>
Trace; c014bc1a <sys_read+2a/40>
Trace; c01075cb <syscall_call+7/b>

Index: linux-2.5.26/drivers/pnp//pnpbios_proc.c
===================================================================
RCS file: /build/cvsroot/linux-2.5.26/drivers/pnp/pnpbios_proc.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 pnpbios_proc.c
--- linux-2.5.26/drivers/pnp//pnpbios_proc.c    17 Jul 2002 16:08:09 -0000      1.1.1.1

        create_proc_read_entry("devices", 0, proc_pnp, proc_read_devices, NULL);
        create_proc_read_entry("configuration_info", 0, proc_pnp, proc_read_pnpconfig, NULL);
        create_proc_read_entry("escd_info", 0, proc_pnp, proc_read_escdinfo, NULL);
-       create_proc_read_entry("escd", 0, proc_pnp, proc_read_escd, NULL);
+       create_proc_read_entry("escd", S_IRUSR, proc_pnp, proc_read_escd, NULL);
        create_proc_read_entry("legacy_device_resources", 0, proc_pnp, proc_read_legacyres, NULL);

        node = pnpbios_kmalloc(node_info.max_node_size, GFP_KERNEL);
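
Review bot: S_IRUSR on the "escd" entry only narrows who can reach proc_read_escd; the read path itself is untouched, so going by the trace above a read by the file's owner still goes through pnp_bios_read_escd into the BIOS and can oops the same way. Please say in the changelog that this is a mitigation rather than a fix, and add a short comment above the changed line explaining why this one entry is not left at mode 0 like its neighbours. It is also worth confirming whether "escd_info" and "legacy_device_resources", which keep mode 0, call into the same BIOS on read.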

--
function.linuxpower.ca

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

 
 
 

user frobbable escd file can cause oops

Post by Alan Co » Mon, 22 Jul 2002 21:30:08



> patch applies to 2.4-ac but tested on 2.5.26

> I don't think this breaks any userland apps so If there aren't any
> objections, Alan, Linus please apply

I made the same change a few -ac patches ago, for the same reason that
some BIOSes are not safe for escd accesses.


1. oops while read accessing to /proc/bus/pnp/escd

cat /proc/bus/pnp/escd causes an oops.
The oops is caused while executing this function:

static int __pnp_bios_read_escd(char *data, u32 nvram_base)
{
        u16 status;
        if (!pnp_bios_present())
                return ESCD_FUNCTION_NOT_SUPPORTED;
        status = call_pnp_bios(PNP_READ_ESCD, 0, PNP_TS1, PNP_TS2, PNP_DS, 0, 0, 0,
                               data, 65536, (void *)nvram_base, 65536);
        return status;
}

But I don't have access to my computer and can't send the full oops.
I've tried to solve this problem myself, but couldn't.
I think that the problem is in nvram_base because we don't allocate
a memory page for it. We get the address from pnp_bios_escd_info, but the PnP
BIOS spec says that
  "In this case, it is the responsibility of the caller to construct a
16-bit data segment descriptor with base = NVStorageBase, a limit
of 64K and read/write access."
I didn't find anything like a memory allocation between getting the escd info and
calling this function.
Best regards.
             Ruslan.
PS And please CC patch to me if it'll be fixed before I do it myself.
PS And last, any comments and explanations will be desirable.
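
The descriptor that the PnP BIOS spec text quoted in the post above asks the caller to build, as an added example (not code from the thread or from the kernel): it encodes a 16-bit read/write data segment with a 64K limit and checks which offsets that segment covers. The function names and the sample base address 0x000E0000 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One 8-byte x86 protected-mode segment descriptor (GDT/LDT entry). */
typedef struct { uint8_t b[8]; } seg_desc;
#define ACC_DATA16_RW 0x92u /* present, DPL 0, data segment, read/write */

/* Build a byte-granular 16-bit data descriptor; size is in bytes (1..64K). */
static int make_data16_desc(seg_desc *d, uint32_t base, uint32_t size)
{
    if (size == 0 || size > 0x10000u)
        return -1;                 /* does not fit a 16-bit segment */
    uint32_t limit = size - 1;     /* limit field holds the last valid offset */
    d->b[0] = limit & 0xff;  d->b[1] = limit >> 8;          /* limit 15:0  */
    d->b[2] = base & 0xff;   d->b[3] = (base >> 8) & 0xff;  /* base 15:0   */
    d->b[4] = (base >> 16) & 0xff;                          /* base 23:16  */
    d->b[5] = ACC_DATA16_RW;
    d->b[6] = 0;                   /* G=0, D/B=0 (16-bit), limit 19:16 = 0 */
    d->b[7] = base >> 24;          /* base 31:24 */
    return 0;
}

static uint32_t desc_base(const seg_desc *d)
{
    return d->b[2] | (uint32_t)d->b[3] << 8 |
           (uint32_t)d->b[4] << 16 | (uint32_t)d->b[7] << 24;
}

/* G is 0 for the descriptors built here, so the limit is in bytes. */
static uint32_t desc_limit(const seg_desc *d)
{
    return d->b[0] | (uint32_t)d->b[1] << 8 | (uint32_t)(d->b[6] & 0x0f) << 16;
}

/* Would an access of len bytes at offset off stay inside the segment? */
static int desc_covers(const seg_desc *d, uint32_t off, uint32_t len)
{
    uint32_t limit = desc_limit(d);
    if (!(d->b[5] & 0x80) || len == 0 || off > limit)
        return 0;                  /* not present, empty, or past the end */
    return len - 1 <= limit - off;
}

int main(void)
{
    seg_desc d;
    make_data16_desc(&d, 0x000E0000u, 0x10000u); /* constructed NVStorageBase */
    printf("base=%#x limit=%#x last byte ok=%d\n", (unsigned)desc_base(&d),
           (unsigned)desc_limit(&d), desc_covers(&d, 0xffff, 1));
    return 0;
}
```

An all-zero descriptor has the present bit clear, so `desc_covers` rejects every offset for it.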
