On Thu, Dec 19, 2002 at 05:11:32PM -0800, Matthew Dillon wrote:
>     I found another couple of bugs, this time in OHCI's DMA
>     buffer chaining code.

Great.

>     A patch for this with additional debugging code is 
>     included below (for current).  There are two bugs.
>     I do not know if -stable is affected.
> 
>     First, the calculation of dataphysend is totally bogus.
>     You can just take the physical address and add (len - 1)
>     to it.  You have to take the virtual address, add len - 1
>     to it, and convert it to a physical address.  I can
>     crash my machine simply by doing a 
> 
>       'newfs -f 1024 -b 8192 /dev/da2s1a'
> 
>     On the disk-on-key USB device.
> 
>     Second, I believe the OpenBSD and NetBSD code is broken.
>     The range can be one or two pages, but the remaining bytes
>     may be less than one page and this has to be taken into 
>     account.

The NetBSD code is already different:
1.48         (augustss 15-Sep-99):              /* The OHCI hardware can handle at most one page crossing. */
1.48         (augustss 15-Sep-99):              if (OHCI_PAGE(dataphys) == dataphysend ||
1.48         (augustss 15-Sep-99):                  OHCI_PAGE(dataphys) + OHCI_PAGE_SIZE == dataphysend) {
1.48         (augustss 15-Sep-99):                      /* we can handle it in this TD */
1.48         (augustss 15-Sep-99):                      curlen = len;
1.48         (augustss 15-Sep-99):              } else {
1.48         (augustss 15-Sep-99):                      /* must use multiple TDs, fill as much as possible. */
1.120        (augustss 03-Feb-02):                      curlen = 2 * OHCI_PAGE_SIZE -
1.48         (augustss 15-Sep-99):                               (dataphys & (OHCI_PAGE_SIZE-1));
1.78         (augustss 20-Mar-00):                      /* the length must be a multiple of the max size */
1.78         (augustss 20-Mar-00):                      curlen -= curlen % UGETW(opipe->pipe.endpoint->edesc->wMaxPacketSize);
1.78         (augustss 20-Mar-00): #ifdef DIAGNOSTIC
1.78         (augustss 20-Mar-00):                      if (curlen == 0)
1.128        (provos   27-Sep-02):                              panic("ohci_alloc_std: curlen == 0");
1.78         (augustss 20-Mar-00): #endif
1.48         (augustss 15-Sep-99):              }


Too bad we did not catch it.

-- 
B.Walter              COSMO-Project         http://www.cosmo-project.de
[EMAIL PROTECTED]         Usergroup           [EMAIL PROTECTED]

