e1000e and the joy of development kernels

Posted Sep 25, 2008 5:28 UTC (Thu) by Thalience (subscriber, #4217)
Parent article: e1000e and the joy of development kernels

So far I've heard three different (but related) theories that seem plausible, as far as my limited knowledge of the hardware goes.

1) The e1000e driver leaves the EEPROM MMIO area mapped read-write. Then a rogue pointer from another kernel subsystem leads to tickling the control registers in a way that corrupts the EEPROM, or overwrites the mapped EEPROM data directly.

2) Same thing but with the X server somehow creating its own rw mapping of the MMIO area (since the kernel's mapping should not be valid for a user process). Then a rogue pointer into that area...

3) A wild DMA into the MMIO area. This may be the nastiest possibility, since DMA writes may not respect the permissions on the mapping (could write through a mapping that is read-only for the CPU) unless there is an IOMMU involved.

These all lead to the natural thoughts, "Why would you design hardware where this can happen?" and "Is this issue lurking in other drivers for devices with EEPROMs?"

e1000e and the joy of development kernels

Posted Sep 25, 2008 19:54 UTC (Thu) by iabervon (subscriber, #722)

My guess is that the X driver is getting too much MMIO space mapped, and accidentally writing into whatever's next; the kernel panics regardless, but it's only particularly notable if the Ethernet driver happens to have just done the special ritual to start writing to the EEPROM (which it's doing to reprogram it correctly), and then the graphics driver happens to hit it.