| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 May 2007 01:29:29 +0400
From: Sergei Shtylyov <sshtylyov@...mvista.com>
To: jgarzik@...ox.com
Cc: netdev@...r.kernel.org, mhuth@...sta.com,
kgdb-bugreport@...ts.sourceforge.net
Subject: Re: [Kgdb-bugreport] [PATCH] 8139too: harden against TX ring overflow
Hello, I wrote:
> This driver's 4-packet deep TX queue is too sensible to the "careless" callers
> ignoring its state (like netpoll in trapped mode), so add "queue full" check at
> the start of the hard_start_xmit() method (only under #ifndef RTL8139_NDEBUG,
> otherwise the queue will get stuck once dirty pointer gets out of sync); switch
> to using appropriate mnemonics for the return values while at it.
> Also, the out-of-sync dirty pointer check is misplaced in rtl8139_tx_interrupt()
> which causes TX descriptors to be inspected more than once in case the pointer
> really gets out-of-sync (and incrementing the dirty pointer always by 4 is just
> not enough, e.g. KGDBoE managed to stuff 20+ extra buffers into the queue) --
> place it before the loop and limit the loop to only look through 4 descriptors
> at most, so that already overwritten descriptors are just not counted.
> Signed-off-by: Sergei Shtylyov <sshtylyov@...mvista.com>
Jeff, do you have any opinion on this patch?
> Index: linux-2.6/drivers/net/8139too.c
> ===================================================================
> --- linux-2.6.orig/drivers/net/8139too.c
> +++ linux-2.6/drivers/net/8139too.c
> @@ -90,7 +90,7 @@
> */
>
> #define DRV_NAME "8139too"
> -#define DRV_VERSION "0.9.28"
> +#define DRV_VERSION "0.9.31"
>
>
> #include <linux/module.h>
> @@ -1708,6 +1708,13 @@ static int rtl8139_start_xmit (struct sk
> unsigned int len = skb->len;
> unsigned long flags;
>
> +#ifndef RTL8139_NDEBUG
> + if (unlikely((tp->cur_tx - tp->dirty_tx) >= NUM_TX_DESC)) {
> + printk(KERN_ERR "%s: TX queue full!\n", dev->name);
> + return NETDEV_TX_BUSY;
> + }
> +#endif
> +
> /* Calculate the next Tx descriptor entry. */
> entry = tp->cur_tx % NUM_TX_DESC;
>
> @@ -1720,7 +1727,7 @@ static int rtl8139_start_xmit (struct sk
> } else {
> dev_kfree_skb(skb);
> tp->stats.tx_dropped++;
> - return 0;
> + return NETDEV_TX_OK;
> }
>
> spin_lock_irqsave(&tp->lock, flags);
> @@ -1740,7 +1747,7 @@ static int rtl8139_start_xmit (struct sk
> printk (KERN_DEBUG "%s: Queued Tx packet size %u to slot %d.\n",
> dev->name, len, entry);
>
> - return 0;
> + return NETDEV_TX_OK;
> }
>
>
> @@ -1755,6 +1762,16 @@ static void rtl8139_tx_interrupt (struct
>
> dirty_tx = tp->dirty_tx;
> tx_left = tp->cur_tx - dirty_tx;
> +
> +#ifndef RTL8139_NDEBUG
> + if (unlikely(tx_left > NUM_TX_DESC)) {
> + printk(KERN_ERR "%s: Out-of-sync dirty pointer, %ld vs. %ld.\n",
> + dev->name, dirty_tx, tp->cur_tx);
> + tx_left = NUM_TX_DESC;
> + dirty_tx = tp->cur_tx - NUM_TX_DESC;
> + }
> +#endif /* RTL8139_NDEBUG */
> +
> while (tx_left > 0) {
> int entry = dirty_tx % NUM_TX_DESC;
> int txstatus;
> @@ -1797,14 +1814,6 @@ static void rtl8139_tx_interrupt (struct
> tx_left--;
> }
>
> -#ifndef RTL8139_NDEBUG
> - if (tp->cur_tx - dirty_tx > NUM_TX_DESC) {
> - printk (KERN_ERR "%s: Out-of-sync dirty pointer, %ld vs. %ld.\n",
> - dev->name, dirty_tx, tp->cur_tx);
> - dirty_tx += NUM_TX_DESC;
> - }
> -#endif /* RTL8139_NDEBUG */
> -
> /* only wake the queue if we did work, and the queue is stopped */
> if (tp->dirty_tx != dirty_tx) {
> tp->dirty_tx = dirty_tx;
>
WBR, Sergei
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists