| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Jul 2010 15:45:42 -0700
From: Jeff Kirsher <jeffrey.t.kirsher@...el.com>
To: Sonny Rao <sonnyrao@...ibm.com>
Cc: netdev@...r.kernel.org, e1000-devel@...ts.sf.net
Subject: Re: [PATCHv2] Add missing memory barriers to clean_rx_irq functions
in Intel Drivers
On Tue, Jul 27, 2010 at 15:44, Sonny Rao <sonnyrao@...ibm.com> wrote:
> Add missing memory barriers to clean_rx_irq functions in Intel Drivers
>
> This patch is similar to what was fixed in ixgbe in this patch:
>
> http://marc.info/?l=e1000-devel&m=126593062701537&w=3
>
> We should add read memory barriers to all the similar cases across the
> Intel ethernet driver family. In the case of ixgbevf I've also added
> a missing barrier to the clean_tx_irq path because I missed it in my
> last patch.
>
> Without the barrier a processor can speculate a load ahead of the load
> which looks at the status bit and get stale information causing a
> number of different issues including invalid packet length, NULL
> pointers, or bad data since checksumming was assumed to be done
> in hardware.
>
> v2: I missed the e100 the first time
>
> Signed-off-by: Milton Miller <miltonm@....com>
> Signed-off-by: Sonny Rao <sonnyrao@...ibm.com>
> cc: stable <stable@...nel.org>
>
> Index: linux-2.6.35-rc5/drivers/net/e1000/e1000_main.c
> ===================================================================
> --- linux-2.6.35-rc5.orig/drivers/net/e1000/e1000_main.c 2010-07-27 16:15:18.000000000 -0500
> +++ linux-2.6.35-rc5/drivers/net/e1000/e1000_main.c 2010-07-27 16:22:21.000000000 -0500
> @@ -3638,6 +3638,7 @@ static bool e1000_clean_jumbo_rx_irq(str
> if (*work_done >= work_to_do)
> break;
> (*work_done)++;
> + rmb(); /* read descriptor and rx_buffer_info after status DD */
>
> status = rx_desc->status;
> skb = buffer_info->skb;
> @@ -3844,6 +3845,7 @@ static bool e1000_clean_rx_irq(struct e1
> if (*work_done >= work_to_do)
> break;
> (*work_done)++;
> + rmb(); /* read descriptor and rx_buffer_info after status DD */
>
> status = rx_desc->status;
> skb = buffer_info->skb;
> Index: linux-2.6.35-rc5/drivers/net/e1000e/netdev.c
> ===================================================================
> --- linux-2.6.35-rc5.orig/drivers/net/e1000e/netdev.c 2010-07-27 16:22:38.000000000 -0500
> +++ linux-2.6.35-rc5/drivers/net/e1000e/netdev.c 2010-07-27 16:25:23.000000000 -0500
> @@ -774,6 +774,7 @@ static bool e1000_clean_rx_irq(struct e1
> if (*work_done >= work_to_do)
> break;
> (*work_done)++;
> + rmb(); /* read descriptor and rx_buffer_info after status DD */
>
> status = rx_desc->status;
> skb = buffer_info->skb;
> @@ -1081,6 +1082,7 @@ static bool e1000_clean_rx_irq_ps(struct
> break;
> (*work_done)++;
> skb = buffer_info->skb;
> + rmb(); /* read descriptor and rx_buffer_info after status DD */
>
> /* in the packet split case this is header only */
> prefetch(skb->data - NET_IP_ALIGN);
> @@ -1280,6 +1282,7 @@ static bool e1000_clean_jumbo_rx_irq(str
> if (*work_done >= work_to_do)
> break;
> (*work_done)++;
> + rmb(); /* read descriptor and rx_buffer_info after status DD */
>
> status = rx_desc->status;
> skb = buffer_info->skb;
> Index: linux-2.6.35-rc5/drivers/net/ixgb/ixgb_main.c
> ===================================================================
> --- linux-2.6.35-rc5.orig/drivers/net/ixgb/ixgb_main.c 2010-07-27 16:27:23.000000000 -0500
> +++ linux-2.6.35-rc5/drivers/net/ixgb/ixgb_main.c 2010-07-27 16:41:57.000000000 -0500
> @@ -1977,6 +1977,7 @@ ixgb_clean_rx_irq(struct ixgb_adapter *a
> break;
>
> (*work_done)++;
> + rmb(); /* read descriptor and rx_buffer_info after status DD */
> status = rx_desc->status;
> skb = buffer_info->skb;
> buffer_info->skb = NULL;
> Index: linux-2.6.35-rc5/drivers/net/ixgbevf/ixgbevf_main.c
> ===================================================================
> --- linux-2.6.35-rc5.orig/drivers/net/ixgbevf/ixgbevf_main.c 2010-07-27 16:30:51.000000000 -0500
> +++ linux-2.6.35-rc5/drivers/net/ixgbevf/ixgbevf_main.c 2010-07-27 16:40:19.000000000 -0500
> @@ -231,6 +231,7 @@ static bool ixgbevf_clean_tx_irq(struct
> while ((eop_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD)) &&
> (count < tx_ring->work_limit)) {
> bool cleaned = false;
> + rmb(); /* read buffer_info after eop_desc */
> for ( ; !cleaned; count++) {
> struct sk_buff *skb;
> tx_desc = IXGBE_TX_DESC_ADV(*tx_ring, i);
> @@ -518,6 +519,7 @@ static bool ixgbevf_clean_rx_irq(struct
> break;
> (*work_done)++;
>
> + rmb(); /* read descriptor and rx_buffer_info after status DD */
> if (adapter->flags & IXGBE_FLAG_RX_PS_ENABLED) {
> hdr_info = le16_to_cpu(ixgbevf_get_hdr_info(rx_desc));
> len = (hdr_info & IXGBE_RXDADV_HDRBUFLEN_MASK) >>
> Index: linux-2.6.35-rc5/drivers/net/e100.c
> ===================================================================
> --- linux-2.6.35-rc5.orig/drivers/net/e100.c 2010-07-27 17:36:44.000000000 -0500
> +++ linux-2.6.35-rc5/drivers/net/e100.c 2010-07-27 17:41:38.000000000 -0500
> @@ -1928,6 +1928,7 @@ static int e100_rx_indicate(struct nic *
>
> netif_printk(nic, rx_status, KERN_DEBUG, nic->netdev,
> "status=0x%04X\n", rfd_status);
> + rmb(); /* read size after status bit */
>
> /* If data isn't ready, nothing to indicate */
> if (unlikely(!(rfd_status & cb_complete))) {
> --
You also seem to be missing igb.
--
Cheers,
Jeff
Powered by blists - more mailing lists