lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu,  6 Nov 2014 15:21:39 +0530
From:	Govindarajulu Varadarajan <_govind@....com>
To:	ssujith@...co.com, netdev@...r.kernel.org, davem@...emloft.net
Cc:	Govindarajulu Varadarajan <_govind@....com>
Subject: [PATCH net 2/2] enic: update desc properly in rx_copybreak

When we reuse the rx buffer, we need to update the desc. If not hardware sees
stale value.

In the following crash, when mtu is changed, hardware sees old rx buffer value
and crashes on skb_put.

Fix this by using enic_queue_rq_desc helper function which updates the necessary
desc.

[   64.657376] skbuff: skb_over_panic: text:ffffffffa041f55d len:9010 put:9010 head:ffff8800d3ca9fc0 data:ffff8800d3caa000 tail:0x2372 end:0x640 dev:enp0s3
[   64.659965] ------------[ cut here ]------------
[   64.661322] kernel BUG at net/core/skbuff.c:100!
[   64.662644] invalid opcode: 0000 [#1] PREEMPT SMP
[   64.664001] Modules linked in: rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 cirrus ttm drm_kms_helper drm enic psmouse microcode evdev serio_raw syscopyarea sysfillrect sysimgblt i2c_piix4 i2c_core pcspkr nfs lockd grace sunrpc fscache ext4 crc16 mbcache jbd2 sd_mod ata_generic virtio_balloon ata_piix libata uhci_hcd virtio_pci virtio_ring usbcore usb_common virtio scsi_mod
[   64.664834] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W      3.17.0-netnext-10335-g942396b-dirty #273
[   64.664834] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   64.664834] task: ffffffff81a1d580 ti: ffffffff81a00000 task.ti: ffffffff81a00000
[   64.664834] RIP: 0010:[<ffffffff81392cf1>]  [<ffffffff81392cf1>] skb_panic+0x61/0x70
[   64.664834] RSP: 0018:ffff880210603d48  EFLAGS: 00010292
[   64.664834] RAX: 000000000000008c RBX: ffff88020b0f6930 RCX: 0000000000000000
[   64.664834] RDX: 000000000000008c RSI: ffffffff8178b288 RDI: 00000000ffffffff
[   64.664834] RBP: ffff880210603d68 R08: 0000000000000001 R09: 0000000000000001
[   64.664834] R10: 00000000000005ce R11: 0000000000000001 R12: ffff88020b1f0b40
[   64.664834] R13: 000000000000a332 R14: ffff880209a1a000 R15: 0000000000000001
[   64.664834] FS:  0000000000000000(0000) GS:ffff880210600000(0000) knlGS:0000000000000000
[   64.664834] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   64.664834] CR2: 00007f6752935e48 CR3: 0000000035743000 CR4: 00000000000006f0
[   64.664834] Stack:
[   64.664834]  ffff8800d3caa000 0000000000002372 0000000000000640 ffff88020b1f0000
[   64.664834]  ffff880210603d78 ffffffff81392d54 ffff880210603e08 ffffffffa041f55d
[   64.664834]  0000000000000296 ffffffff00000000 00008e7e00008e7e ffff880200002332
[   64.664834] Call Trace:
[   64.664834]  <IRQ>
[   64.664834]
[   64.664834]  [<ffffffff81392d54>] skb_put+0x54/0x60
[   64.664834]  [<ffffffffa041f55d>] enic_rq_service.constprop.47+0x3ad/0x730 [enic]
[   64.664834]  [<ffffffffa041fa79>] enic_poll_msix_rq+0x199/0x370 [enic]
[   64.664834]  [<ffffffff813a5499>] net_rx_action+0x139/0x210
[   64.664834]  [<ffffffff81290db3>] ? __this_cpu_preempt_check+0x13/0x20
[   64.664834]  [<ffffffff8106110e>] __do_softirq+0x14e/0x280
[   64.664834]  [<ffffffff8106152e>] irq_exit+0x8e/0xb0
[   64.664834]  [<ffffffff8100fd21>] do_IRQ+0x61/0x100
[   64.664834]  [<ffffffff814a2bf2>] common_interrupt+0x72/0x72

fixes: a03bb56e67c357980dae886683733dab5583dc14 ("enic: implement rx_copybreak")
Signed-off-by: Govindarajulu Varadarajan <_govind@....com>
---
 drivers/net/ethernet/cisco/enic/enic_main.c | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
index cd254d1..73cf165 100644
--- a/drivers/net/ethernet/cisco/enic/enic_main.c
+++ b/drivers/net/ethernet/cisco/enic/enic_main.c
@@ -940,18 +940,8 @@ static int enic_rq_alloc_buf(struct vnic_rq *rq)
 	struct vnic_rq_buf *buf = rq->to_use;
 
 	if (buf->os_buf) {
-		buf = buf->next;
-		rq->to_use = buf;
-		rq->ring.desc_avail--;
-		if ((buf->index & VNIC_RQ_RETURN_RATE) == 0) {
-			/* Adding write memory barrier prevents compiler and/or
-			 * CPU reordering, thus avoiding descriptor posting
-			 * before descriptor is initialized. Otherwise, hardware
-			 * can read stale descriptor fields.
-			 */
-			wmb();
-			iowrite32(buf->index, &rq->ctrl->posted_index);
-		}
+		enic_queue_rq_desc(rq, buf->os_buf, os_buf_index, buf->dma_addr,
+				   buf->len);
 
 		return 0;
 	}
-- 
2.1.0

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ