lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sat, 29 Oct 2016 17:25:38 -0400 (EDT)
From:   David Miller <davem@...emloft.net>
To:     gvaradar@...co.com
Cc:     netdev@...r.kernel.org, benve@...co.com, _govind@....com
Subject: Re: [PATCH net] enic: fix rq disable

From: Govindarajulu Varadarajan <gvaradar@...co.com>
Date: Thu, 27 Oct 2016 16:01:03 -0700

> When MTU is changed from 9000 to 1500 while there is burst of inbound 9000
> bytes packets, adaptor sometimes delivers 9000 bytes packets to 1500 bytes
> buffers. This causes memory corruption and sometimes crash.
> 
> This is because of a race condition in adaptor between "RQ disable"
> clearing descriptor mini-cache and mini-cache valid bit being set by
> completion of descriptor fetch. This can result in stale RQ desc being
> cached and used when packets arrive. In this case, the stale descriptor
> have old MTU value.
> 
> Solution is to write RQ->disable twice. The first write will stop any
> further desc fetches, allowing the second disable to clear the mini-cache
> valid bit without danger of a race.
> 
> Also, the check for rq->running becoming 0 after writing rq->enable to 0
> is not done properly. When incoming packets are flooding the interface,
> rq->running will pulse high for each dropped packet. Since the driver was
> waiting for 10us between each poll, it is possible to see rq->running = 1
> 1000 times in a row, even though it is not actually stuck running.
> This results in false failure of vnic_rq_disable(). Fix is to try more
> than 1000 time without delay between polls to ensure we do not miss when
> running goes low.
> 
> In old adaptors rq->enable needs to be re-written to 0 when posted_index
> is reset in vnic_rq_clean() in order to keep rq->prefetch_index in sync.
> 
> Signed-off-by: Govindarajulu Varadarajan <_govind@....com>

Applied.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ