lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070322204635.GA27152@strauss.suse.de>
Date:	Thu, 22 Mar 2007 21:46:35 +0100
From:	Bernhard Walle <bwalle@...e.de>
To:	netdev@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org
Subject: [PATCH] Fix crash in tg3 when using irqpoll

When using irqpoll I had a crash when I loaded the tg3 network driver
(on IA64). The stack trace was:

        ia64_leave_kernel
        [tg3]tg3_interrupt_tagged
        note_interrupt
        __do_IRQ
        ia64_handle_irq
        ia64_leave_kernel
        _spin_unlock_irqrestore
        pci_bus_read_config_dword
        pci_restore_state
        [tg3]tg3_chip_reset
        [tg3]tg3_reset_hw
        [tg3]tg3_init_hw
        [tg3]tg3_open
        dev_open
        dev_change_flags
        devinet_ioctl
        inet_ioctl
        sock_ioctl
        do_ioctl
        vfs_ioctl
        sys_ioctl
        ia64_ret_from_syscall
        __kernel_syscall_via_break

Also, I had a MCA that ended up in a read from a PCI address that belongs to the
tg3 driver.

This patch makes sure that even the tr32() instruction in the interrupt handler
is not executed which accesses PCI memory. Accessing PCI memory when
pci_restore_state() is called is a bad idea because that function modifies
the BARs of the PCI device.

I think the problem could also happen when using shared interrupts, not only
irqpoll.


Signed-off-by: Bernhard Walle <bwalle@...e.de>

---
 drivers/net/tg3.c |   22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

Index: mainline-msi-init/drivers/net/tg3.c
===================================================================
--- mainline-msi-init.orig/drivers/net/tg3.c
+++ mainline-msi-init/drivers/net/tg3.c
@@ -3561,7 +3561,10 @@ static irqreturn_t tg3_interrupt(int irq
 	struct net_device *dev = dev_id;
 	struct tg3 *tp = netdev_priv(dev);
 	struct tg3_hw_status *sblk = tp->hw_status;
-	unsigned int handled = 1;
+	unsigned int handled = 0;
+
+	if (tg3_irq_sync(tp))
+		goto out;
 
 	/* In INTx mode, it is possible for the interrupt to arrive at
 	 * the CPU before the status block posted prior to the interrupt.
@@ -3579,8 +3582,6 @@ static irqreturn_t tg3_interrupt(int irq
 		 */
 		tw32_mailbox(MAILBOX_INTERRUPT_0 + TG3_64BIT_REG_LOW,
 			     0x00000001);
-		if (tg3_irq_sync(tp))
-			goto out;
 		sblk->status &= ~SD_STATUS_UPDATED;
 		if (likely(tg3_has_work(tp))) {
 			prefetch(&tp->rx_rcb[tp->rx_rcb_ptr]);
@@ -3592,8 +3593,7 @@ static irqreturn_t tg3_interrupt(int irq
 			tw32_mailbox_f(MAILBOX_INTERRUPT_0 + TG3_64BIT_REG_LOW,
 			     	0x00000000);
 		}
-	} else {	/* shared interrupt */
-		handled = 0;
+		handled = 1;
 	}
 out:
 	return IRQ_RETVAL(handled);
@@ -3604,7 +3604,10 @@ static irqreturn_t tg3_interrupt_tagged(
 	struct net_device *dev = dev_id;
 	struct tg3 *tp = netdev_priv(dev);
 	struct tg3_hw_status *sblk = tp->hw_status;
-	unsigned int handled = 1;
+	unsigned int handled = 0;
+
+	if (tg3_irq_sync(tp))
+		goto out;
 
 	/* In INTx mode, it is possible for the interrupt to arrive at
 	 * the CPU before the status block posted prior to the interrupt.
@@ -3622,8 +3625,6 @@ static irqreturn_t tg3_interrupt_tagged(
 		 */
 		tw32_mailbox(MAILBOX_INTERRUPT_0 + TG3_64BIT_REG_LOW,
 			     0x00000001);
-		if (tg3_irq_sync(tp))
-			goto out;
 		if (netif_rx_schedule_prep(dev)) {
 			prefetch(&tp->rx_rcb[tp->rx_rcb_ptr]);
 			/* Update last_tag to mark that this status has been
@@ -3634,8 +3635,7 @@ static irqreturn_t tg3_interrupt_tagged(
 			tp->last_tag = sblk->status_tag;
 			__netif_rx_schedule(dev);
 		}
-	} else {	/* shared interrupt */
-		handled = 0;
+		handled = 1;
 	}
 out:
 	return IRQ_RETVAL(handled);
@@ -7052,7 +7052,7 @@ static int tg3_open(struct net_device *d
 		return err;
 	}
 
-	tg3_full_lock(tp, 0);
+	tg3_full_lock(tp, 1);
 
 	err = tg3_init_hw(tp, 1);
 	if (err) {
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ