| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Mar 2007 21:46:35 +0100
From: Bernhard Walle <bwalle@...e.de>
To: netdev@...r.kernel.org
Cc: linux-kernel@...r.kernel.org
Subject: [PATCH] Fix crash in tg3 when using irqpoll
When using irqpoll I had a crash when I loaded the tg3 network driver
(on IA64). The stack trace was:
ia64_leave_kernel
[tg3]tg3_interrupt_tagged
note_interrupt
__do_IRQ
ia64_handle_irq
ia64_leave_kernel
_spin_unlock_irqrestore
pci_bus_read_config_dword
pci_restore_state
[tg3]tg3_chip_reset
[tg3]tg3_reset_hw
[tg3]tg3_init_hw
[tg3]tg3_open
dev_open
dev_change_flags
devinet_ioctl
inet_ioctl
sock_ioctl
do_ioctl
vfs_ioctl
sys_ioctl
ia64_ret_from_syscall
__kernel_syscall_via_break
Also, I had a MCA that ended up in a read from a PCI address that belongs to the
tg3 driver.
This patch makes sure that even the tr32() instruction in the interrupt handler
is not executed which accesses PCI memory. Accessing PCI memory when
pci_restore_state() is called is a bad idea because that function modifies
the BARs of the PCI device.
I think the problem could also happen when using shared interrupts, not only
irqpoll.
Signed-off-by: Bernhard Walle <bwalle@...e.de>
---
drivers/net/tg3.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
Index: mainline-msi-init/drivers/net/tg3.c
===================================================================
--- mainline-msi-init.orig/drivers/net/tg3.c
+++ mainline-msi-init/drivers/net/tg3.c
@@ -3561,7 +3561,10 @@ static irqreturn_t tg3_interrupt(int irq
struct net_device *dev = dev_id;
struct tg3 *tp = netdev_priv(dev);
struct tg3_hw_status *sblk = tp->hw_status;
- unsigned int handled = 1;
+ unsigned int handled = 0;
+
+ if (tg3_irq_sync(tp))
+ goto out;
/* In INTx mode, it is possible for the interrupt to arrive at
* the CPU before the status block posted prior to the interrupt.
@@ -3579,8 +3582,6 @@ static irqreturn_t tg3_interrupt(int irq
*/
tw32_mailbox(MAILBOX_INTERRUPT_0 + TG3_64BIT_REG_LOW,
0x00000001);
- if (tg3_irq_sync(tp))
- goto out;
sblk->status &= ~SD_STATUS_UPDATED;
if (likely(tg3_has_work(tp))) {
prefetch(&tp->rx_rcb[tp->rx_rcb_ptr]);
@@ -3592,8 +3593,7 @@ static irqreturn_t tg3_interrupt(int irq
tw32_mailbox_f(MAILBOX_INTERRUPT_0 + TG3_64BIT_REG_LOW,
0x00000000);
}
- } else { /* shared interrupt */
- handled = 0;
+ handled = 1;
}
out:
return IRQ_RETVAL(handled);
@@ -3604,7 +3604,10 @@ static irqreturn_t tg3_interrupt_tagged(
struct net_device *dev = dev_id;
struct tg3 *tp = netdev_priv(dev);
struct tg3_hw_status *sblk = tp->hw_status;
- unsigned int handled = 1;
+ unsigned int handled = 0;
+
+ if (tg3_irq_sync(tp))
+ goto out;
/* In INTx mode, it is possible for the interrupt to arrive at
* the CPU before the status block posted prior to the interrupt.
@@ -3622,8 +3625,6 @@ static irqreturn_t tg3_interrupt_tagged(
*/
tw32_mailbox(MAILBOX_INTERRUPT_0 + TG3_64BIT_REG_LOW,
0x00000001);
- if (tg3_irq_sync(tp))
- goto out;
if (netif_rx_schedule_prep(dev)) {
prefetch(&tp->rx_rcb[tp->rx_rcb_ptr]);
/* Update last_tag to mark that this status has been
@@ -3634,8 +3635,7 @@ static irqreturn_t tg3_interrupt_tagged(
tp->last_tag = sblk->status_tag;
__netif_rx_schedule(dev);
}
- } else { /* shared interrupt */
- handled = 0;
+ handled = 1;
}
out:
return IRQ_RETVAL(handled);
@@ -7052,7 +7052,7 @@ static int tg3_open(struct net_device *d
return err;
}
- tg3_full_lock(tp, 0);
+ tg3_full_lock(tp, 1);
err = tg3_init_hw(tp, 1);
if (err) {
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists