lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 13 Jan 2020 10:29:26 +0000
From:   Jose Abreu <Jose.Abreu@...opsys.com>
To:     Ong Boon Leong <boon.leong.ong@...el.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:     Giuseppe Cavallaro <peppe.cavallaro@...com>,
        Alexandre Torgue <alexandre.torgue@...com>,
        "David S . Miller" <davem@...emloft.net>,
        "Maxime Coquelin" <mcoquelin.stm32@...il.com>,
        Tan Tee Min <tee.min.tan@...el.com>,
        Voon Weifeng <weifeng.voon@...el.com>,
        "linux-stm32@...md-mailman.stormreply.com" 
        <linux-stm32@...md-mailman.stormreply.com>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH net 1/7] net: stmmac: fix error in updating rx tail
 pointer to last free entry

From: Ong Boon Leong <boon.leong.ong@...el.com>
Date: Jan/14/2020, 02:01:10 (UTC+00:00)

> DMA_CH(#i)_RxDesc_Tail_Pointer points to an offset from the base and
> indicates the location of the last valid descriptor.
> 
> The change introduced by "net: stmmac: Update RX Tail Pointer to last
> free entry" incorrectly updates the RxDesc_Tail_Pointer and causess
> Rx operation to freeze in corner case. The issue is explained as
> follow:-
> 
> Say, cur_rx=1 and dirty_rx=0, then we have dirty=1 and entry=0 before
> the while (dirty-- > 0) loop of stmmac_rx_refill() is entered. When
> the while loop is 1st entered, Rx buffer[entry=0] is refilled and after
> entry++, then, entry=1. Now, the while loop condition check "dirty-- > 0"
> and the while loop bails out because dirty=0. Up to this point, the
> driver code works correctly.
> 
> However, the current implementation sets the Rx Tail Pointer to the
> location pointed by dirty_rx, just updated to the value of entry(=1).
> This is incorrect because the last Rx buffer that is refileld with empty
> buffer is with entry=0. In another words, the current logics always sets
> Rx Tail Pointer to the next Rx buffer to be refilled (too early).
> 
> So, we fix this by tracking the index of the most recently refilled Rx
> buffer by using "last_refill" and use "last_refill" to update the Rx Tail
> Pointer instead of using "entry" which points to the next dirty_rx to be
> refilled in future.

I'm not sure about this ...

RX Tail points to last valid descriptor but it doesn't point to the base 
address of that one, it points to the end address.

Let's say we have a ring buffer with just 1 descriptor. With your new 
logic then: RX base == RX tail (== RX base), so the IP will not see any 
descriptor. But with old logic: RX base == (RX base + 1), which causes 
the IP to correctly see the descriptor.

Can you provide more information on the Rx operation freeze you 
mentioned ? Can it be another issue ?

---
Thanks,
Jose Miguel Abreu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ