lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 27 Apr 2007 20:17:00 -0400
From:	Jeff Garzik <jeff@...zik.org>
To:	Neil Horman <nhorman@...driver.com>
CC:	netdev@...r.kernel.org, davem@...emloft.net, venza@...wnhat.org
Subject: Re: [PATCH] sis900: Allocate rx replacement buffer before rx operation

Neil Horman wrote:
> On Tue, Apr 24, 2007 at 12:43:20PM -0400, Jeff Garzik wrote:
>> Neil Horman wrote:
>>> Hey there-
>>> 	The sis900 driver appears to have a bug in which the receive routine
>>> passes the skbuff holding the received frame to the network stack before
>>> refilling the buffer in the rx ring.  If a new skbuff cannot be allocated, 
>>> the
>>> driver simply leaves a hole in the rx ring, which causes the driver to stop
>>> receiving frames and become non-recoverable without an rmmod/insmod 
>>> according to
>>> reporters.  This patch reverses that order, attempting to allocate a 
>>> replacement
>>> buffer first, and receiving the new frame only if one can be allocated.  
>>> If no
>>> skbuff can be allocated, the current skbuf in the rx ring is recycled, 
>>> dropping
>>> the current frame, but keeping the NIC operational.
>>>
>>> Thanks & Regards
>>> Neil
> 
> 
> 
> Just found a hole in my last patch.  It was reported to me that shortly after we
> integrated this patch.  The report was of an oops that took place inside of
> netif_rx when using the sis900 driver.  Looking at my origional patch I noted
> that there was a spot between the new skb_alloc and the refill_rx_ring label
> where skb got reassigned to the pointer currently held in the rx_ring for the
> purposes of receiveing the frame.  The result of this is however that the buffer
> that gets passed to netif_rx (if it is called), then gets placed right back into
> the rx_ring.  So if you receive frames fast enough the skb being processed by
> the network stack can get corrupted.  The reporter is testing out the fix I've
> written for this below (I'm not near my hardware at the moment to test myself),
> but I wanted to post it for review ASAP.  I'll post test results when I hear
> them, but I think this is a pretty straightforward fix.  It just uses a separate
> pointer to do the rx operation, so that we don't improperly reassign the pointer
> that we use to refill the rx ring.
> 
> Thanks & Regards
> Neil
> 
> Signed-off-by: Neil Horman <nhorman@...driver.com>
> 
> 
>  sis900.c |    9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> 
> diff --git a/drivers/net/sis900.c b/drivers/net/sis900.c
> index a6a0f09..7e44939 100644
> --- a/drivers/net/sis900.c
> +++ b/drivers/net/sis900.c
> @@ -1754,6 +1754,7 @@ static int sis900_rx(struct net_device *net_dev)
>  			sis_priv->rx_ring[entry].cmdsts = RX_BUF_SIZE;
>  		} else {
>  			struct sk_buff * skb;
> +			struct sk_buff * rx_skb;
>  
>  			pci_unmap_single(sis_priv->pci_dev,
>  				sis_priv->rx_ring[entry].bufptr, RX_BUF_SIZE,
> @@ -1787,10 +1788,10 @@ static int sis900_rx(struct net_device *net_dev)
>  			}
>  
>  			/* give the socket buffer to upper layers */
> -			skb = sis_priv->rx_skbuff[entry];
> -			skb_put(skb, rx_size);
> -			skb->protocol = eth_type_trans(skb, net_dev);
> -			netif_rx(skb);
> +			rx_skb = sis_priv->rx_skbuff[entry];
> +			skb_put(rx_skb, rx_size);
> +			skb->protocol = eth_type_trans(rx_skb, net_dev);

applied this, and the one-line fix to this


-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists