| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 05 Jul 2011 18:12:32 +0200 From: Eric Dumazet <eric.dumazet@...il.com> To: Neil Horman <nhorman@...driver.com> Cc: Alexey Zaytsev <alexey.zaytsev@...il.com>, Michael Büsch <m@...s.ch>, Andrew Morton <akpm@...ux-foundation.org>, netdev@...r.kernel.org, Gary Zambrano <zambrano@...adcom.com>, bugme-daemon@...zilla.kernel.org, "David S. Miller" <davem@...emloft.net>, Pekka Pietikainen <pp@...oulu.fi>, Florian Schirmer <jolt@...box.org>, Felix Fietkau <nbd@...nwrt.org>, Michael Buesch <mb@...sch.de> Subject: Re: [Bugme-new] [Bug 38102] New: BUG kmalloc-2048: Poison overwritten Le mardi 05 juillet 2011 à 12:05 -0400, Neil Horman a écrit : > On Tue, Jul 05, 2011 at 07:59:33AM +0200, Eric Dumazet wrote: > > Le mardi 05 juillet 2011 à 07:33 +0200, Eric Dumazet a écrit : > > > Le mardi 05 juillet 2011 à 09:18 +0400, Alexey Zaytsev a écrit : > > > > > > > Actually, I've added a trace to show b44_init_rings and b44_free_rings > > > > calls, and they are only called once, right after the driver is > > > > loaded. So it can't be related to START_RFO. Will attach the diff and > > > > dmesg. > > > > > > Thanks > > > > > > I was wondering if DMA could be faster if providing word aligned > > > addresses, could you try : > > > > > > -#define RX_PKT_OFFSET (RX_HEADER_LEN + 2) > > > +#define RX_PKT_OFFSET (RX_HEADER_LEN + NET_IP_ALIGN) > > > > > > (On x86, we now have NET_IP_ALIGN = 0 since commit ea812ca1) > > > > > > > I suspect a hardware bug. > > > I'm not sure if this helps, but I've been reading over this bug, and it seems > that the rx path never checks the status of a buffers rx header prior to > unmapping it or otherwise modifying it in hardware. If we were to start munging > pointers in the rx channel while a dma was active in it still, it sems like the > observed corruption might be the result. The docs aren't super clear on this, > but I think a descriptor needs to be in the idle wait or stopped state prior to > being acessed. This patch might help out there (although I don't have hardware > to test) > Neil > > diff --git a/drivers/net/b44.c b/drivers/net/b44.c > index 3d247f3..48540ad 100644 > --- a/drivers/net/b44.c > +++ b/drivers/net/b44.c > @@ -769,7 +769,19 @@ static int b44_rx(struct b44 *bp, int budget) > dma_addr_t map = rp->mapping; > struct rx_header *rh; > u16 len; > - > + u32 state = br32(bp, B44_DMARX_STAT) & DMARX_STAT_SMASK; > + state >>= 12; > + > + /* > + * I _think_ descriptors need to be in the idle or stopped state > + * before its safe to access them. If the current buffer > + * pointed to by the dma channel is in state 1 or lower (active > + * or disabled), then we should just stop receving until the > + * next interrupt kicks us again (I think) > + */ > + if (state < 2) > + return; > + > dma_sync_single_for_cpu(bp->sdev->dev, map, > RX_PKT_BUF_SZ, > DMA_FROM_DEVICE); Hmm... We are in a NAPI handler... There wont be a new interrupt. Plus, we do at start of b44_rx() : prod = br32(bp, B44_DMARX_STAT) & DMARX_STAT_CDMASK; So all descriptors before prod are guaranteed to be ready for host consume... Fact that a dma access is running on 'next descriptor' should be irrelevant. IMHO Peeking B44_DMARX_STAT for each packet would be a waste of time. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists