| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Mar 2014 23:04:20 -0300
From: Marcelo Tosatti <mtosatti@...hat.com>
To: Jeff Kirsher <jeffrey.t.kirsher@...el.com>,
Vladimir Davydov <VDavydov@...allels.com>
Cc: e1000-devel@...ts.sourceforge.net, netdev@...r.kernel.org
Subject: [PATCH] e1000: do not allow watchdog to reenable transmits on
shutdown
There is a race on the shutdown path of the e1000 driver
that allows the card to DMA into free'd memory.
The symptoms are similar to those described at
commit d5bc77a223b0e9b9dfb002048d2b34a79e7d0b48,
"e1000: don't enable dma receives until after dma address has been
setup", where memory corruption is visible due to E1000_RXD_STAT_DD
being written to the DMA transfer descriptor.
Fix by not allowing the watchdog and tx fifo stall detector
to re-enable E1000_TCTL_EN.
Signed-off-by: Marcelo Tosatti <mtosatti@...hat.com>
diff --git a/drivers/net/ethernet/intel/e1000/e1000.h b/drivers/net/ethernet/intel/e1000/e1000.h
index 10a0f22..bb5dc1a 100644
--- a/drivers/net/ethernet/intel/e1000/e1000.h
+++ b/drivers/net/ethernet/intel/e1000/e1000.h
@@ -321,7 +321,8 @@ struct e1000_adapter {
enum e1000_state_t {
__E1000_TESTING,
__E1000_RESETTING,
- __E1000_DOWN
+ __E1000_DOWN,
+ __E1000_NOTX = 4,
};
#undef pr_fmt
diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
index 46e6544..b20ce98 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -414,6 +414,7 @@ int e1000_up(struct e1000_adapter *adapter)
e1000_configure(adapter);
clear_bit(__E1000_DOWN, &adapter->flags);
+ clear_bit(__E1000_NOTX, &adapter->flags);
napi_enable(&adapter->napi);
@@ -524,6 +525,10 @@ void e1000_down(struct e1000_adapter *adapter)
netif_tx_disable(netdev);
+ /* do not allow watchdog to reenable transmits between
+ clearing E1000_TCTL_EN below and setting E1000_DOWN */
+ set_bit(__E1000_NOTX, &adapter->flags);
+
/* disable transmits in the hardware */
tctl = er32(TCTL);
tctl &= ~E1000_TCTL_EN;
@@ -2339,6 +2344,9 @@ static void e1000_82547_tx_fifo_stall_task(struct work_struct *work)
struct net_device *netdev = adapter->netdev;
u32 tctl;
+ if (test_bit(__E1000_NOTX, &adapter->flags))
+ return;
+
if (atomic_read(&adapter->tx_fifo_stall)) {
if ((er32(TDT) == er32(TDH)) &&
(er32(TDFT) == er32(TDFH)) &&
@@ -2412,6 +2420,9 @@ static void e1000_watchdog(struct work_struct *work)
struct e1000_tx_ring *txdr = adapter->tx_ring;
u32 link, tctl;
+ if (test_bit(__E1000_NOTX, &adapter->flags))
+ return;
+
link = e1000_has_link(adapter);
if ((netif_carrier_ok(netdev)) && link)
goto link_up;
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists