lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 17 Sep 2019 14:36:59 -0700
From:   Arlie Davis <>
To:     Andrew Lunn <>
Subject: Re: Bug report (with fix) for DEC Tulip driver (de2104x.c)

I checked QEMU v3.1, and I don't see any Tulip implementation for it.
I haven't checked any other emulators. A few cursory searches didn't
turn up anything.

I checked the FreeBSD driver for the same device. It just treats the
control field as a write-only field; the driver just uses its own
internal state, rather than reading anything from the transfer
descriptor, aside from the relevant status bits.

My guess is that the hardware just always sets bit 30 = 1, in the
status field. In this Linux driver, for a normal packet (non-SETUP,
non-DUMMY), all packets use a single TX descriptor, so LastFrag=1 is
always true. Because of this, I considered changing the Linux driver
to just remove the "if (status & LastFrag)" check, and make it
unconditional, since this driver never uses more than 1 descriptor per
transmitted packet. Would you support that change?

Likewise, I'm at a loss for testing with real hardware. It's hard to
find such things, now.

On Tue, Sep 17, 2019 at 2:28 PM Andrew Lunn <> wrote:
> On Mon, Sep 16, 2019 at 02:50:53PM -0700, Arlie Davis wrote:
> > Hello. I'm a developer on GCE, Google's virtual machine platform. As
> > part of my work, we needed to emulate a DEC Tulip 2104x NIC, so I
> > implemented a basic virtual device for it.
> >
> > While doing so, I believe I found a bug in the Linux driver for this
> > device, in de2104x.c. I see in MAINTAINERS that this is an orphaned
> > device driver, but I was wondering if the kernel would still accept a
> > patch for it.  Should I submit this patch, and if so, where should I
> > submit it?
> >
> > Below is the commit text from my local repo, and the patch diffs
> > (they're quite short).
> >
> >     Fix a bug in DEC Tulip driver (de2104x.c)
> >
> >     The DEC Tulip Ethernet controller uses a 16-byte transfer descriptor for
> >     both its transmit (tx) and receive (rx) rings. Each descriptor has a
> >     "status" uint32 field (called opts1 in de2104x.c, and called TDES0 /
> >     Status in the DEC hardware specifications) and a "control" field (called
> >     opts2 in de2104x.c and called TDES1 / Control in the DEC
> >     specifications). In the "control" field, bit 30 is the LastSegment bit,
> >     which indicates that this is the last transfer descriptor in a sequence
> >     of descriptors (in case a single Ethernet frame spans more than one
> >     descriptor).
> >
> >     The de2104x driver correctly sets LastSegment, in the de_start_xmit
> >     function. (The code calls it LastFrag, not LastSegment). However, in the
> >     interrupt handler (in function de_tx), the driver incorrectly checks for
> >     this bit in the status field, not the control field. This means that the
> >     driver is reading bits that are undefined in the specification; the
> >     spec does not make any guarantees at all about the contents of bits 29
> >     and bits 30 in the "status" field.
> >
> >     The effect of the bug is that the driver may think that a TX ring entry
> >     is never finished, even though a compliant DEC Tulip hardware device (or
> >     a virtualized device, in a VM) actually did finish sending the Ethernet
> >     frame.
> >
> >     The fix is to read the correct "control" field from the TX descriptor.
> >
> >     DEC Tulip programming specification:
> >
> >
> Hi Arlie
> Without having access to real hardware, it is hard to verify
> this. Maybe the programming specification is wrong? It could be, the
> hardware designer thought the control field should be write only from
> the CPU side, and the status field read only from the CPU side, to
> avoid race conditions. So in practice it does mirror the LastSegment
> bit from control to status?
> Are there any other emulators of this out there? Any silicon vendor
> who produces devices which claim to be compatible?
>     Andrew

Powered by blists - more mailing lists