lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 8 Dec 2020 13:14:06 -0600
From:   Li Yang <leoyang.li@....com>
To:     Rasmus Villemoes <rasmus.villemoes@...vas.dk>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Zhao Qiang <qiang.zhao@....com>,
        Vladimir Oltean <vladimir.oltean@....com>,
        Netdev <netdev@...r.kernel.org>,
        linuxppc-dev <linuxppc-dev@...ts.ozlabs.org>,
        lkml <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 02/20] ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram

On Sat, Dec 5, 2020 at 1:21 PM Rasmus Villemoes
<rasmus.villemoes@...vas.dk> wrote:
>
> Table 8-53 in the QUICC Engine Reference manual shows definitions of
> fields up to a size of 192 bytes, not just 128. But in table 8-111,
> one does find the text
>
>   Base Address of the Global Transmitter Parameter RAM Page. [...]
>   The user needs to allocate 128 bytes for this page. The address must
>   be aligned to the page size.
>
> I've checked both rev. 7 (11/2015) and rev. 9 (05/2018) of the manual;
> they both have this inconsistency (and the table numbers are the
> same).

This does seem to be an inconsistency.  I will try to see if I can
find someone who is familiar with this as this is really an old IP.

Figure 8-61 does mention that size = 128 byte + 64 byte if ....    But
this part is not clear also.  Not sure if the size of the parameter
RAM is really conditional.

>
> Adding a bit of debug printing, on my board the struct
> ucc_geth_tx_global_pram is allocated at offset 0x880, while
> the (opaque) ucc_geth_thread_data_tx gets allocated immediately
> afterwards, at 0x900. So whatever the engine writes into the thread
> data overlaps with the tail of the global tx pram (and devmem says
> that something does get written during a simple ping).

The overlapping does seem to be a problem.  Maybe these global
parameters are not sampled at runtime or the parameter RAM is really
only using 128byte depending on the operation mode.

Are you getting useful information by reading from the additional 64
bytes, or getting changed behavior for setting these bytes after your
changes?

>
> I haven't observed any failure that could be attributed to this, but
> it seems to be the kind of thing that would be extremely hard to
> debug. So extend the struct definition so that we do allocate 192
> bytes.
>
> Signed-off-by: Rasmus Villemoes <rasmus.villemoes@...vas.dk>
> ---
>  drivers/net/ethernet/freescale/ucc_geth.h | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/freescale/ucc_geth.h b/drivers/net/ethernet/freescale/ucc_geth.h
> index 3fe903972195..c80bed2c995c 100644
> --- a/drivers/net/ethernet/freescale/ucc_geth.h
> +++ b/drivers/net/ethernet/freescale/ucc_geth.h
> @@ -575,7 +575,14 @@ struct ucc_geth_tx_global_pram {
>         u32 vtagtable[0x8];     /* 8 4-byte VLAN tags */
>         u32 tqptr;              /* a base pointer to the Tx Queues Memory
>                                    Region */
> -       u8 res2[0x80 - 0x74];
> +       u8 res2[0x78 - 0x74];
> +       u64 snums_en;
> +       u32 l2l3baseptr;        /* top byte consists of a few other bit fields */
> +
> +       u16 mtu[8];
> +       u8 res3[0xa8 - 0x94];
> +       u32 wrrtablebase;       /* top byte is reserved */
> +       u8 res4[0xc0 - 0xac];
>  } __packed;
>
>  /* structure representing Extended Filtering Global Parameters in PRAM */
> --
> 2.23.0
>

Powered by blists - more mailing lists