lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 28 Dec 2023 13:56:45 +0100
From: Adrian Cinal <adriancinal1@...il.com>
To: Florian Fainelli <florian.fainelli@...adcom.com>
Cc: Doug Berger <opendmb@...il.com>, netdev@...r.kernel.org, 
	bcm-kernel-feedback-list@...adcom.com
Subject: Re: [PATCH v2] net: bcmgenet: Fix FCS generation for fragmented skbuffs

I attach a minimal reproducible example (largely inspired by
https://github.com/OpenDataPlane/odp/blob/master/platform/linux-generic/pktio/socket_mmap.c).
It sets up the "Packet MMAP" interface to the kernel and sends a
single broadcast frame.

If payload_size (parsed from argv[2]) is smaller than 46, then

    payload_size + sizeof(struct ether_header) + sizeof(struct llc_header) < 64

and the receiver sees a runt packet (without DMA_TX_APPEND_CRC in the
last descriptor
padding to 64 bytes is not performed either). Otherwise the packet is
rejected on the
grounds of bad (actually missing) CRC.

gcc bcmgenet_mre.c
./a.out end0 40  -->  runt packet
./a.out end0 50  -->  bad CRC

--
Adrian

On Thu, 28 Dec 2023 at 09:25, Florian Fainelli
<florian.fainelli@...adcom.com> wrote:
>
>
>
> On 12/28/2023 9:10 AM, Adrian Cinal wrote:
> > On Wed, 27 Dec 2023 at 21:39, Doug Berger <opendmb@...il.com> wrote:
> >>
> >> On 12/27/2023 4:04 AM, Adrian Cinal wrote:
> >>> The flag DMA_TX_APPEND_CRC was written to the first (instead of the last)
> >>> DMA descriptor in the TX path, with each descriptor corresponding to a
> >>> single skbuff fragment (or the skbuff head). This led to packets with no
> >>> FCS appearing on the wire if the kernel allocated the packet in fragments,
> >>> which would always happen when using PACKET_MMAP/TPACKET
> >>> (cf. tpacket_fill_skb() in af_packet.c).
> >>>
> >>> Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
> >>> Signed-off-by: Adrian Cinal <adriancinal1@...il.com>
> >>> ---
> >>>    drivers/net/ethernet/broadcom/genet/bcmgenet.c | 10 +++++-----
> >>>    1 file changed, 5 insertions(+), 5 deletions(-)
> >>>
> >>> diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
> >>> index 1174684a7f23..df4b0e557c76 100644
> >>> --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
> >>> +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
> >>> @@ -2137,16 +2137,16 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
> >>>                len_stat = (size << DMA_BUFLENGTH_SHIFT) |
> >>>                           (priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT);
> >>>
> >>> -             /* Note: if we ever change from DMA_TX_APPEND_CRC below we
> >>> -              * will need to restore software padding of "runt" packets
> >>> -              */
> >>>                if (!i) {
> >>> -                     len_stat |= DMA_TX_APPEND_CRC | DMA_SOP;
> >>> +                     len_stat |= DMA_SOP;
> >>>                        if (skb->ip_summed == CHECKSUM_PARTIAL)
> >>>                                len_stat |= DMA_TX_DO_CSUM;
> >>>                }
> >>> +             /* Note: if we ever change from DMA_TX_APPEND_CRC below we
> >>> +              * will need to restore software padding of "runt" packets
> >>> +              */
> >>>                if (i == nr_frags)
> >>> -                     len_stat |= DMA_EOP;
> >>> +                     len_stat |= DMA_TX_APPEND_CRC | DMA_EOP;
> >>>
> >>>                dmadesc_set(priv, tx_cb_ptr->bd_addr, mapping, len_stat);
> >>>        }
> >> Hmm... this is a little surprising since the documentation is actually
> >> pretty specific that the hardware signal derived from this flag be set
> >> along with the SOP signal.
> >>
> >> Based on that I think I would prefer the flag to be set for all
> >> descriptors of a packet rather than just the last, but let me look into
> >> this a little further.
> >>
> >> Thanks for bringing this to my attention,
> >>       Doug
> >
> > Hello,
> >
> > I confirm that it works just as well when the flag is set for all
> > descriptors rather than just the last. Tested on a BCM2711.
>
> Could you share how you triggered the problematic path? Thanks!
> --
> Florian

View attachment "bcmgenet_mre.c" of type "text/x-csrc" (6090 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ