netdev
[Top] [All Lists]

Re: [PATCH] forcedeth: fix random memory scribbling bug

To: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx>
Subject: Re: [PATCH] forcedeth: fix random memory scribbling bug
From: Linus Torvalds <torvalds@xxxxxxxx>
Date: Sat, 24 Dec 2005 11:52:25 -0800 (PST)
Cc: Jeff Garzik <jgarzik@xxxxxxxxx>, Ayaz Abdulla <AAbdulla@xxxxxxxxxx>, Linux Kernel Mailing List <linux-kernel@xxxxxxxxxxxxxxx>, Netdev <netdev@xxxxxxxxxxx>
In-reply-to: <43AD4ADC.8050004@colorfullife.com>
References: <43AD4ADC.8050004@colorfullife.com>
Sender: netdev-bounce@xxxxxxxxxxx

On Sat, 24 Dec 2005, Manfred Spraul wrote:
>
> Two critical bugs were found in forcedeth 0.47:
> - TSO doesn't work.
> - pci_map_single() for the rx buffers is called with size==0. This bug is
> critical, it causes random memory corruptions on systems with an iommu.

Good catch. Btw, should we perhaps disallow (or at least WARN_ON()) 
pci_map_single() with a length of zero? I think it's always likely a bug..

However, that

        "skb->end - skb->data"

calculation is a bit strange. It correctly maps the whole skb, but 
wouldn't it make more sense to use the length we actually tell the card to 
use? 

In other words, wouldn't it be a whole lot more sensible and logical to 
use

        np->rx_buf_sz

instead? That's the value we use for allocation and that's the size we 
tell the card we have.

Of course, on the alloc path, it seems to add an additional 
"NV_RX_ALLOC_PAD" thing, so maybe the "end-data" thing makes sense.

                Linus

<Prev in Thread] Current Thread [Next in Thread>