| To: | Manfred Spraul <manfred@xxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: [PATCH] forcedeth: fix random memory scribbling bug |
| From: | Linus Torvalds <torvalds@xxxxxxxx> |
| Date: | Sat, 24 Dec 2005 11:52:25 -0800 (PST) |
| Cc: | Jeff Garzik <jgarzik@xxxxxxxxx>, Ayaz Abdulla <AAbdulla@xxxxxxxxxx>, Linux Kernel Mailing List <linux-kernel@xxxxxxxxxxxxxxx>, Netdev <netdev@xxxxxxxxxxx> |
| In-reply-to: | <43AD4ADC.8050004@xxxxxxxxxxxxxxxx> |
| References: | <43AD4ADC.8050004@xxxxxxxxxxxxxxxx> |
| Sender: | netdev-bounce@xxxxxxxxxxx |

On Sat, 24 Dec 2005, Manfred Spraul wrote:
>
> Two critical bugs were found in forcedeth 0.47:
> - TSO doesn't work.
> - pci_map_single() for the rx buffers is called with size==0. This bug is
> critical, it causes random memory corruptions on systems with an iommu.

Good catch. Btw, should we perhaps disallow (or at least WARN_ON())
pci_map_single() with a length of zero? I think it's always likely a bug..

However, that

	"skb->end - skb->data"

calculation is a bit strange. It correctly maps the whole skb, but
wouldn't it make more sense to use the length we actually tell the card to
use?

In other words, wouldn't it be a whole lot more sensible and logical to
use

	np->rx_buf_sz

instead? That's the value we use for allocation and that's the size we
tell the card we have.

Of course, on the alloc path, it seems to add an additional
"NV_RX_ALLOC_PAD" thing, so maybe the "end-data" thing makes sense.

Linus
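
The following user-space model is an added example, not code from the message, the forcedeth driver or the kernel. It shows a mapping call that reports and refuses a zero length, as the mail suggests, next to the two candidate sizes the mail compares. All names and constants (`rx_buf`, `checked_map_single`, `RX_BUF_SZ`, `RX_ALLOC_PAD`) are hypothetical, and taking the zero from a packet-length field is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>

#define RX_BUF_SZ    1536u /* assumed stand-in for np->rx_buf_sz */
#define RX_ALLOC_PAD 64u   /* assumed stand-in for NV_RX_ALLOC_PAD */

/* Constructed stand-in for the buffer fields the mail refers to. */
struct rx_buf {
    unsigned char *data; /* start of the receive area */
    unsigned char *end;  /* one past the last allocated byte */
    size_t len;          /* bytes of packet data: 0 until a frame arrives */
};

static unsigned long zero_len_maps; /* refused zero-length requests */

/* Model of a mapping call with the suggested check: a zero length is
 * reported and refused. Returns the bytes handed to the device, or 0. */
static size_t checked_map_single(void *ptr, size_t size)
{
    if (ptr == NULL || size == 0) {
        zero_len_maps++;
        fprintf(stderr, "WARN: map_single(%p, %zu)\n", ptr, size);
        return 0;
    }
    return size;
}

/* Allocation path: the size told to the card plus the pad. */
static int rx_buf_alloc(struct rx_buf *b)
{
    b->data = malloc(RX_BUF_SZ + RX_ALLOC_PAD);
    if (b->data == NULL)
        return -1;
    b->end = b->data + RX_BUF_SZ + RX_ALLOC_PAD;
    b->len = 0; /* fresh receive buffer holds no packet yet */
    return 0;
}

/* The "end - data" length: covers the whole allocation, pad included. */
static size_t rx_map_len(const struct rx_buf *b) { return (size_t)(b->end - b->data); }

int main(void)
{
    struct rx_buf b;
    if (rx_buf_alloc(&b) != 0) return 1;
    printf("len=%zu end-data=%zu rx_buf_sz=%u\n",
           checked_map_single(b.data, b.len), rx_map_len(&b), RX_BUF_SZ);
    free(b.data);
    return 0;
}
```

In this model the "end - data" length exceeds the size told to the card by exactly the pad, which is the difference the last paragraph of the mail points at.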