From patchwork Wed Jul 6 16:56:19 2011
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 103536
X-Patchwork-Delegate: davem@davemloft.net
Subject: Re: [Bugme-new] [Bug 38102] New: BUG kmalloc-2048: Poison overwritten
From: Eric Dumazet
To: Michael Büsch
Cc: Neil Horman, Alexey Zaytsev, Andrew Morton, netdev@vger.kernel.org, Gary Zambrano, bugme-daemon@bugzilla.kernel.org, "David S. Miller", Pekka Pietikainen, Florian Schirmer, Felix Fietkau, Michael Buesch
In-Reply-To: <20110706173243.404d8599@maggie>
Date: Wed, 06 Jul 2011 18:56:19 +0200
Message-ID: <1309971379.2292.64.camel@edumazet-HP-Compaq-6005-Pro-SFF-PC>

On Wednesday 06 July 2011 at 17:32 +0200, Michael Büsch wrote:
> You guys are mixing up quite a bit of stuff here...

Well

>
> The EOT bit has _nothing_ to do with the descriptor pointers.
> It simply marks the last descriptor in the (linear) descriptor
> page, so that it becomes an actual ring:
>
> DDDDDDDDDDDDDDDDDDDDDDDDDDDE
> |                          O
> |                          T
> ^--------------------------|
>
> It doesn't say anything about the read and write pointers
> to the ring.
>
> The B44_DMARX_PTR is the write-end pointer. It points one entry
> beyond the end of the write area. Then there's the software pointer
> where we keep track of the read position.
>

That's not how b44_rx() works:

It writes to DMARX_PTR the last slot that the driver _dequeued_ in its NAPI run.
It's not the end of the window that the device is allowed to use.
	bw32(bp, B44_DMARX_PTR, cons * sizeof(struct dma_desc));

The end of the 'allocated buffers' is in rx_prod.

The problem is that the NIC has no idea where the end of the window is. We never give
rx_prod to the NIC.

So the NIC actually reads old descriptor values. We need to clear them to avoid
memory corruption.

---
diff --git a/drivers/net/b44.c b/drivers/net/b44.c index 6c4ef96..ec9773b 100644 --- a/drivers/net/b44.c +++ b/drivers/net/b44.c @@ -725,6 +725,7 @@ static void b44_recycle_rx(struct b44 *bp, int src_idx, u32 dest_idx_unmasked) DMA_BIDIRECTIONAL); ctrl = src_desc->ctrl; + src_desc->ctrl = ctrl & cpu_to_le32(DESC_CTRL_EOT); if (dest_idx == (B44_RX_RING_SIZE - 1)) ctrl |= cpu_to_le32(DESC_CTRL_EOT); else @@ -732,6 +733,7 @@ static void b44_recycle_rx(struct b44 *bp, int src_idx, u32 dest_idx_unmasked) dest_desc->ctrl = ctrl; dest_desc->addr = src_desc->addr; + src_desc->addr = 0; src_map->skb = NULL; @@ -1118,6 +1120,7 @@ static void b44_init_rings(struct b44 *bp) if (b44_alloc_rx_skb(bp, -1, i) < 0) break; } + bp->rx_prod = i; } /* @@ -1406,7 +1409,6 @@ static void b44_init_hw(struct b44 *bp, int reset_kind) bw32(bp, B44_DMARX_ADDR, bp->rx_ring_dma + bp->dma_offset); bw32(bp, B44_DMARX_PTR, bp->rx_pending); - bp->rx_prod = bp->rx_pending; bw32(bp, B44_MIB_CTRL, MIB_CTRL_CLR_ON_READ); }
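
Review bot: In the first b44_recycle_rx hunk (@@ -725), the new store `src_desc->ctrl = ctrl & cpu_to_le32(DESC_CTRL_EOT);` changes a descriptor the device reads, but nothing visible in the hunk makes that write reach the device; the DMA call whose tail is in view (`DMA_BIDIRECTIONAL);`) comes before the store. If the ring can be a streaming mapping, sync the source descriptor for the device after clearing it, or explain in a comment why that is unnecessary. A one-line comment saying the slot is cleared because the NIC is never given rx_prod would also make the intent clear to the next reader.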
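
Review bot: In the second b44_recycle_rx hunk (@@ -732), `src_desc->addr = 0;` runs directly after `dest_desc->addr = src_desc->addr;`, so if src_idx and the masked dest_idx can ever name the same slot, the descriptor that was just written loses its buffer address. Please confirm from the callers that the two indices are always distinct, or skip the clear when they are equal. The line also needs a comment stating what stops the NIC from using the cleared slot, since it is not obvious that a zero address by itself is harmless to the device.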
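
Review bot: In the b44_init_rings hunk (@@ -1118), `bp->rx_prod = i;` records how many buffers were really allocated, which is a smaller number when `b44_alloc_rx_skb()` fails and the loop breaks, yet the b44_init_hw context in the next hunk still programs `bw32(bp, B44_DMARX_PTR, bp->rx_pending);`. After a short allocation the software producer index and the value given to the hardware disagree, and the slots from i upward hold no buffer. Either derive the register write from rx_prod or treat the early break as an error and document which one is intended.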
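
Review bot: In the b44_init_hw hunk (@@ -1406), removing `bp->rx_prod = bp->rx_pending;` makes rx_prod valid only if b44_init_rings has run on every path that reaches b44_init_hw; please check each caller and state that ordering requirement in the changelog or a comment. The untouched context line writes `bp->rx_pending`, a slot count, to B44_DMARX_PTR, while the b44_rx() line quoted in the mail writes `cons * sizeof(struct dma_desc)`, a byte offset, so it is worth settling which unit the register takes while this code is being changed.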