Unaligned accesses w/ generic segmentation/rx/tx offloading

[Brad Spengler <spender@grsecurity.net>]

[-- Attachment #1: Type: text/plain, Size: 1798 bytes --]

Hi all,

I'm running the 2.6.32.15 kernel on a Sun Blade 2500 with the tg3 
driver.
gcc version is:
gcc --version
gcc (Debian 4.3.2-1.1) 4.3.2

When rx/tx/generic segmentation offloading is disabled:
ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off
large receive offload: off

I've received several unaligned access messages:
Kernel unaligned access at TPC[6dae50]
Kernel unaligned access at TPC[6dae58]
Kernel unaligned access at TPC[6c8788]
Kernel unaligned access at TPC[6c8798]
Kernel unaligned access at TPC[704864]
They've only occurred once so far in a week or so, so I won't be able to 
reproduce it at will.

The unaligned accesses appear to come from the following sources:

net/ipv4/tcp_output.c:tcp_transmit_skb():
6dae50:       c2 26 e0 04     st  %g1, [ %i3 + 4 ]
6dae58:       c2 26 e0 08     st  %g1, [ %i3 + 8 ]
If my analysis is correct, these are the two lines at 666 in 2.6.32.15:
        th->seq                 = htonl(tcb->seq);
        th->ack_seq             = htonl(tp->rcv_nxt);
the problem being the unaligned th.
net/ipv4/ip_output.c:ip_queue_xmit():
6c8788:       c2 24 20 0c     st  %g1, [ %l0 + 0xc ]
6c8798:       c2 24 20 10     st  %g1, [ %l0 + 0x10 ]
If my analysis is correct, these are the two lines at 376 in 2.6.32.15:
        iph->saddr    = rt->rt_src;
        iph->daddr    = rt->rt_dst;
the problem being an unaligned iph.
arch/sparc/lib/ipcsum.S:ip_fast_csum() (2nd asm instruction, unaligned iph)

I've uploaded the associated vmlinux for analysis to:
http://grsecurity.net/unaligned-vmlinux

Please keep me on CC for any replies.

Thanks,
-Brad

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 197 bytes --]