[PATCH] bnx2x: dont dereference tcp header on non tcp frames

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: Eric Dumazet <eric.dumazet@gmail.com>
To: Dmitry Kravkov <dmitry@broadcom.com>, David Miller <davem@davemloft.net>
Cc: Eilon Greenstein <eilong@broadcom.com>, netdev <netdev@vger.kernel.org>
Subject: [PATCH] bnx2x: dont dereference tcp header on non tcp frames
Date: Wed, 20 Apr 2011 09:31:53 +0200	[thread overview]
Message-ID: <1303284713.3186.13.camel@edumazet-laptop> (raw)
In-Reply-To: <1303229503.3480.386.camel@edumazet-laptop>

Le mardi 19 avril 2011 à 18:11 +0200, Eric Dumazet a écrit :
> Hi guys
> 
> bnx2x_set_pbd_csum() / bnx2x_set_pbd_csum_e2() seem to read
> tcp_hdrlen(skb) even for non TCP frames ?
> 
> Also, (skb_network_header(skb) - skb->data) is signed, so 
> 	(skb_network_header(skb) - skb->data) / 2 is a bit expensive...
> 

I managed to trigger a kmemcheck fault using netperf -t UDP_RR

02:00.1 Ethernet controller: Broadcom Corporation NetXtreme II BCM57711E 10Gigabit PCIe

[  341.246514] WARNING: kmemcheck: Caught 8-bit read from uninitialized memory (ffff88011800ec30)
[  341.247155] c0a8146ea907c4550009aa456ed2000008000400040000001400030000000000
[  341.249789]  i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
[  341.252425]                                  ^
[  341.252773] 
[  341.252937] Pid: 4122, comm: netperf Not tainted 2.6.39-rc4-00237-ge3de956-dirty #549 HP ProLiant BL460c G6
[  341.253768] RIP: 0010:[<ffffffff812f5224>]  [<ffffffff812f5224>] bnx2x_start_xmit+0xce4/0x13f0
[  341.254476] RSP: 0018:ffff8801158b38b8  EFLAGS: 00010286
[  341.254879] RAX: ffff88011800ec24 RBX: ffff880118e44820 RCX: 0000000000000007
[  341.255400] RDX: 000000000000000a RSI: ffff880118e44820 RDI: ffff88011800ec40
[  341.255918] RBP: ffff8801158b39b8 R08: ffff88011800ec40 R09: ffff88011800ec00
[  341.256439] R10: 0000000000000000 R11: 000000006e14a8c0 R12: ffff880118f4db00
[  341.256958] R13: 0000000000000481 R14: 0000000000000040 R15: ffff880118ff18e0
[  341.257479] FS:  0000000000000000(0000) GS:ffff88011fc00000(0063) knlGS:00000000f77e16c0
[  341.258081] CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
[  341.258511] CR2: ffff880119856058 CR3: 0000000115879000 CR4: 00000000000006f0
[  341.259033] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  341.259551] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[  341.260072]  [<ffffffff8137fac5>] dev_hard_start_xmit+0x365/0x690
[  341.260593]  [<ffffffff81398bf7>] sch_direct_xmit+0xb7/0x1c0
[  341.261091]  [<ffffffff81383da8>] dev_queue_xmit+0x1a8/0x5d0
[  341.261583]  [<ffffffff813c2842>] ip_finish_output+0x122/0x2f0
[  341.262122]  [<ffffffff813c163e>] ip_output+0x7e/0xc0
[  341.262609]  [<ffffffff813c1194>] ip_local_out+0x24/0x30
[  341.263114]  [<ffffffff813c11b6>] ip_send_skb+0x16/0x70
[  341.263611]  [<ffffffff813e1326>] udp_send_skb+0x126/0x380
[  341.264129]  [<ffffffff813e300c>] udp_sendmsg+0x2cc/0x790
[  341.264637]  [<ffffffff813eaf44>] inet_sendmsg+0x84/0xc0
[  341.265143]  [<ffffffff8136d98b>] sock_sendmsg+0xbb/0xf0
[  341.265646]  [<ffffffff8136e1e5>] sys_sendto+0x105/0x140
[  341.266151]  [<ffffffff8136e22f>] sys_send+0xf/0x20
[  341.266625]  [<ffffffff813969fd>] compat_sys_socketcall+0xfd/0x1f0
[  341.267186]  [<ffffffff8146b8e9>] sysenter_dispatch+0x7/0x27

[PATCH] bnx2x: dont dereference tcp header on non tcp frames

bnx2x_set_pbd_csum() & bnx2x_set_pbd_csum_e2() use 
tcp_hdrlen(skb) even for non TCP frames

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Dmitry Kravkov <dmitry@broadcom.com>
Cc: Eilon Greenstein <eilong@broadcom.com>
---
 drivers/net/bnx2x/bnx2x_cmn.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/bnx2x/bnx2x_cmn.c b/drivers/net/bnx2x/bnx2x_cmn.c
index e83ac6d..a16a638 100644
--- a/drivers/net/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/bnx2x/bnx2x_cmn.c
@@ -2019,7 +2019,9 @@ static inline void bnx2x_set_pbd_gso(struct sk_buff *skb,
 static inline  u8 bnx2x_set_pbd_csum_e2(struct bnx2x *bp, struct sk_buff *skb,
 	u32 *parsing_data, u32 xmit_type)
 {
-	*parsing_data |= ((tcp_hdrlen(skb)/4) <<
+	u8 tcphlen = (xmit_type & XMIT_CSUM_TCP) ? tcp_hdrlen(skb) : 0;
+
+	*parsing_data |= ((tcphlen/4) <<
 		ETH_TX_PARSE_BD_E2_TCP_HDR_LENGTH_DW_SHIFT) &
 		ETH_TX_PARSE_BD_E2_TCP_HDR_LENGTH_DW;
 
@@ -2027,7 +2029,7 @@ static inline  u8 bnx2x_set_pbd_csum_e2(struct bnx2x *bp, struct sk_buff *skb,
 		ETH_TX_PARSE_BD_E2_TCP_HDR_START_OFFSET_W_SHIFT) &
 		ETH_TX_PARSE_BD_E2_TCP_HDR_START_OFFSET_W;
 
-	return skb_transport_header(skb) + tcp_hdrlen(skb) - skb->data;
+	return skb_transport_header(skb) + tcphlen - skb->data;
 }
 
 /**
@@ -2044,6 +2046,7 @@ static inline u8 bnx2x_set_pbd_csum(struct bnx2x *bp, struct sk_buff *skb,
 	u32 xmit_type)
 {
 	u8 hlen = (skb_network_header(skb) - skb->data) / 2;
+	u8 tcphlen = (xmit_type & XMIT_CSUM_TCP) ? tcp_hdrlen(skb) : 0;
 
 	/* for now NS flag is not used in Linux */
 	pbd->global_data =
@@ -2053,7 +2056,7 @@ static inline u8 bnx2x_set_pbd_csum(struct bnx2x *bp, struct sk_buff *skb,
 	pbd->ip_hlen_w = (skb_transport_header(skb) -
 			skb_network_header(skb)) / 2;
 
-	hlen += pbd->ip_hlen_w + tcp_hdrlen(skb) / 2;
+	hlen += pbd->ip_hlen_w + tcphlen / 2;
 
 	pbd->total_hlen_w = cpu_to_le16(hlen);
 	hlen = hlen*2;

next prev parent reply	other threads:[~2011-04-20  7:31 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-04-19 16:11 [BUG] bnx2x: bnx2x_set_pbd_csum() random accesses Eric Dumazet
2011-04-20  7:31 ` Eric Dumazet [this message]
2011-04-20  8:46   ` [PATCH] bnx2x: dont dereference tcp header on non tcp frames David Miller
2011-04-20  9:40     ` Dmitry Kravkov
2011-04-20 15:08       ` Dmitry Kravkov
2011-04-22  0:20       ` David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e83ac6d dfblob:a16a638 )
 OR (
bs:"[PATCH] bnx2x: dont dereference tcp header on non tcp frames" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1303284713.3186.13.camel@edumazet-laptop \
    --to=eric.dumazet@gmail.com \
    --cc=davem@davemloft.net \
    --cc=dmitry@broadcom.com \
    --cc=eilong@broadcom.com \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox