Re: [PATCH] forcedeth: fix random memory scribbling bug

[Linus Torvalds]

On Sat, 24 Dec 2005, Manfred Spraul wrote:
>
> Two critical bugs were found in forcedeth 0.47:
> - TSO doesn't work.
> - pci_map_single() for the rx buffers is called with size==0. This bug is
> critical, it causes random memory corruptions on systems with an iommu.

Good catch. Btw, should we perhaps disallow (or at least WARN_ON()) 
pci_map_single() with a length of zero? I think it's always likely a bug..

However, that

	"skb->end - skb->data"

calculation is a bit strange. It correctly maps the whole skb, but 
wouldn't it make more sense to use the length we actually tell the card to 
use? 

In other words, wouldn't it be a whole lot more sensible and logical to 
use

	np->rx_buf_sz

instead? That's the value we use for allocation and that's the size we 
tell the card we have.

Of course, on the alloc path, it seems to add an additional 
"NV_RX_ALLOC_PAD" thing, so maybe the "end-data" thing makes sense.

		Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/