[PATCH] forcedeth: fix random memory scribbling bug

From: Manfred Spraul
Date: Sat Dec 24 2005 - 08:21:28 EST


Two critical bugs were found in forcedeth 0.47:
- TSO doesn't work.
- pci_map_single() for the rx buffers is called with size==0. This bug is critical, it causes random memory corruptions on systems with an iommu.

Below is a minimal fix for both bugs, for inclusion into 2.6.15.
TSO will be fixed properly in the next version.
Tested on x86-64.

Signed-Off-By: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx> --- 2.6/drivers/net/forcedeth.c 2005-12-19 01:36:54.000000000 +0100
+++ x64/drivers/net/forcedeth.c 2005-12-24 12:16:30.000000000 +0100
@@ -10,7 +10,7 @@
* trademarks of NVIDIA Corporation in the United States and other
* countries.
*
- * Copyright (C) 2003,4 Manfred Spraul
+ * Copyright (C) 2003,4,5 Manfred Spraul
* Copyright (C) 2004 Andrew de Quincey (wol support)
* Copyright (C) 2004 Carl-Daniel Hailfinger (invalid MAC handling, insane
* IRQ rate fixes, bigendian fixes, cleanups, verification)
@@ -100,6 +100,7 @@
* 0.45: 18 Sep 2005: Remove nv_stop/start_rx from every link check
* 0.46: 20 Oct 2005: Add irq optimization modes.
* 0.47: 26 Oct 2005: Add phyaddr 0 in phy scan.
+ * 0.48: 24 Dec 2005: Disable TSO, bugfix for pci_map_single
*
* Known bugs:
* We suspect that on some hardware no TX done interrupts are generated.
@@ -111,7 +112,7 @@
* DEV_NEED_TIMERIRQ will not harm you on sane hardware, only generating a few
* superfluous timer interrupts from the nic.
*/
-#define FORCEDETH_VERSION "0.47"
+#define FORCEDETH_VERSION "0.48"
#define DRV_NAME "forcedeth"

#include <linux/module.h>
@@ -871,8 +872,8 @@
} else {
skb = np->rx_skbuff[nr];
}
- np->rx_dma[nr] = pci_map_single(np->pci_dev, skb->data, skb->len,
- PCI_DMA_FROMDEVICE);
+ np->rx_dma[nr] = pci_map_single(np->pci_dev, skb->data,
+ skb->end-skb->data, PCI_DMA_FROMDEVICE);
if (np->desc_ver == DESC_VER_1 || np->desc_ver == DESC_VER_2) {
np->rx_ring.orig[nr].PacketBuffer = cpu_to_le32(np->rx_dma[nr]);
wmb();
@@ -999,7 +1000,7 @@
wmb();
if (np->rx_skbuff[i]) {
pci_unmap_single(np->pci_dev, np->rx_dma[i],
- np->rx_skbuff[i]->len,
+ np->rx_skbuff[i]->end-np->rx_skbuff[i]->data,
PCI_DMA_FROMDEVICE);
dev_kfree_skb(np->rx_skbuff[i]);
np->rx_skbuff[i] = NULL;
@@ -1334,7 +1335,7 @@
* the performance.
*/
pci_unmap_single(np->pci_dev, np->rx_dma[i],
- np->rx_skbuff[i]->len,
+ np->rx_skbuff[i]->end-np->rx_skbuff[i]->data,
PCI_DMA_FROMDEVICE);

{
@@ -2455,7 +2456,7 @@
np->txrxctl_bits |= NVREG_TXRXCTL_RXCHECK;
dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
#ifdef NETIF_F_TSO
- dev->features |= NETIF_F_TSO;
+ /* disabled dev->features |= NETIF_F_TSO; */
#endif
}