Date: Mon, 5 Apr 2010 11:50:25 -0700 From: Pyun YongHyeon <pyunyh@gmail.com> To: freebsd-current@FreeBSD.org Subject: Re: Call for testers: fxp(4) Rx buffer use after free Message-ID: <20100405185025.GE1225@michelle.cdnetworks.com> In-Reply-To: <20100405010054.GA1225@michelle.cdnetworks.com> References: <20100405010054.GA1225@michelle.cdnetworks.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Apr 04, 2010 at 06:00:54PM -0700, Pyun YongHyeon wrote: > Hi, > > It seems that fxp(4) has a long standing races between controller > and driver. The exotic RFD handling of controller is race prone as > we had seen old ethernet controllers. I could easily reproduce this > by rebooting system while netperf 64bytes UDP test is in progress. > If heavy RX frames hit the controller while interface UP is in > progress, controller started DMAing to freed mbufs such that > "Memory modified after free" message showed up. Based on OpenBSD's > patch I made a patch which seems to fix the issue. > If you saw this type of issue please give it try and let me how > it goes on your box. The patch has effect only on interrupt mode so > if you're using polling(4) you would have no effects. > You can get download the patch at the following URL. > http://people.freebsd.org/~yongari/fxp/fxp.rx.race.patch > > After applying the patch you may see somewhat increased RNR counter > value from sysctl node(dev.fxp.0.rnr). Previously fxp(4) might have > lower RNR counter value but that fake value came from DMAing to > freed mbufs which was completely wrong. > Hmm, it seems there are other issues in the patch. I'll post new patch after fixing this. > Thanks.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100405185025.GE1225>