From: Pyun YongHyeon
Date: Sun, 4 Apr 2010 18:00:54 -0700
To: freebsd-current@FreeBSD.org
Subject: Call for testers: fxp(4) Rx buffer use after free
Message-ID: <20100405010054.GA1225@michelle.cdnetworks.com>
Reply-To: pyunyh@gmail.com

Hi,

It seems that fxp(4) has long-standing races between controller and driver. The exotic RFD handling of the controller is race prone, as we had seen with old ethernet controllers. I could easily reproduce this by rebooting the system while a netperf 64-byte UDP test is in progress. If heavy RX frames hit the controller while interface UP is in progress, the controller started DMAing to freed mbufs such that a "Memory modified after free" message showed up.

Based on OpenBSD's patch I made a patch which seems to fix the issue. If you saw this type of issue please give it a try and let me know how it goes on your box. The patch has an effect only in interrupt mode, so if you're using polling(4) you would see no effect.

You can download the patch at the following URL.
http://people.freebsd.org/~yongari/fxp/fxp.rx.race.patch

After applying the patch you may see a somewhat increased RNR counter value from the sysctl node (dev.fxp.0.rnr). Previously fxp(4) might have had a lower RNR counter value, but that fake value came from DMAing to freed mbufs, which was completely wrong.

Thanks.
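
A user-space model, added here as an illustration and not taken from the fxp(4) driver or the patch, of how a poison-on-free check reports a late DMA write and why the RNR counter rises once the controller no longer holds a freed buffer. The struct and function names, the poison value and the single-buffer ring are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_WORDS 16
#define POISON 0xdeadc0deU          /* assumed junk pattern for this model */

struct rxbuf { uint32_t data[BUF_WORDS]; };
/* rfd: the buffer the modelled controller will DMA the next frame into. */
struct nic { struct rxbuf *rfd; unsigned rnr; };

/* Free path of a debugging allocator: fill the buffer with the poison. */
static void buf_free(struct rxbuf *b) {
    for (int i = 0; i < BUF_WORDS; i++) b->data[i] = POISON;
}

/* Reuse-time check: count words that no longer hold the poison pattern. */
static int modified_after_free(const struct rxbuf *b) {
    int bad = 0;
    for (int i = 0; i < BUF_WORDS; i++) if (b->data[i] != POISON) bad++;
    return bad;
}

/* Controller side: DMA into the buffer it still holds, else count RNR. */
static void nic_rx_frame(struct nic *n, uint32_t word) {
    if (n->rfd == NULL) { n->rnr++; return; }   /* no resources: frame dropped */
    n->rfd->data[0] = word;                     /* DMA write */
}

/* Interface re-init under load. detach_first = 0 models the race (buffer
 * freed while the controller still points at it); 1 models withdrawing the
 * buffer from the controller before it is freed. Returns corrupted words. */
static int reinit_under_load(int detach_first, unsigned *rnr_out) {
    struct rxbuf buf;
    struct nic n = { &buf, 0 };
    memset(&buf, 0, sizeof(buf));
    if (detach_first) n.rfd = NULL;
    buf_free(&buf);
    nic_rx_frame(&n, 0x11223344U);  /* frame arrives while UP is in progress */
    *rnr_out = n.rnr;
    return modified_after_free(&buf);
}

int main(void) {
    unsigned rnr;
    int bad = reinit_under_load(0, &rnr);
    printf("racy:    modified-after-free words=%d rnr=%u\n", bad, rnr);
    bad = reinit_under_load(1, &rnr);
    printf("ordered: modified-after-free words=%d rnr=%u\n", bad, rnr);
    return 0;
}
```

In the racy ordering the frame is "received" without an RNR event only because it landed in freed memory, which is the misleadingly low counter the message describes.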