From owner-svn-src-all@FreeBSD.ORG Wed May 19 21:12:11 2010 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 617281065670; Wed, 19 May 2010 21:12:11 +0000 (UTC) (envelope-from yongari@FreeBSD.org) Received: from svn.freebsd.org (unknown [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 386A08FC0C; Wed, 19 May 2010 21:12:11 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o4JLCB7h089602; Wed, 19 May 2010 21:12:11 GMT (envelope-from yongari@svn.freebsd.org) Received: (from yongari@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o4JLCBeI089600; Wed, 19 May 2010 21:12:11 GMT (envelope-from yongari@svn.freebsd.org) Message-Id: <201005192112.o4JLCBeI089600@svn.freebsd.org> From: Pyun YongHyeon Date: Wed, 19 May 2010 21:12:11 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r208317 - stable/7/sys/dev/fxp X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 May 2010 21:12:11 -0000 Author: yongari Date: Wed May 19 21:12:10 2010 New Revision: 208317 URL: http://svn.freebsd.org/changeset/base/208317 Log: MFC r208084: If controller received bad frames make sure to update newly added RFA. Also drop frames that have either CRC error or alignment error. Normally bad frames are not received at all. But controllers running in promiscuous mode will receive bad frames. 82557 will also receive bad frames to receive VLAN oversized frames. While I'm here mark RNR condition if driver happen to see RNR in RFA status and restart RU to receive frames again. Because driver checks all received frames in RX loop, RNR condition could be set in the middle of RX processing. Just relying on RNR interrupt was not enough. This change fixes "Memory modified after free" issue when fxp(4) is running as a member of if_bridge(4). Tested by: Larry Baird gta dot com> Modified: stable/7/sys/dev/fxp/if_fxp.c Directory Properties: stable/7/sys/ (props changed) stable/7/sys/cddl/contrib/opensolaris/ (props changed) stable/7/sys/contrib/dev/acpica/ (props changed) stable/7/sys/contrib/pf/ (props changed) Modified: stable/7/sys/dev/fxp/if_fxp.c ============================================================================== --- stable/7/sys/dev/fxp/if_fxp.c Wed May 19 21:08:38 2010 (r208316) +++ stable/7/sys/dev/fxp/if_fxp.c Wed May 19 21:12:10 2010 (r208317) @@ -1912,6 +1912,8 @@ fxp_intr_body(struct fxp_softc *sc, stru if ((status & FXP_RFA_STATUS_C) == 0) break; + if ((status & FXP_RFA_STATUS_RNR) != 0) + rnr++; /* * Advance head forward. */ @@ -1938,9 +1940,12 @@ fxp_intr_body(struct fxp_softc *sc, stru total_len -= 2; } if (total_len < sizeof(struct ether_header) || - total_len > MCLBYTES - RFA_ALIGNMENT_FUDGE - - sc->rfa_size || status & FXP_RFA_STATUS_CRC) { + total_len > (MCLBYTES - RFA_ALIGNMENT_FUDGE - + sc->rfa_size) || + status & (FXP_RFA_STATUS_CRC | + FXP_RFA_STATUS_ALIGN)) { m_freem(m); + fxp_add_rfabuf(sc, rxp); continue; }