From owner-freebsd-current@FreeBSD.ORG Mon Apr 5 18:50:34 2010 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7A970106566B for ; Mon, 5 Apr 2010 18:50:34 +0000 (UTC) (envelope-from pyunyh@gmail.com) Received: from mail-bw0-f216.google.com (mail-bw0-f216.google.com [209.85.218.216]) by mx1.freebsd.org (Postfix) with ESMTP id 03BFD8FC18 for ; Mon, 5 Apr 2010 18:50:33 +0000 (UTC) Received: by bwz8 with SMTP id 8so3178205bwz.3 for ; Mon, 05 Apr 2010 11:50:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:received:from:date:to:subject :message-id:reply-to:references:mime-version:content-type :content-disposition:in-reply-to:user-agent; bh=Lq9rF9pfcdrhOhP5hdEIdMP6zmxoqzaGh2QqLVQppq4=; b=PAnR4706hGsVldK69icYqGfE2nQ8liEBYki4VTCXuIWQt+4I/S7UgHugc6JKcrXJN3 rFyDcBV0SnzGCdQiEbgvVBjmtc1A4l+Qqz/1kEhbBItAru8LfB107SySCcUdr7hE1XvM YYemxeRRVgeM5ltj7N87SI2oyT9acQw3RCP18= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:date:to:subject:message-id:reply-to:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; b=VafRdeSheZ7rH56sZivFon77zK0q5qMy+aodHSbP87/E744Sr5pazD0tAeRIw1OGKs y3tDP2gPe7XFWc3b6r8qgwzwzukDHuveLdWG2DvzwwWf1dAdiIswE5vUNrOjQtfjwUN5 FCnZ3pFtekvwZ1Nm/AihD1fRW1mNwMA+RtESE= Received: by 10.204.9.152 with SMTP id l24mr7141618bkl.193.1270493432798; Mon, 05 Apr 2010 11:50:32 -0700 (PDT) Received: from pyunyh@gmail.com ([174.35.1.224]) by mx.google.com with ESMTPS id s17sm107881900bkd.16.2010.04.05.11.50.29 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 05 Apr 2010 11:50:31 -0700 (PDT) Received: by pyunyh@gmail.com (sSMTP sendmail emulation); Mon, 5 Apr 2010 11:50:25 -0700 From: Pyun YongHyeon Date: Mon, 5 Apr 2010 11:50:25 -0700 To: freebsd-current@FreeBSD.org Message-ID: <20100405185025.GE1225@michelle.cdnetworks.com> References: <20100405010054.GA1225@michelle.cdnetworks.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20100405010054.GA1225@michelle.cdnetworks.com> User-Agent: Mutt/1.4.2.3i Cc: Subject: Re: Call for testers: fxp(4) Rx buffer use after free X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: pyunyh@gmail.com List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Apr 2010 18:50:34 -0000 On Sun, Apr 04, 2010 at 06:00:54PM -0700, Pyun YongHyeon wrote: > Hi, > > It seems that fxp(4) has a long standing races between controller > and driver. The exotic RFD handling of controller is race prone as > we had seen old ethernet controllers. I could easily reproduce this > by rebooting system while netperf 64bytes UDP test is in progress. > If heavy RX frames hit the controller while interface UP is in > progress, controller started DMAing to freed mbufs such that > "Memory modified after free" message showed up. Based on OpenBSD's > patch I made a patch which seems to fix the issue. > If you saw this type of issue please give it try and let me how > it goes on your box. The patch has effect only on interrupt mode so > if you're using polling(4) you would have no effects. > You can get download the patch at the following URL. > http://people.freebsd.org/~yongari/fxp/fxp.rx.race.patch > > After applying the patch you may see somewhat increased RNR counter > value from sysctl node(dev.fxp.0.rnr). Previously fxp(4) might have > lower RNR counter value but that fake value came from DMAing to > freed mbufs which was completely wrong. > Hmm, it seems there are other issues in the patch. I'll post new patch after fixing this. > Thanks.