Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 21 Sep 2018 11:33:44 -0700
From:      Mark Millard <marklmi@yahoo.com>
To:        freebsd-hackers@freebsd.org
Subject:   Does sys/dev/fxp/if_fxp.c using cbp->tbd[-1].tb_size = htole32(m->m_pkthdr.tso_segsz << 16) make any sense?
Message-ID:  <3E0252F3-3E65-4A2B-B17A-3BBFBAFFD5F6@yahoo.com>
In-Reply-To: <3EBF1660-6CD5-4C80-A36D-4DE945073006@yahoo.com>
References:  <3EBF1660-6CD5-4C80-A36D-4DE945073006@yahoo.com>
index | next in thread | previous in thread | raw e-mail 

[I decided that freebsd-hackers might be better for this,
under a different wording.]

sys/dev/fxp/if_fxp.c uses the statement:

cbp->tbd[-1].tb_size = htole32(m->m_pkthdr.tso_segsz << 16);

But sys/dev/fxp/if_fxpreg.h has the types involved as:

struct fxp_cb_tx {
      uint16_t cb_status;
      uint16_t cb_command;
      uint32_t link_addr;
      uint32_t tbd_array_addr;
      uint16_t byte_count;
      uint8_t tx_threshold;
      uint8_t tbd_number;

      /*
       * The following structure isn't actually part of the TxCB,
       * unless the extended TxCB feature is being used.  In this
       * case, the first two elements of the structure below are
       * fetched along with the TxCB.
       */
      union {
              struct fxp_ipcb ipcb;
              struct fxp_tbd tbd[FXP_NTXSEG + 1];
      } tx_cb_u;
};

So cbp->tbd is not pointing into the middle of an array.
Thus the cbp->tbd[-1].tb_size = . . . assignment trashes memory
from what I can tell.

/usr/src/sys/dev/fxp/if_fxp.c has the [-1] assignment in:

      /* Configure TSO. */
      if (m->m_pkthdr.csum_flags & CSUM_TSO) {
              cbp->tbd[-1].tb_size = htole32(m->m_pkthdr.tso_segsz << 16);
              cbp->tbd[1].tb_size |= htole32(tcp_payload << 16);
              cbp->ipcb_ip_schedule |= FXP_IPCB_LARGESEND_ENABLE |
                  FXP_IPCB_IP_CHECKSUM_ENABLE |
                  FXP_IPCB_TCP_PACKET |
                  FXP_IPCB_TCPUDP_CHECKSUM_ENABLE;
      }

This cbp->tbd[-1].tb_size use goes back to -r185330 in 2008-Nov-26.

This is also when the "+ 1" was added to the:

struct fxp_tbd tbd[FXP_NTXSEG + 1]

above.

clang 7 via xtoolchain-llvm70 reported:

--- if_fxp.o ---
/usr/src/sys/dev/fxp/if_fxp.c:1630:3: error: array index -1 is before the beginning of the array [-Werror,-Warray-bounds]
              cbp->tbd[-1].tb_size = htole32(m->m_pkthdr.tso_segsz << 16);
              ^        ~~
/usr/src/sys/dev/fxp/if_fxpreg.h:297:3: note: array 'tbd' declared here
              struct fxp_tbd tbd[FXP_NTXSEG + 1];
              ^
1 error generated.
*** [if_fxp.o] Error code 1

It does look odd to me.


===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)
help

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E0252F3-3E65-4A2B-B17A-3BBFBAFFD5F6>