From: Mark Millard
Subject: Does sys/dev/fxp/if_fxp.c using cbp->tbd[-1].tb_size = htole32(m->m_pkthdr.tso_segsz << 16) make any sense?
Date: Fri, 21 Sep 2018 11:33:44 -0700
To: freebsd-hackers@freebsd.org

[I decided that freebsd-hackers might be better for this,
under a different wording.]

sys/dev/fxp/if_fxp.c uses the statement:

	cbp->tbd[-1].tb_size = htole32(m->m_pkthdr.tso_segsz << 16);

But sys/dev/fxp/if_fxpreg.h has the types involved as:

	struct fxp_cb_tx {
		uint16_t cb_status;
		uint16_t cb_command;
		uint32_t link_addr;
		uint32_t tbd_array_addr;
		uint16_t byte_count;
		uint8_t tx_threshold;
		uint8_t tbd_number;

		/*
		 * The following structure isn't actually part of the TxCB,
		 * unless the extended TxCB feature is being used. In this
		 * case, the first two elements of the structure below are
		 * fetched along with the TxCB.
		 */
		union {
			struct fxp_ipcb ipcb;
			struct fxp_tbd tbd[FXP_NTXSEG + 1];
		} tx_cb_u;
	};

So cbp->tbd is not pointing into the middle of an array.
Thus the cbp->tbd[-1].tb_size = . . . assignment trashes
memory from what I can tell.

/usr/src/sys/dev/fxp/if_fxp.c has the [-1] assignment in:

	/* Configure TSO. */
	if (m->m_pkthdr.csum_flags & CSUM_TSO) {
		cbp->tbd[-1].tb_size = htole32(m->m_pkthdr.tso_segsz << 16);
		cbp->tbd[1].tb_size |= htole32(tcp_payload << 16);
		cbp->ipcb_ip_schedule |= FXP_IPCB_LARGESEND_ENABLE |
		    FXP_IPCB_IP_CHECKSUM_ENABLE |
		    FXP_IPCB_TCP_PACKET |
		    FXP_IPCB_TCPUDP_CHECKSUM_ENABLE;
	}

This cbp->tbd[-1].tb_size use goes back to -r185330 in
2008-Nov-26. This is also when the "+ 1" was added to the:

	struct fxp_tbd tbd[FXP_NTXSEG + 1]

above.

clang 7 via xtoolchain-llvm70 reported:

	--- if_fxp.o ---
	/usr/src/sys/dev/fxp/if_fxp.c:1630:3: error: array index -1 is before the beginning of the array [-Werror,-Warray-bounds]
	                cbp->tbd[-1].tb_size = htole32(m->m_pkthdr.tso_segsz << 16);
	                ^        ~~
	/usr/src/sys/dev/fxp/if_fxpreg.h:297:3: note: array 'tbd' declared here
	                struct fxp_tbd tbd[FXP_NTXSEG + 1];
	                ^
	1 error generated.
	*** [if_fxp.o] Error code 1

It does look odd to me.

===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went away in
early 2018-Mar)
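
An added example (not part of the original message and not FreeBSD source) for triaging the -Warray-bounds report: it uses only offsetof/sizeof arithmetic, with no out-of-bounds access, to work out which bytes of the quoted struct fxp_cb_tx the index -1 element's tb_size would cover. The struct fxp_tbd layout, the 8-byte struct fxp_ipcb stand-in, the FXP_NTXSEG value and the helper names are assumptions, since the message does not show them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FXP_NTXSEG 35	/* assumed value; the message does not give it */
struct fxp_ipcb { uint8_t raw[8]; };			/* assumed 8-byte stand-in */
struct fxp_tbd { uint32_t tb_addr; uint32_t tb_size; };	/* assumed layout */

struct fxp_cb_tx {	/* members as quoted in the message */
	uint16_t cb_status;
	uint16_t cb_command;
	uint32_t link_addr;
	uint32_t tbd_array_addr;
	uint16_t byte_count;
	uint8_t tx_threshold;
	uint8_t tbd_number;
	union {
		struct fxp_ipcb ipcb;
		struct fxp_tbd tbd[FXP_NTXSEG + 1];
	} tx_cb_u;
};

/* Byte offset, from the start of the TxCB, that tbd[idx].tb_size would
 * occupy. Pure arithmetic: the array itself is never indexed. */
static long tb_size_offset(long idx)
{
	return (long)offsetof(struct fxp_cb_tx, tx_cb_u)
	    + idx * (long)sizeof(struct fxp_tbd)
	    + (long)offsetof(struct fxp_tbd, tb_size);
}

/* 1 if [off, off+len) overlaps the member at [m_off, m_off+m_len). */
static int overlaps(long off, long len, size_t m_off, size_t m_len)
{
	return off < (long)(m_off + m_len) && (long)m_off < off + len;
}

#define HITS(off, member) overlaps((off), (long)sizeof(uint32_t), \
	offsetof(struct fxp_cb_tx, member), sizeof(((struct fxp_cb_tx *)0)->member))

int main(void)
{
	long off = tb_size_offset(-1);
	printf("tbd[-1].tb_size -> TxCB bytes %ld..%ld\n", off, off + 3);
	printf("byte_count:%d tx_threshold:%d tbd_number:%d tbd_array_addr:%d\n",
	    HITS(off, byte_count), HITS(off, tx_threshold),
	    HITS(off, tbd_number), HITS(off, tbd_array_addr));
	return off < 0;	/* negative would mean a write before the TxCB itself */
}
```

Under these assumptions the computed range stays inside struct fxp_cb_tx and coincides with byte_count, tx_threshold and tbd_number; indexing the array at -1 is still outside the declared bounds of tbd, which is what the compiler diagnoses.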