Home Explore Help
Register Sign In
wareck
/
openwrt_lede
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 488fc98adf
Branches Tags
openwrt_lede
/
target
/
linux
/
brcm2708
/
patches-4.4
/
0471-enc28j60-Fix-race-condition-in-enc28j60-driver.patch

0471-enc28j60-Fix-race-condition-in-enc28j60-driver.patch 2.6 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. From edfa1131e425e0dafe9561fee792a0d319fa734e Mon Sep 17 00:00:00 2001
    2. 

  2. From: Sergio Valverde <sergio.valverde@hpe.com>
    3. 

  3. Date: Fri, 1 Jul 2016 11:44:30 -0600
    4. 

  4. Subject: [PATCH] enc28j60: Fix race condition in enc28j60 driver
    5. 

  5. 

  6. (Upstream commit 373819ec391de0d11f63b10b2fb69ef2854236ca)
    7. 

  7. 

  8. The interrupt worker code for the enc28j60 relies only on the TXIF flag to
    9. 

  9. determinate if the packet transmission was completed. However the datasheet
    10. 

  10. specifies in section 12.1.3 that TXERIF will clear the TXRTS after a
    11. 

  11. transmit abort. Also in section 12.1.4 that TXIF will be set
    12. 

  12. when TXRTS transitions from '1' to '0'. Therefore the TXIF flag is enabled
    13. 

  13. during transmission errors.
    14. 

  14. 

  15. This causes a race condition, since the worker code will invoke
    16. 

  16. enc28j60_tx_clear() -> netif_wake_queue(), potentially invoking the
    17. 

  17. ndo_start_xmit function to send a new packet. The enc28j60_send_packet function
    18. 

  18. uses a workqueue that invokes enc28j60_hw_tx(). In between this function is
    19. 

  19. called, the worker from the interrupt handler will enter the path for error
    20. 

  20. handler because of the TXERIF flag, causing to invoke enc28j60_tx_clear() again
    21. 

  21. and releasing the packet scheduled for transmission, causing a kernel crash with
    22. 

  22. due a NULL pointer.
    23. 

  23. 

  24. These crashes due a NULL pointer were observed under stress conditions of the
    25. 

  25. device. A BUG_ON() sequence was used to validate the issue was fixed, and has
    26. 

  26. been running without problems for 2 years now.
    27. 

  27. 

  28. Signed-off-by: Diego Dompe <dompe@hpe.com>
    29. 

  29. Acked-by: Sergio Valverde <sergio.valverde@hpe.com>
    30. 

  30. Signed-off-by: David S. Miller <davem@davemloft.net>
    31. 

  31. ---
    32. 

  32.  drivers/net/ethernet/microchip/enc28j60.c | 7 +++++--
    33. 

  33.  1 file changed, 5 insertions(+), 2 deletions(-)
    34. 

  34. 

  35. --- a/drivers/net/ethernet/microchip/enc28j60.c
    36. 

  36. +++ b/drivers/net/ethernet/microchip/enc28j60.c
    37. 

  37. @@ -1147,7 +1147,8 @@ static void enc28j60_irq_work_handler(st
    38. 

  38.  			enc28j60_phy_read(priv, PHIR);
    39. 

  39.  		}
    40. 

  40.  		/* TX complete handler */
    41. 

  41. -		if ((intflags & EIR_TXIF) != 0) {
    42. 

  42. +		if (((intflags & EIR_TXIF) != 0) &&
    43. 

  43. +		    ((intflags & EIR_TXERIF) == 0)) {
    44. 

  44.  			bool err = false;
    45. 

  45.  			loop++;
    46. 

  46.  			if (netif_msg_intr(priv))
    47. 

  47. @@ -1199,7 +1200,7 @@ static void enc28j60_irq_work_handler(st
    48. 

  48.  					enc28j60_tx_clear(ndev, true);
    49. 

  49.  			} else
    50. 

  50.  				enc28j60_tx_clear(ndev, true);
    51. 

  51. -			locked_reg_bfclr(priv, EIR, EIR_TXERIF);
    52. 

  52. +			locked_reg_bfclr(priv, EIR, EIR_TXERIF | EIR_TXIF);
    53. 

  53.  		}
    54. 

  54.  		/* RX Error handler */
    55. 

  55.  		if ((intflags & EIR_RXERIF) != 0) {
    56. 

  56. @@ -1234,6 +1235,8 @@ static void enc28j60_irq_work_handler(st
    57. 

  57.   */
    58. 

  58.  static void enc28j60_hw_tx(struct enc28j60_net *priv)
    59. 

  59.  {
    60. 

  60. +	BUG_ON(!priv->tx_skb);
    61. 

  61. +
    62. 

  62.  	if (netif_msg_tx_queued(priv))
    63. 

  63.  		printk(KERN_DEBUG DRV_NAME
    64. 

  64.  			": Tx Packet Len:%d\n", priv->tx_skb->len);
    65.