From owner-svn-src-head@FreeBSD.ORG Fri May 14 17:39:28 2010 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7D08C1065670; Fri, 14 May 2010 17:39:28 +0000 (UTC) (envelope-from yongari@FreeBSD.org) Received: from svn.freebsd.org (unknown [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 6C7558FC0A; Fri, 14 May 2010 17:39:28 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o4EHdSY5024209; Fri, 14 May 2010 17:39:28 GMT (envelope-from yongari@svn.freebsd.org) Received: (from yongari@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o4EHdSaW024207; Fri, 14 May 2010 17:39:28 GMT (envelope-from yongari@svn.freebsd.org) Message-Id: <201005141739.o4EHdSaW024207@svn.freebsd.org> From: Pyun YongHyeon Date: Fri, 14 May 2010 17:39:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r208084 - head/sys/dev/fxp X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 May 2010 17:39:28 -0000 Author: yongari Date: Fri May 14 17:39:28 2010 New Revision: 208084 URL: http://svn.freebsd.org/changeset/base/208084 Log: If controller received bad frames make sure to update newly added RFA. Also drop frames that have either CRC error or alignment error. Normally bad frames are not received at all. But controllers running in promiscuous mode will receive bad frames. 82557 will also receive bad frames to receive VLAN oversized frames. While I'm here mark RNR condition if driver happen to see RNR in RFA status and restart RU to receive frames again. Because driver checks all received frames in RX loop, RNR condition could be set in the middle of RX processing. Just relying on RNR interrupt was not enough. This change fixes "Memory modified after free" issue when fxp(4) is running as a member of if_bridge(4). Tested by: Larry Baird gta dot com> MFC after: 5 days Modified: head/sys/dev/fxp/if_fxp.c Modified: head/sys/dev/fxp/if_fxp.c ============================================================================== --- head/sys/dev/fxp/if_fxp.c Fri May 14 16:58:37 2010 (r208083) +++ head/sys/dev/fxp/if_fxp.c Fri May 14 17:39:28 2010 (r208084) @@ -1916,6 +1916,8 @@ fxp_intr_body(struct fxp_softc *sc, stru if ((status & FXP_RFA_STATUS_C) == 0) break; + if ((status & FXP_RFA_STATUS_RNR) != 0) + rnr++; /* * Advance head forward. */ @@ -1942,9 +1944,12 @@ fxp_intr_body(struct fxp_softc *sc, stru total_len -= 2; } if (total_len < sizeof(struct ether_header) || - total_len > MCLBYTES - RFA_ALIGNMENT_FUDGE - - sc->rfa_size || status & FXP_RFA_STATUS_CRC) { + total_len > (MCLBYTES - RFA_ALIGNMENT_FUDGE - + sc->rfa_size) || + status & (FXP_RFA_STATUS_CRC | + FXP_RFA_STATUS_ALIGN)) { m_freem(m); + fxp_add_rfabuf(sc, rxp); continue; }