tulip 0.89K and rx_copybreak scheme...

Matti Aarnio matti.aarnio@sonera.fi
Mon Sep 14 09:07:19 1998


Hello,

I found nasty looking problems when I tried the latest Tulip (test?)
driver on my Alpha running 2.1.122(pre2) kernel:  (21143 chip onboard)

Kernel panic: skput:over: fffffe00000118cc:16444 put:16444 dev:eth0
In interrupt handler - not syncing
eth0: Re-entering the interrupt handler.
eth0: Re-entering the interrupt handler.


It seems the 'status' register contains some more extra bits in the
upper 16 bits, than those which 0.89K expects there to be (topmost
"sign" only?).  The fix is below (cut & paste from my screen, so
probably you need to apply it manually..)

At the same time I noticed that the entire  rx_copybreak  scheme
as used in several drivers has one generic problem:

IF the ``pkt_len'' (or whatever name it has) has value exceeding
that of the pre-allocated skb buffer block (with extra set bits
in it, like I had), kernel panic is certain :-(

Sometimes that can happen due to lack of tests/masks, sometimes
the pkt_len value is masked down to 8k-1, or 2k-1, or whatever,
which makes reception of packets larger than buffer-space very
unlikely to occur..

	/Matti Aarnio <matti.aarnio@sonera.fi>

# diff -w -u ../tulip.c-089K drivers/net/tulip.c
--- ../tulip.c-089K     Sat Aug  8 00:00:00 1998
+++ drivers/net/tulip.c Mon Sep 14 14:45:45 1998
@@ -2395,7 +2395,8 @@
                        }
                } else {
                        /* Omit the four octet CRC from the length. */
-                       short pkt_len = (status >> 16) - 4;
+                       /* Pick only the packet length counter bits! */
+                       short pkt_len = ((status >> 16) & 0x07FF) - 4;
                        struct sk_buff *skb;
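
Review bot: In the new pkt_len line the mask caps the length field at 0x07FF, but nothing visible in this hunk compares the result with the size of the receive buffer, and a length field below 4 leaves pkt_len negative after the "- 4". Suggest dropping the frame when the masked value is below 4 or larger than the buffer before skb is used, and giving 0x07FF a named constant with a comment saying which status bits it covers.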
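
The length problem described in the message above, as an added example (not code from the message or from the tulip driver): the unmasked computation next to a masked and bounds-checked one. The function names, the 1536-byte RX_BUF_SZ and the sample status words are assumptions constructed for illustration; the first sample is chosen so that the unmasked result equals the 16444 in the panic line.

```c
#include <stdint.h>
#include <stdio.h>

#define RX_LEN_SHIFT 16
#define RX_LEN_MASK  0x07FFu  /* length-counter mask taken from the patch */
#define CRC_LEN      4u       /* four octet CRC omitted from the length */
#define RX_BUF_SZ    1536u    /* assumed size of the pre-allocated buffer */

/* Length as the '-' line of the patch computes it: no mask, no bound. */
int rx_len_unmasked(uint32_t status)
{
    return (short)((status >> RX_LEN_SHIFT) - CRC_LEN);
}

/*
 * Masked and validated length. Returns the payload length without the
 * CRC, or -1 when the frame has to be dropped instead of copied.
 */
int rx_len_checked(uint32_t status, unsigned buf_sz)
{
    unsigned raw = (status >> RX_LEN_SHIFT) & RX_LEN_MASK;

    if (raw < CRC_LEN)  /* runt: subtracting the CRC would go negative */
        return -1;
    if (raw > buf_sz)   /* frame, CRC included, does not fit the buffer */
        return -1;
    return (int)(raw - CRC_LEN);
}

int main(void)
{
    /* Constructed status words: only the upper 16 bits matter here. */
    const uint32_t samples[] = {
        0x40400000u,  /* length 0x40 plus one extra upper bit (0x4000) */
        0x00020000u,  /* length 2, shorter than the CRC */
        0x07FF0000u,  /* length 2047, larger than the assumed buffer */
        0x06000000u,  /* length 1536, exactly fills the assumed buffer */
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("status=%08x unmasked=%d checked=%d\n",
               (unsigned)samples[i], rx_len_unmasked(samples[i]),
               rx_len_checked(samples[i], RX_BUF_SZ));
    return 0;
}
```

A caller would treat -1 as a receive error and recycle the descriptor without touching the skb.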