RE: [PATCH net 2/2] r8152: rx descriptor check

Francois Romieu [mailto:rom...@fr.zoreil.com] > Sent: Tuesday, November 15, 2016 9:11 AM [...] > If it was possible to get it wrong once, it should be possible to > get it wrong twice, especially if some part of the hardware design > is recycled. I don't mean anything else. I agree with you.

Re: [PATCH net 2/2] r8152: rx descriptor check

Hayes Wang : > Francois Romieu [mailto:rom...@fr.zoreil.com] > > Sent: Friday, November 11, 2016 8:13 PM > [...] > > Invalid packet size corrupted receive descriptors in Realtek's device > > reminds of CVE-2009-4537. > > Do you mean that the driver would get a packet

Re: [PATCH net 2/2] r8152: rx descriptor check

From: Hayes Wang Date: Mon, 14 Nov 2016 07:23:51 + > Mark Lord [mailto:ml...@pobox.com] >> Sent: Monday, November 14, 2016 4:34 AM > [...] >> Perhaps the driver >> is somehow accessing the buffer space again after doing usb_submit_urb()? >> That would certainly produce

RE: [PATCH net 2/2] r8152: rx descriptor check

Mark Lord [mailto:ml...@pobox.com] > Sent: Monday, November 14, 2016 4:34 AM [...] > Perhaps the driver > is somehow accessing the buffer space again after doing usb_submit_urb()? > That would certainly produce this kind of behaviour. I don't think so. First, the driver only read the received

RE: [PATCH net 2/2] r8152: rx descriptor check

David Miller [mailto:da...@davemloft.net] > Sent: Monday, November 14, 2016 1:40 AM [...] > If you add this patch now, there is a much smaller likelyhood that you > will work with a high priority to figure out _why_ this is happening. > > For all we know this could be a platform bug in the DMA

RE: [PATCH net 2/2] r8152: rx descriptor check

Francois Romieu [mailto:rom...@fr.zoreil.com] > Sent: Friday, November 11, 2016 8:13 PM [...] > Invalid packet size corrupted receive descriptors in Realtek's device > reminds of CVE-2009-4537. Do you mean that the driver would get a packet exceed the size which is set to RxMaxSize? I check it

Re: [PATCH net 2/2] r8152: rx descriptor check

On 16-11-13 03:34 PM, Mark Lord wrote: > > The system I use it with is a 32-bit ppc476, with non-coherent RAM, > and using 16KB page sizes. > > The dongle instantly becomes a lot more reliable when r8152.c is updated > to use usb_alloc_coherent() for URB buffers, rather than kmalloc(). > > Not

Re: [PATCH net 2/2] r8152: rx descriptor check

On 16-11-13 12:39 PM, David Miller wrote: > From: Hayes Wang > Date: Fri, 11 Nov 2016 15:15:41 +0800 > >> For some platforms, the data in memory is not the same with the one >> from the device. That is, the data of memory is unbelievable. The >> check is used to find out

Re: [PATCH net 2/2] r8152: rx descriptor check

From: Hayes Wang Date: Fri, 11 Nov 2016 15:15:41 +0800 > For some platforms, the data in memory is not the same with the one > from the device. That is, the data of memory is unbelievable. The > check is used to find out this situation. > > Signed-off-by: Hayes Wang

Re: [PATCH net 2/2] r8152: rx descriptor check

On 16-11-11 07:13 AM, Francois Romieu wrote: > Hayes Wang : >> For some platforms, the data in memory is not the same with the one >> from the device. That is, the data of memory is unbelievable. The >> check is used to find out this situation. > > Invalid packet size

Re: [PATCH net 2/2] r8152: rx descriptor check

Hayes Wang : > For some platforms, the data in memory is not the same with the one > from the device. That is, the data of memory is unbelievable. The > check is used to find out this situation. Invalid packet size corrupted receive descriptors in Realtek's device reminds