diff mbox series

[edk2,edk2-platforms] Silicon/SynQuacer/NetsecDxe: fix buffer allocation bug

Message ID 20180412092349.8680-1-ard.biesheuvel@linaro.org
State New
Headers show
Series [edk2,edk2-platforms] Silicon/SynQuacer/NetsecDxe: fix buffer allocation bug | expand

Commit Message

Ard Biesheuvel April 12, 2018, 9:23 a.m. UTC 
The receive buffers of the NETSEC driver are owned by the driver itself
(as opposed to the protocol client in the case of the transmit path),
and so the descriptors and the buffers (which are of a fixed size) are
allocated in one go. The idea is that the 'buffer' member of the
descriptor should point to a DMA aligned offset into the same allocation,
but the code in pfdep_alloc_pkt_buf() calculates the value incorrectly,
resulting in corruption of the descriptor metadata if the pool allocation
happens to be DMA aligned.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

---
 Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.17.0

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Comments

Leif Lindholm April 19, 2018, 10:44 a.m. UTC | #1 
On Thu, Apr 12, 2018 at 11:23:49AM +0200, Ard Biesheuvel wrote:
> The receive buffers of the NETSEC driver are owned by the driver itself

> (as opposed to the protocol client in the case of the transmit path),

> and so the descriptors and the buffers (which are of a fixed size) are

> allocated in one go. The idea is that the 'buffer' member of the

> descriptor should point to a DMA aligned offset into the same allocation,

> but the code in pfdep_alloc_pkt_buf() calculates the value incorrectly,

> resulting in corruption of the descriptor metadata if the pool allocation

> happens to be DMA aligned.

> 

> Contributed-under: TianoCore Contribution Agreement 1.1

> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>


Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>


> ---

>  Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c | 2 +-

>  1 file changed, 1 insertion(+), 1 deletion(-)

> 

> diff --git a/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c b/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c

> index b43d1aaff037..0875558c08ea 100644

> --- a/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c

> +++ b/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c

> @@ -134,7 +134,7 @@ pfdep_alloc_pkt_buf (

>        return PFDEP_ERR_ALLOC;

>      }

>  

> -    (*pkt_handle_p)->Buffer = ALIGN_POINTER (*pkt_handle_p,

> +    (*pkt_handle_p)->Buffer = ALIGN_POINTER (*pkt_handle_p + 1,

>                                               mCpu->DmaBufferAlignment);

>    }

>  

> -- 

> 2.17.0

> 

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Ard Biesheuvel April 19, 2018, 12:53 p.m. UTC | #2 
On 19 April 2018 at 12:44, Leif Lindholm <leif.lindholm@linaro.org> wrote:
> On Thu, Apr 12, 2018 at 11:23:49AM +0200, Ard Biesheuvel wrote:

>> The receive buffers of the NETSEC driver are owned by the driver itself

>> (as opposed to the protocol client in the case of the transmit path),

>> and so the descriptors and the buffers (which are of a fixed size) are

>> allocated in one go. The idea is that the 'buffer' member of the

>> descriptor should point to a DMA aligned offset into the same allocation,

>> but the code in pfdep_alloc_pkt_buf() calculates the value incorrectly,

>> resulting in corruption of the descriptor metadata if the pool allocation

>> happens to be DMA aligned.

>>

>> Contributed-under: TianoCore Contribution Agreement 1.1

>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

>

> Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>

>


Thanks

Pushed as 61716249316b

>> ---

>>  Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c | 2 +-

>>  1 file changed, 1 insertion(+), 1 deletion(-)

>>

>> diff --git a/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c b/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c

>> index b43d1aaff037..0875558c08ea 100644

>> --- a/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c

>> +++ b/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c

>> @@ -134,7 +134,7 @@ pfdep_alloc_pkt_buf (

>>        return PFDEP_ERR_ALLOC;

>>      }

>>

>> -    (*pkt_handle_p)->Buffer = ALIGN_POINTER (*pkt_handle_p,

>> +    (*pkt_handle_p)->Buffer = ALIGN_POINTER (*pkt_handle_p + 1,

>>                                               mCpu->DmaBufferAlignment);

>>    }

>>

>> --

>> 2.17.0

>>

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
diff mbox series

Patch

diff --git a/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c b/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c
index b43d1aaff037..0875558c08ea 100644
--- a/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c
+++ b/Silicon/Socionext/SynQuacer/Drivers/Net/NetsecDxe/netsec_for_uefi/pfdep_uefi.c
@@ -134,7 +134,7 @@  pfdep_alloc_pkt_buf (
       return PFDEP_ERR_ALLOC;
     }
 
-    (*pkt_handle_p)->Buffer = ALIGN_POINTER (*pkt_handle_p,
+    (*pkt_handle_p)->Buffer = ALIGN_POINTER (*pkt_handle_p + 1,
                                              mCpu->DmaBufferAlignment);
   }