This is the mail archive of the ecos-bugs@sourceware.org mailing list for the eCos project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug 1001655] New: eth_drv_send stack_corruption withCYGFUN_LWIP_MODE_SIMPLE

From: bugzilla-daemon at bugs dot ecos dot sourceware dot org
To: unassigned at bugs dot ecos dot sourceware dot org
Date: Fri, 17 Aug 2012 08:09:42 +0100
Subject: [Bug 1001655] New: eth_drv_send stack_corruption withCYGFUN_LWIP_MODE_SIMPLE
Auto-submitted: auto-generated

Please do not reply to this email. Use the web interface provided at:
http://bugs.ecos.sourceware.org/show_bug.cgi?id=1001655

           Summary: eth_drv_send stack_corruption with
                    CYGFUN_LWIP_MODE_SIMPLE
           Product: eCos
           Version: CVS
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: critical
          Priority: high
         Component: lwIP
        AssignedTo: unassigned@bugs.ecos.sourceware.org
        ReportedBy: bernd.edlinger@hotmail.de
                CC: ecos-bugs@ecos.sourceware.org
             Class: Advice Request


Created an attachment (id=1899)
 --> (http://bugs.ecos.sourceware.org/attachment.cgi?id=1899)
This fixes the crash.

Hello,

there is a problem in eth_drv_send() for LwIP.
This function is supposed to wait for the packet to go out
to the network.
The wait is done by calling sc->funs->poll 100 times in a loop.
If the packet is not send by then the code assumes that will never
happen.
However this can be quite common, if:
a) the Processor is fast, like the AT91SAM9G45 which runs
   with 400MHz and Caches enabled.
b) A full 1514 Byte packet is to be sent.
c) And maybe a 10BASE-T physical connection is used.

Sending that packet takes 1.5 ms in full-duplex,
but it can easily double for half-duplex.

The poll function does only access one device register,
while the packet is not yet sent, and returns very quickly.

However if the packet is eventually sent the driver calls
the function eth_drv_tx_done() just above which uses the
address of "done", to set *done=true, however the stack
frame is alredy gone, and another function may be executing
right now. => stack corruption

Furthermore the hardware driver is DMA based, at least in the case
of the AT91, and therefore at the time when the send function has
returned, the packet buffer will be re-used, but the driver is
still accessing it, and the sent packet may be corrupted in flight.

Note: The stack issue is fixed with this patch, as it makes "done" a static.
HOWEVER the Wait time (1000 iterations now) may still be too short,
which could free the packet buffer before it has been sent completely.

-- 
Configure bugmail: http://bugs.ecos.sourceware.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]