This is the mail archive of the ecos-bugs@sourceware.org mailing list for the eCos project.
[Bug 1001655] New: eth_drv_send stack_corruption with CYGFUN_LWIP_MODE_SIMPLE
- From: bugzilla-daemon at bugs dot ecos dot sourceware dot org
- To: unassigned at bugs dot ecos dot sourceware dot org
- Date: Fri, 17 Aug 2012 08:09:42 +0100
- Subject: [Bug 1001655] New: eth_drv_send stack_corruption with CYGFUN_LWIP_MODE_SIMPLE
- Auto-submitted: auto-generated
Please do not reply to this email. Use the web interface provided at:
http://bugs.ecos.sourceware.org/show_bug.cgi?id=1001655
Summary: eth_drv_send stack_corruption with CYGFUN_LWIP_MODE_SIMPLE
Product: eCos
Version: CVS
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: critical
Priority: high
Component: lwIP
AssignedTo: unassigned@bugs.ecos.sourceware.org
ReportedBy: bernd.edlinger@hotmail.de
CC: ecos-bugs@ecos.sourceware.org
Class: Advice Request
Created an attachment (id=1899)
--> (http://bugs.ecos.sourceware.org/attachment.cgi?id=1899)
This fixes the crash.
Hello,
there is a problem in eth_drv_send() for LwIP.
This function is supposed to wait for the packet to go out
to the network.
The wait is done by calling sc->funs->poll 100 times in a loop.
If the packet is not sent by then the code assumes that will never
happen.
However this can be quite common, if:
a) the Processor is fast, like the AT91SAM9G45 which runs
with 400MHz and Caches enabled.
b) A full 1514 Byte packet is to be sent.
c) And maybe a 10BASE-T physical connection is used.
Sending that packet takes 1.5 ms in full-duplex,
but it can easily double for half-duplex.
The poll function does only access one device register,
while the packet is not yet sent, and returns very quickly.
However if the packet is eventually sent the driver calls
the function eth_drv_tx_done() just above which uses the
address of "done", to set *done=true, however the stack
frame is already gone, and another function may be executing
right now. => stack corruption
Furthermore the hardware driver is DMA based, at least in the case
of the AT91, and therefore at the time when the send function has
returned, the packet buffer will be re-used, but the driver is
still accessing it, and the sent packet may be corrupted in flight.
Note: The stack issue is fixed with this patch, as it makes "done" a static.
HOWEVER the Wait time (1000 iterations now) may still be too short,
which could free the packet buffer before it has been sent completely.
--
Configure bugmail: http://bugs.ecos.sourceware.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
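
The lifetime problem described in the report, modelled as an added example; this is not eCos code and not the attached patch. It keeps the completion flag in static storage, as the report says the patch does, and additionally returns a timeout status so the caller knows the device still owns the buffer, which is an assumption of this example. All names here (sim_dev, sim_poll, sim_tx_done, send_frame, buffer_in_flight, SEND_TIMEOUT) are hypothetical, and the device is a constructed stand-in that completes after a fixed number of polls.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for a DMA Ethernet device, not eCos code: the frame
 * is fully sent only after polls_needed calls to sim_poll(). */
struct sim_dev {
    int polls_needed;          /* polls until the hardware finishes */
    volatile bool *done_flag;  /* where the completion handler writes */
    const void *dma_buf;       /* buffer the hardware is still reading */
};

static void sim_tx_done(struct sim_dev *d)  /* plays eth_drv_tx_done() */
{
    if (d->done_flag) *d->done_flag = true;
    d->done_flag = NULL;
    d->dma_buf = NULL;                      /* hardware released the buffer */
}

static void sim_poll(struct sim_dev *d)     /* plays sc->funs->poll */
{
    if (d->dma_buf && --d->polls_needed <= 0) sim_tx_done(d);
}

enum send_status { SEND_OK, SEND_TIMEOUT };
/* Shape of the defect in the report (comment only, never executed):
 *     bool done = false;  d->done_flag = &done;     automatic storage
 *     poll a fixed number of times, then return     frame is popped
 *     ...later sim_tx_done() writes *done_flag      lands in a dead frame */
static enum send_status send_frame(struct sim_dev *d, const void *buf, int budget)
{
    static volatile bool done;  /* static: a late completion hits valid memory */
    done = false;
    d->done_flag = &done;
    d->dma_buf = buf;
    for (int i = 0; i < budget && !done; i++)
        sim_poll(d);
    /* On SEND_TIMEOUT the device still owns buf; the caller must not reuse it. */
    return done ? SEND_OK : SEND_TIMEOUT;
}

/* True while the hardware may still read the caller's buffer. */
static bool buffer_in_flight(const struct sim_dev *d) { return d->dma_buf != NULL; }

int main(void)
{
    static const char frame[1514];
    struct sim_dev d = { 250, NULL, NULL };   /* slower than the poll budget */
    return (send_frame(&d, frame, 100) == SEND_TIMEOUT && buffer_in_flight(&d)) ? 0 : 1;
}
```

In this model a single static flag cannot tell one frame's completion from the next, so after a timeout the caller should wait until buffer_in_flight() is false before starting another send.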