mirror of https://git.FreeBSD.org/src.git synced 2025-01-07 13:14:51 +00:00
freebsd/sys/compat/ndis
Bill Paul a787e5ecf8 Add sanity checks to the ndis_packet and ndis_buffer pool handling
routines to guard against problems caused by (possibly) buggy drivers.

The RealTek 8180 wireless driver calls NdisFreeBuffer() to release
some of its buffers _after_ it's already called NdisFreeBufferPool()
to destroy the pool to which the buffers belong. In our implementation,
this error causes NdisFreeBuffer() to touch stale heap memory.

If you are running a release kernel, and hence have INVARIANTS et al
turned off, it turns out nothing happens. But if you're using a
development kernel config with INVARIANTS on, the malloc()/free()
sanity checks will scribble over the pool memory with 0xdeadc0de
once it's released so that any attempts to touch it will cause a
trap, and indeed this is what happens. It happens that I run 5.2-RELEASE
on my laptop, so when I tested the rtl8180.sys driver, it worked fine
for me, but people trying to run it with development systems checked
out or cvsupped from -current would get a page fault on driver load.

I can't find any reason why the NDISulator would cause the RealTek
driver to do the NdisFreeBufferPool() prematurely, and the same driver
obviously works with Windows -- or at least, it doesn't cause a crash:
the Microsoft documentation for NdisFreeBufferPool() says that failing
to return all buffers to the pool before calling NdisFreeBufferPool()
causes a memory leak.

I've written to my contacts at RealTek asking them to check if this
is indeed a bug in their driver. In the meantime, these new sanity checks
will catch this problem and issue a warning rather than causing a trap.
The trick is to keep a count of outstanding buffers for each buffer pool,
and if the driver tries to call NdisFreeBufferPool() while there are still
buffers outstanding, we mark the pool for deletion and then defer
destroying it until after the last buffer has been reclaimed.
2004-03-04 00:17:14 +00:00
cfg_var.h Deal with the duplicate sysctl leaf problem. A .inf file may contain 2003-12-18 03:51:21 +00:00
hal_var.h The definition for __stdcall logically belongs in pe_var.h, but 2004-01-15 21:31:49 +00:00
kern_ndis.c Fix a problem with the way we schedule work on the NDIS worker threads. 2004-02-14 20:57:32 +00:00
ndis_var.h Fix a problem with the way we schedule work on the NDIS worker threads. 2004-02-14 20:57:32 +00:00
ntoskrnl_var.h More cleanups/fixes for the AMD Am1771 driver: 2004-02-16 02:50:03 +00:00
pe_var.h The definition for __stdcall logically belongs in pe_var.h, but 2004-01-15 21:31:49 +00:00
resource_var.h
subr_hal.c Add stub implementations of KfLowerIrql() and KfRaiseIrql() (both of 2004-02-09 19:13:58 +00:00
subr_ndis.c Add sanity checks to the ndis_packet and ndis_buffer pool handling 2004-03-04 00:17:14 +00:00
subr_ntoskrnl.c Add sanity checks to the ndis_packet and ndis_buffer pool handling 2004-03-04 00:17:14 +00:00
subr_pe.c AMD64 has a single MS-Win calling convention, so provide an empty __stdcall. 2004-01-13 22:49:45 +00:00