re: (maybe) crash your VAX from userspace

To: port-vax%netbsd.org@localhost, Alexander Schreiber <als%thangorodrim.ch@localhost>
Subject: re: (maybe) crash your VAX from userspace
From: matthew green <mrg%eterna23.net@localhost>
Date: Sat, 23 Mar 2024 19:43:54 +1100

simple problem: ifp->if_init callback is NULL, leading to
an attempt to jump to 0 which faults.

   https://www.netbsd.org/~mrg/if_qe.if_init.diff

repeated below, it's not big.  i can now run:

  ifconfig qe0 mtu 512


.mrg.


vax/qe(4): supply an ipf->if_init() so that if_init() doesn't crash.

convert the existing qeinit() to one compatible with if_init.


Index: if_qe.c
===================================================================
RCS file: /cvsroot/src/sys/dev/qbus/if_qe.c,v
retrieving revision 1.81
diff -p -u -r1.81 if_qe.c
--- if_qe.c	28 May 2019 07:41:49 -0000	1.81
+++ if_qe.c	23 Mar 2024 08:37:43 -0000
@@ -97,7 +97,7 @@ struct	qe_softc {
 
 static	int	qematch(device_t, cfdata_t, void *);
 static	void	qeattach(device_t, device_t, void *);
-static	void	qeinit(struct qe_softc *);
+static	int	qeinit(struct ifnet *);
 static	void	qestart(struct ifnet *);
 static	void	qeintr(void *);
 static	int	qeioctl(struct ifnet *, u_long, void *);
@@ -341,6 +341,7 @@ qeattach(device_t parent, device_t self,
 	ifp->if_softc = sc;
 	ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
 	ifp->if_start = qestart;
+	ifp->if_init = qeinit;
 	ifp->if_ioctl = qeioctl;
 	ifp->if_watchdog = qetimeout;
 	IFQ_SET_READY(&ifp->if_snd);
@@ -381,10 +382,10 @@ qeattach(device_t parent, device_t self,
 /*
  * Initialization of interface.
  */
-void
-qeinit(struct qe_softc *sc)
+int
+qeinit(struct ifnet *ifp)
 {
-	struct ifnet *ifp = (struct ifnet *)&sc->sc_if;
+	struct qe_softc *sc = ifp->if_softc;
 	struct qe_cdata *qc = sc->sc_qedata;
 	int i;
 
@@ -411,7 +412,6 @@ qeinit(struct qe_softc *sc)
 		qc->qc_xmit[i].qe_status1 = qc->qc_xmit[i].qe_flag = QE_NOTYET;
 	}
 
-
 	/*
 	 * Init receive descriptors.
 	 */
@@ -436,6 +436,7 @@ qeinit(struct qe_softc *sc)
 	 */
 	qe_setup(sc);
 
+	return 0;
 }
 
 /*
@@ -651,7 +652,7 @@ qeioctl(struct ifnet *ifp, u_long cmd, v
 		switch (ifa->ifa_addr->sa_family) {
 #ifdef INET
 		case AF_INET:
-			qeinit(sc);
+			qeinit(ifp);
 			arp_ifinit(ifp, ifa);
 			break;
 #endif
@@ -677,7 +678,7 @@ qeioctl(struct ifnet *ifp, u_long cmd, v
 			 * If interface it marked up and it is stopped, then
 			 * start it.
 			 */
-			qeinit(sc);
+			qeinit(ifp);
 			break;
 		case IFF_UP | IFF_RUNNING:
 			/*
@@ -868,5 +869,5 @@ qetimeout(struct ifnet *ifp)
 	 * Do a reset of interface, to get it going again.
 	 * Will it work by just restart the transmit logic?
 	 */
-	qeinit(sc);
+	qeinit(ifp);
 }

Follow-Ups:
- Re: (maybe) crash your VAX from userspace
  - From: Alexander Schreiber

References:
- re: (maybe) crash your VAX from userspace
  - From: matthew green

Prev by Date: Re: VAXstation 4000/90 SCSI weirdness on 10 RC5
Next by Date: Re: (maybe) crash your VAX from userspace
Previous by Thread: re: (maybe) crash your VAX from userspace
Next by Thread: Re: (maybe) crash your VAX from userspace
Indexes:

Home | Main Index | Thread Index | Old Index