Corrupt Data Detection
A hardened driver assumes that any data which it reads from the device may be corrupt. The data should be sanity checked, before use, if undesirable consequences are anticipated from its use or propagation.
In the dec21x4x ethernet driver the DMA buffers are not checked against corruption because this is already done by client's protocol stack (TCP/IP). However, code Example 13-5 illustrates how you could avoid an infinate loop when reading a register, by adding a break condition to the loop.
Example 13-5 loop on register value
/*
* Reset the PHY device.
*/
static void
phy_reset (Dec21Data* dec21)
{
unsigned int count = 10000;
mii_write_reg(dec21, MII_CTRL_REG, MII_CTRL_RESET);
do {
msecBusyWait(1);
} while ((mii_read_reg(dec21, MII_CTRL_REG) & MII_CTRL_RESET) && count--);
msecBusyWait(1);
}
Device Management and Control Data
Hardened drivers must act with extreme caution when using pointers, array indexes or memory offsets which are read or calculated from data retrieved from the device. These values should not be used until they are checked to ensure that they are within an expected range and have legal alignment. These types of pointer mechanisms can become misleading or malignant if the device has developed a fault.
A hardened driver will never loop simply upon a register value. An infinite loop may occur if a device breaks and returns stuck data. The hardened driver must have a method to break this type of loop.
Driver state information should be maintained in main memory, not on an I/O card.
Received Data
Device errors can result in corrupt data being placed in receive buffers. This corruption is indistinguishable from corruption occurring beyond the domain of the device, for example within a network. Typically, existing software will already be in place to handle such corruption through, for example, integrity checks at the transport layer of a protocol stack or within the application using the device.
If the received data is not going to be subjected to an integrity check at a higher layer, as in the case of a disk driver, it can be integrity-checked within the driver itself. However, such low level integrity checking can cause the greatest degradation to system performance. By not performing such checks at device level the results are, at worst, application failure or file corruption; it is not likely to cause a total system crash.
DMA
A defective device may be able to falsely initiate a DMA transfer over the bus. This type of data transfer may corrupt the system memory.
Some host bus bridges provide an IOMMU which allows you to map a DMA region (within the bus address space) to the system memory. On such hardware, the bus driver is able to protect the system memory (which is not used for DMA buffers) from corruption caused by a falsely initiated DMA transfer. The bus driver should not use a static one-to-one mapping (from the system memory to the bus space) to handle DMA transfers. Instead, it should manage IOMMU mappings dynamically. The dma_alloc() method maps a memory region to the bus space, enabling DMA transfers. The dma_free() method invalidates any mapping, disabling DMA to the memory region.
Note -
A defective device may still corrupt a DMA buffer managed by another device driver.
- © 2010, Oracle Corporation and/or its affiliates