From: Jesse Brandeburg <jesse.brandeburg@intel.com>
To: Xiaohui Zhang <ruc_zhangxiaohui@163.com>
Cc: Shannon Nelson <snelson@pensando.io>,
Pensando Drivers <drivers@pensando.io>,
"David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, <netdev@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/1] ionic: fix array overflow on receiving too many fragments for a packet
Date: Sun, 6 Dec 2020 17:51:57 -0800 [thread overview]
Message-ID: <20201206175157.0000170d@intel.com> (raw)
In-Reply-To: <20201206133537.30135-1-ruc_zhangxiaohui@163.com>
Xiaohui Zhang wrote:
> From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
>
> If the hardware receives an oversized packet with too many rx fragments,
> skb_shinfo(skb)->frags can overflow and corrupt memory of adjacent pages.
> This becomes especially visible if it corrupts the freelist pointer of
> a slab page.
>
> Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
Hi, thanks for your patch.
It appears this is a part of a series of patches (at least this one and
one to the ice driver) - please send as one series, with a cover letter
explanation.
Please justify how this is a bug and how this is found / reproduced.
I'll respond separately to the ice driver patch as I don't know this
hardware and it's limits, but I suspect that you've tried to fix a bug
where there was none. (It seems like something a code scanner might find
and be confused about)
> ---
> drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
> index 169ac4f54..a3e274c65 100644
> --- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
> +++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
> @@ -102,8 +102,12 @@ static struct sk_buff *ionic_rx_frags(struct ionic_queue *q,
>
> dma_unmap_page(dev, dma_unmap_addr(page_info, dma_addr),
> PAGE_SIZE, DMA_FROM_DEVICE);
> - skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
> + struct skb_shared_info *shinfo = skb_shinfo(skb);
you can't declare variables in the middle of a code flow in C, did you
compile this?
> +
> + if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
> + skb_add_rx_frag(skb, shinfo->nr_frags,
> page_info->page, 0, frag_len, PAGE_SIZE);
> + }
> page_info->page = NULL;
> page_info++;
> i--;
next prev parent reply other threads:[~2020-12-07 1:52 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-06 13:35 [PATCH 1/1] ionic: fix array overflow on receiving too many fragments for a packet Xiaohui Zhang
2020-12-07 1:51 ` Jesse Brandeburg [this message]
2020-12-07 3:41 ` Shannon Nelson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201206175157.0000170d@intel.com \
--to=jesse.brandeburg@intel.com \
--cc=davem@davemloft.net \
--cc=drivers@pensando.io \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=ruc_zhangxiaohui@163.com \
--cc=snelson@pensando.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.