From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Michael Braun <michael-dev@fami-braun.de>,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 11/37] gianfar: fix jumbo packets+napi+rx overrun crash
Date: Tue, 16 Mar 2021 20:57:36 -0400	[thread overview]
Message-ID: <20210317005802.725825-11-sashal@kernel.org> (raw)
In-Reply-To: <20210317005802.725825-1-sashal@kernel.org>

From: Michael Braun <michael-dev@fami-braun.de>

[ Upstream commit d8861bab48b6c1fc3cdbcab8ff9d1eaea43afe7f ]

When using jumbo packets and overrunning rx queue with napi enabled,
the following sequence is observed in gfar_add_rx_frag:

   | lstatus                              |       | skb                   |
t  | lstatus,  size, flags                | first | len, data_len, *ptr   |
---+--------------------------------------+-------+-----------------------+
13 | 18002348, 9032, INTERRUPT LAST       | 0     | 9600, 8000,  f554c12e |
12 | 10000640, 1600, INTERRUPT            | 0     | 8000, 6400,  f554c12e |
11 | 10000640, 1600, INTERRUPT            | 0     | 6400, 4800,  f554c12e |
10 | 10000640, 1600, INTERRUPT            | 0     | 4800, 3200,  f554c12e |
09 | 10000640, 1600, INTERRUPT            | 0     | 3200, 1600,  f554c12e |
08 | 14000640, 1600, INTERRUPT FIRST      | 0     | 1600, 0,     f554c12e |
07 | 14000640, 1600, INTERRUPT FIRST      | 1     | 0,    0,     f554c12e |
06 | 1c000080, 128,  INTERRUPT LAST FIRST | 1     | 0,    0,     abf3bd6e |
05 | 18002348, 9032, INTERRUPT LAST       | 0     | 8000, 6400,  c5a57780 |
04 | 10000640, 1600, INTERRUPT            | 0     | 6400, 4800,  c5a57780 |
03 | 10000640, 1600, INTERRUPT            | 0     | 4800, 3200,  c5a57780 |
02 | 10000640, 1600, INTERRUPT            | 0     | 3200, 1600,  c5a57780 |
01 | 10000640, 1600, INTERRUPT            | 0     | 1600, 0,     c5a57780 |
00 | 14000640, 1600, INTERRUPT FIRST      | 1     | 0,    0,     c5a57780 |

So at t=7 a new packet is started but not finished, probably due to rx
overrun - but rx overrun is not indicated in the flags. Instead a new
packet starts at t=8. This results in skb->len exceeding size for the LAST
fragment at t=13 and thus a negative fragment size being added to the skb.

This then crashes:

kernel BUG at include/linux/skbuff.h:2277!
Oops: Exception in kernel mode, sig: 5 [#1]
...
NIP [c04689f4] skb_pull+0x2c/0x48
LR [c03f62ac] gfar_clean_rx_ring+0x2e4/0x844
Call Trace:
[ec4bfd38] [c06a84c4] _raw_spin_unlock_irqrestore+0x60/0x7c (unreliable)
[ec4bfda8] [c03f6a44] gfar_poll_rx_sq+0x48/0xe4
[ec4bfdc8] [c048d504] __napi_poll+0x54/0x26c
[ec4bfdf8] [c048d908] net_rx_action+0x138/0x2c0
[ec4bfe68] [c06a8f34] __do_softirq+0x3a4/0x4fc
[ec4bfed8] [c0040150] run_ksoftirqd+0x58/0x70
[ec4bfee8] [c0066ecc] smpboot_thread_fn+0x184/0x1cc
[ec4bff08] [c0062718] kthread+0x140/0x144
[ec4bff38] [c0012350] ret_from_kernel_thread+0x14/0x1c

This patch fixes this by checking for computed LAST fragment size, so a
negative sized fragment is never added.
In order to prevent the newer rx frame from getting corrupted, the FIRST
flag is checked to discard the incomplete older frame.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/gianfar.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
index 5cb58ab1eec9..a8959a092344 100644
--- a/drivers/net/ethernet/freescale/gianfar.c
+++ b/drivers/net/ethernet/freescale/gianfar.c
@@ -2388,6 +2388,10 @@ static bool gfar_add_rx_frag(struct gfar_rx_buff *rxb, u32 lstatus,
 		if (lstatus & BD_LFLAG(RXBD_LAST))
 			size -= skb->len;
 
+		WARN(size < 0, "gianfar: rx fragment size underflow");
+		if (size < 0)
+			return false;
+
 		skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page,
 				rxb->page_offset + RXBUF_ALIGNMENT,
 				size, GFAR_RXB_TRUESIZE);
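Review bot: the WARN() in this hunk fires on every occurrence, and an rx overrun recurs for as long as the link is saturated, so an attacker who can keep the ring overrun can flood the log at will; `if (WARN_ONCE(size < 0, "gianfar: rx fragment size underflow\n")) return false;` rate-limits it and also folds the duplicated `size < 0` test into one statement. Printing `size` and `skb->len` in the message would make the report actionable, since the negative value is the whole story. Returning false skips the fragment, but the caller's handling of a LAST descriptor whose fragment was refused is not visible here; it should be confirmed that the partially assembled skb is dropped rather than handed to gfar_process_frame() with len/data_len out of step.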
@@ -2550,6 +2554,17 @@ static int gfar_clean_rx_ring(struct gfar_priv_rx_q *rx_queue,
 		if (lstatus & BD_LFLAG(RXBD_EMPTY))
 			break;
 
+		/* lost RXBD_LAST descriptor due to overrun */
+		if (skb &&
+		    (lstatus & BD_LFLAG(RXBD_FIRST))) {
+			/* discard faulty buffer */
+			dev_kfree_skb(skb);
+			skb = NULL;
+			rx_queue->stats.rx_dropped++;
+
+			/* can continue normally */
+		}
+
 		/* order rx buffer descriptor reads */
 		rmb();
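Review bot: on the exact sequence in the commit message this FIRST-while-a-frame-is-open test is the check that actually fires, yet it is silent while the fallback in gfar_add_rx_frag() WARNs; on a production box an overrun now shows only as rx_dropped ticking up with no hint why. A rate-limited netdev message here (net_warn_ratelimited() or netdev_dbg()) would keep the event diagnosable without the log-flood risk. Freeing with dev_kfree_skb() is fine since the trace shows this loop running under __napi_poll(). Style: `if (skb && (lstatus & BD_LFLAG(RXBD_FIRST)))` fits on one line, and the trailing "can continue normally" comment carries no information.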
 
-- 
2.30.1
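The failure mode above is easy to misread from the table alone, so here is a
small model of the reassembly arithmetic and of the two checks, as an added
example that is not the driver's code. It reduces struct sk_buff to the fields
involved, decodes the FIRST/LAST bit positions from the lstatus values in the
table (0x14000640 = INTERRUPT|FIRST with length 0x640), replays the 14
descriptors from the commit message in three modes (unpatched, first hunk
only, both hunks), and treats a refused fragment as a dropped frame, which is a
modelling choice rather than observed driver behaviour.

```c
/* Model of gianfar rx reassembly: added example, not driver code. Descriptor
 * bits are decoded from the lstatus values in the commit message table. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RXBD_FIRST     0x04000000u
#define RXBD_LAST      0x08000000u
#define BD_LENGTH_MASK 0x0000ffffu
#define MAX_FRAGS      64

/* Just the sk_buff fields the bug touches. */
struct skb {
	unsigned int len;      /* linear head bytes + data_len */
	unsigned int data_len; /* bytes held in page fragments */
	unsigned int frag_size[MAX_FRAGS];
	unsigned int nr_frags;
};

enum mode {
	MODE_ORIGINAL,        /* before the patch */
	MODE_UNDERFLOW_CHECK, /* first hunk only: refuse a negative LAST size */
	MODE_PATCHED,         /* both hunks: also discard a stale frame on FIRST */
};

struct rx_stats {
	unsigned int delivered;  /* frames completed with consistent accounting */
	unsigned int corrupt;    /* frames completed with a bogus fragment size */
	unsigned int rx_dropped;
	unsigned int underflows; /* LAST descriptors whose computed size was < 0 */
};

/* Mirrors gfar_add_rx_frag(): a LAST descriptor's length is the whole frame,
 * so the last fragment is "total minus what the skb already holds". */
static bool add_rx_frag(struct skb *skb, uint32_t lstatus, bool first,
			enum mode mode, struct rx_stats *st)
{
	int size = lstatus & BD_LENGTH_MASK;

	if (first) { /* first fragment lands in the linear head */
		skb->len += size;
		return true;
	}
	if (lstatus & RXBD_LAST)
		size -= skb->len;
	if (size < 0) {
		st->underflows++;
		if (mode != MODE_ORIGINAL)
			return false; /* the patch's "size < 0 -> return false" */
		/* Unpatched: the negative int becomes an unsigned fragment length
		 * and wraps len/data_len, as skb_add_rx_frag() would do with it. */
	}
	if (skb->nr_frags >= MAX_FRAGS)
		return false;
	skb->frag_size[skb->nr_frags++] = (unsigned int)size;
	skb->len += (unsigned int)size;
	skb->data_len += (unsigned int)size;
	return true;
}

/* Invariant the rest of the stack relies on: fragments sum to data_len. */
static bool skb_consistent(const struct skb *skb)
{
	uint64_t sum = 0;

	for (unsigned int i = 0; i < skb->nr_frags; i++)
		sum += skb->frag_size[i];
	return sum == skb->data_len && skb->len >= skb->data_len;
}

/* Mirrors the descriptor loop of gfar_clean_rx_ring() over one ring pass. */
static struct rx_stats clean_rx_ring(const uint32_t *ring, size_t n, enum mode mode)
{
	struct rx_stats st = { 0 };
	struct skb skb = { 0 };
	bool in_progress = false;

	for (size_t i = 0; i < n; i++) {
		uint32_t lstatus = ring[i];
		bool first;

		/* Second hunk: FIRST while a frame is still open means the
		 * previous frame's LAST descriptor was lost to an rx overrun. */
		if (mode == MODE_PATCHED && in_progress && (lstatus & RXBD_FIRST)) {
			in_progress = false;
			st.rx_dropped++;
		}
		first = !in_progress;
		if (first) {
			memset(&skb, 0, sizeof(skb));
			in_progress = true;
		}
		if (!add_rx_frag(&skb, lstatus, first, mode, &st)) {
			in_progress = false; /* modelling choice: refused frame is dropped */
			st.rx_dropped++;
			continue;
		}
		if (!(lstatus & RXBD_LAST))
			continue;
		/* gfar_process_frame() would hand the skb up here. */
		if (skb_consistent(&skb))
			st.delivered++;
		else
			st.corrupt++;
		in_progress = false;
	}
	return st;
}

/* The 14 descriptors from the commit message table, oldest (t=00) first. */
static const uint32_t overrun_ring[] = {
	0x14000640, 0x10000640, 0x10000640, 0x10000640, 0x10000640, 0x18002348, /* t=00..05 */
	0x1c000080,                                                             /* t=06 */
	0x14000640,                                                             /* t=07: its LAST never arrives */
	0x14000640, 0x10000640, 0x10000640, 0x10000640, 0x10000640, 0x18002348, /* t=08..13 */
};
#define OVERRUN_RING_LEN (sizeof(overrun_ring) / sizeof(overrun_ring[0]))

int main(void)
{
	static const char *const names[] = { "original", "underflow check", "patched" };

	for (int m = MODE_ORIGINAL; m <= MODE_PATCHED; m++) {
		struct rx_stats st = clean_rx_ring(overrun_ring, OVERRUN_RING_LEN, (enum mode)m);

		printf("%-16s delivered=%u corrupt=%u dropped=%u underflows=%u\n",
		       names[m], st.delivered, st.corrupt, st.rx_dropped, st.underflows);
	}
	return 0;
}
```

Replaying the table shows why both hunks are needed: unpatched, the t=13 LAST
descriptor computes 9032 - 9600 = -568 and the frame is completed with a
fragment recorded as 4294966728 bytes while data_len wraps to 7432; with only
the size check the corruption is avoided but the t=13 frame is lost along with
the t=07 one; with the FIRST-while-open discard the stale t=07 fragment is
thrown away at t=08 and the newer frame is delivered intact at its true 9032
bytes.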

