From: Jakub Kicinski <kuba@kernel.org>
To: jiefeng.z.zhang@gmail.com
Cc: netdev@vger.kernel.org, davem@davemloft.net, pabeni@redhat.com,
andrew+netdev@lunn.ch, edumazet@google.com,
linux-kernel@vger.kernel.org, irusskikh@marvell.com
Subject: Re: [PATCH net] net: atlantic: fix fragment overflow handling in RX path
Date: Tue, 18 Nov 2025 12:24:30 -0800 [thread overview]
Message-ID: <20251118122430.65cc5738@kernel.org> (raw)
In-Reply-To: <20251118070402.56150-1-jiefeng.z.zhang@gmail.com>
On Tue, 18 Nov 2025 15:04:02 +0800 jiefeng.z.zhang@gmail.com wrote:
> From: Jiefeng Zhang <jiefeng.z.zhang@gmail.com>
>
> The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)
> fragments when handling large multi-descriptor packets. This causes an
> out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.
>
> The issue occurs because the driver doesn't check the total number of
> fragments before calling skb_add_rx_frag(). When a packet requires more
> than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.
>
> Add a check in __aq_ring_rx_clean() to ensure the total number of fragments
> (including the initial header fragment and subsequent descriptor fragments)
> does not exceed MAX_SKB_FRAGS. If it does, drop the packet gracefully
> and increment the error counter.
First off, some basic Linux mailing list savoir vivre:
- please don't top post
- please don't resubmit your code within 24h of previous posting
- please wait for a discussion to close before you send another version
Quoting your response:
https://lore.kernel.org/all/CADEc0q6iLdpwYsyGAwH4qzST8G7asjdqgR6+ymXMy1k0wRwhNQ@mail.gmail.com/
> I have used git send-email to send my code.
>
> As for the patch --The aquantia/atlantic driver supports a maximum of
> AQ_CFG_SKB_FRAGS_MAX (32U) fragments, while the kernel limits the
> maximum number of fragments to MAX_SKB_FRAGS (17).
Frag count limits in drivers are usually for Tx not Rx.
Again, why do you think this driver can generate more frags than 17?
--
pw-bot: cr
next prev parent reply other threads:[~2025-11-18 20:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-18 7:04 [PATCH net] net: atlantic: fix fragment overflow handling in RX path jiefeng.z.zhang
2025-11-18 20:24 ` Jakub Kicinski [this message]
2025-11-19 8:38 ` Jiefeng
2025-11-20 3:03 ` Jakub Kicinski
2025-11-20 13:06 ` Jiefeng
2025-11-22 1:36 ` Jiefeng
2025-11-22 2:01 ` Jakub Kicinski
2025-11-24 14:08 ` Jiefeng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251118122430.65cc5738@kernel.org \
--to=kuba@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=irusskikh@marvell.com \
--cc=jiefeng.z.zhang@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.