From: David Carlier <devnexen@gmail.com>
To: netdev@vger.kernel.org
Cc: David Carlier <devnexen@gmail.com>,
stable@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>,
Kaiyuan Zhang <kaiyuanz@google.com>,
Mina Almasry <almasrymina@google.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH net] net: devmem: reject TX dma-buf with non-page-aligned size or SG length
Date: Sun, 17 May 2026 21:18:14 +0100 [thread overview]
Message-ID: <20260517201814.222563-1-devnexen@gmail.com> (raw)
The TX dma-buf bind assumes dmabuf->size and every sg_dma_len() are
PAGE_SIZE multiples: tx_vec is sized dmabuf->size / PAGE_SIZE and
indexed by virt_addr / PAGE_SIZE, with only a virt_addr < dmabuf->size
bound check. A non-page-aligned size lets sendmsg() reach the tail
region past the last populated slot and read one past tx_vec[]. A
non-page-aligned, non-final SG entry causes the same OOB indirectly
by desyncing later slots.
Reject both up front. Real exporters (udmabuf, dma-buf heaps, GPU
drivers) already page-align, so this only refuses layouts the TX path
can't back correctly.
Fixes: bd61848900bf ("net: devmem: Implement TX path")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
---
net/core/devmem.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/net/core/devmem.c b/net/core/devmem.c
index 468344739db2..e72f48ff9094 100644
--- a/net/core/devmem.c
+++ b/net/core/devmem.c
@@ -193,6 +193,7 @@ net_devmem_bind_dmabuf(struct net_device *dev,
struct dma_buf *dmabuf;
unsigned int sg_idx, i;
unsigned long virtual;
+ bool todevice;
int err;
if (!dma_dev) {
@@ -240,7 +241,14 @@ net_devmem_bind_dmabuf(struct net_device *dev,
goto err_detach;
}
- if (direction == DMA_TO_DEVICE) {
+ todevice = direction == DMA_TO_DEVICE;
+
+ if (todevice) {
+ if (!IS_ALIGNED(dmabuf->size, PAGE_SIZE)) {
+ err = -EINVAL;
+ NL_SET_ERR_MSG(extack, "TX dma-buf size must be a multiple of PAGE_SIZE");
+ goto err_unmap;
+ }
binding->tx_vec = kvmalloc_objs(struct net_iov *,
dmabuf->size / PAGE_SIZE);
if (!binding->tx_vec) {
@@ -267,6 +275,12 @@ net_devmem_bind_dmabuf(struct net_device *dev,
size_t len = sg_dma_len(sg);
struct net_iov *niov;
+ if (todevice && !IS_ALIGNED(len, PAGE_SIZE)) {
+ err = -EINVAL;
+ NL_SET_ERR_MSG(extack, "TX dma-buf SG length must be PAGE_SIZE aligned");
+ goto err_free_chunks;
+ }
+
owner = kzalloc_node(sizeof(*owner), GFP_KERNEL,
dev_to_node(&dev->dev));
if (!owner) {
--
2.53.0
next reply other threads:[~2026-05-17 20:18 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 20:18 David Carlier [this message]
2026-05-18 15:25 ` [PATCH net] net: devmem: reject TX dma-buf with non-page-aligned size or SG length Stanislav Fomichev
2026-05-18 17:37 ` David CARLIER
2026-05-18 16:26 ` Bobby Eshleman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260517201814.222563-1-devnexen@gmail.com \
--to=devnexen@gmail.com \
--cc=almasrymina@google.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kaiyuanz@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@fomichev.me \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.