From: Eric Dumazet <eric.dumazet@gmail.com>
To: Michael Tokarev <mjt@tls.msk.ru>
Cc: Linux-kernel <linux-kernel@vger.kernel.org>,
netdev <netdev@vger.kernel.org>
Subject: Re: [Security, resend] Instant crash with rtl8169 and large packets
Date: Mon, 08 Jun 2009 16:27:48 +0200 [thread overview]
Message-ID: <4A2D1FE4.5030100@gmail.com> (raw)
In-Reply-To: <4A2D1147.8020101@msgid.tls.msk.ru>
Michael Tokarev a écrit :
> [Please excuse me for the resend, --
> picked the wrong address for netdev again]
>
> Hello.
>
> This is a resend (sort of) of several months old email.
> Previous email about this issue has been mostly ignored.
>
> The situation is very simple: with an RTL8169 (probably
> onboard) GigE card which, by default, is configured to
> have MTU (maximal transmission unit) to be 1500 bytes,
> it's *trivial* to instantly crash the machine by sending
> it a *single* packet of size >1500 bytes (provided the
> network switch can handle jumbo frames).
>
> I verified with on several different machines - all I were
> able to find with this card - and all behaves exactly the
> same.
>
> When sending a packet of size, say, 3000 bytes (ping -s 3000)
> from another machine to a machine running rtl8169 with no
> MTU configured, kernel OOPSes.
>
> I captured one such OOPS (unfortunately without the first
> line few lines) here:
>
> http://www.corpit.ru/mjt/r8169-mtu-oops.jpg
>
> (since the network goes boom at that time, no network console
> is working).
>
> But for anyone familiar with the driver's internals it
> should be easy to figure the issue out.
>
> This is, in my opinion, quite a serious issue. And I've no
> idea why it is being ignored for several months.
I suppose you use a recent kernel ?
Could you please try following patch ?
Thank you
diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index e94316b..c08b97a 100644
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -3468,7 +3468,7 @@ static int rtl8169_rx_interrupt(struct net_device *dev,
if (status & DescOwn)
break;
- if (unlikely(status & RxRES)) {
+ if (unlikely(status & (RxRES | RxRWT | RxRUNT | RxCRC | RxFOVF))) {
if (netif_msg_rx_err(tp)) {
printk(KERN_INFO
"%s: Rx ERROR. status = %08x\n",
next prev parent reply other threads:[~2009-06-08 14:27 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-08 13:25 [Security, resend] Instant crash with rtl8169 and large packets Michael Tokarev
2009-06-08 14:27 ` Eric Dumazet [this message]
2009-06-08 14:53 ` Michael Tokarev
2009-06-08 15:06 ` Eric Dumazet
2009-06-08 15:37 ` Michael Tokarev
2009-06-08 15:59 ` Eric Dumazet
2009-06-08 16:26 ` Michael Tokarev
2009-06-08 17:30 ` Eric Dumazet
2009-06-08 19:28 ` Michael Tokarev
2009-06-08 19:57 ` Michael Tokarev
2009-06-08 21:17 ` Eric Dumazet
2009-06-08 21:27 ` Michael Tokarev
2009-06-09 11:20 ` Krzysztof Halasa
2009-06-08 22:02 ` Francois Romieu
-- strict thread matches above, loose matches on Subject: below --
2009-06-08 13:24 Michael Tokarev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A2D1FE4.5030100@gmail.com \
--to=eric.dumazet@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mjt@tls.msk.ru \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.