From: Lorenzo Bianconi <lorenzo@kernel.org>
To: sashiko@lists.linux.dev
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org,
krzk+dt@kernel.org, robh@kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH net-next v5 02/12] net: airoha: Reserve RX headroom to avoid skb reallocation
Date: Mon, 11 May 2026 10:13:29 +0200
Message-ID: <agGPqVvwyCbVbROt@lore-desk>
In-Reply-To: <20260510140502.B244EC4AF0B@smtp.kernel.org>
[-- Attachment #1: Type: text/plain, Size: 2387 bytes --]
On May 10, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [High] Missing bounds check adjustment for RX packet length allows buffer overflows
> --
>
> commit f34e8812cb62dd63f96801a39b0d65ee905cd258
> Author: Lorenzo Bianconi <lorenzo@kernel.org>
>
> net: airoha: Reserve RX headroom to avoid skb reallocation
>
> This commit reserves NET_SKB_PAD + NET_IP_ALIGN bytes of headroom for
> received packets to avoid skb head reallocation when pushing protocol
> headers into the skb.
>
> > diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
> > --- a/drivers/net/ethernet/airoha/airoha_eth.c
> > +++ b/drivers/net/ethernet/airoha/airoha_eth.c
> [ ... ]
> > @@ -627,10 +629,12 @@ static int airoha_qdma_rx_process(struct airoha_queue *q, int budget)
> >
> > port = eth->ports[p];
> > if (!q->skb) { /* first buffer */
> > - q->skb = napi_build_skb(e->buf, q->buf_size);
> > + q->skb = napi_build_skb(e->buf - AIROHA_RX_HEADROOM,
> > + q->buf_size);
> > if (!q->skb)
> > goto free_frag;
> >
> > + skb_reserve(q->skb, AIROHA_RX_HEADROOM);
> > __skb_put(q->skb, len);
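Review bot: __skb_put(q->skb, len) in the first-buffer branch now runs after skb_reserve(q->skb, AIROHA_RX_HEADROOM), while napi_build_skb() is still given the unchanged q->buf_size, so the room left for len shrinks by AIROHA_RX_HEADROOM and nothing in this hunk lowers the limit len is checked against. Subtract AIROHA_RX_HEADROOM from the first-buffer length limit before this point, so that a descriptor length between the new and the old limit is dropped instead of moving skb->tail past skb->end. A short comment on the e->buf - AIROHA_RX_HEADROOM argument stating that the buffer is allocated with that headroom in front of e->buf would also help, since this hunk does not show it.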
>
> Does this code overlook adjusting the bounds check for the RX packet
> length?
>
> Earlier in airoha_qdma_rx_process(), the software validation check
> uses the unadjusted lengths:
>
> data_len = q->skb ? q->buf_size
> : SKB_WITH_OVERHEAD(q->buf_size);
> if (!len || data_len < len)
> goto free_frag;
>
> If the hardware descriptor returns a len that is larger than the newly
> adjusted dma_len but smaller than or equal to the old data_len, the
> check will pass.
>
> Since skb_reserve() shifts the skb->tail forward by AIROHA_RX_HEADROOM,
> will calling __skb_put(q->skb, len) with this unvalidated oversized len
> push skb->tail past skb->end and overflow the skb_shared_info structure?
>
> Similarly for scattered fragments, could an oversized len passed to
> skb_add_rx_frag() cause out-of-bounds memory accesses beyond the allocated
> page fragment?
ack, I will fix it in v6.
Regards,
Lorenzo
>
> --
> Sashiko AI review · https://sashiko.dev/#/patchset/20260509-airoha-eth-multi-serdes-v5-0-805e38edc2aa@kernel.org?part=2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
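The arithmetic behind the review comment, as an added userspace C model that is not part of the thread or the driver: it replays the first-buffer sequence (napi_build_skb(), skb_reserve(), __skb_put()) on plain offsets and counts the lengths that the quoted check accepts although they move tail past end. BUF_SIZE, RX_HEADROOM and SHINFO_SIZE are constructed values, and adjusted_check() is a hypothetical adjustment, not the v6 fix; the scattered-fragment case is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed values: the real ones depend on kernel config and driver setup. */
#define BUF_SIZE    2048u /* stands in for q->buf_size */
#define RX_HEADROOM 66u   /* stands in for AIROHA_RX_HEADROOM */
#define SHINFO_SIZE 320u  /* stands in for aligned sizeof(struct skb_shared_info) */
#define WITH_OVERHEAD(x) ((x) - SHINFO_SIZE) /* models SKB_WITH_OVERHEAD() */

/* Offsets from skb->head, as a first-buffer skb would track them. */
struct skb_model { size_t data, tail, end; };

/* Check quoted in the review: first buffer limited only by the shared-info overhead. */
static bool old_check(size_t len) { return len && len <= WITH_OVERHEAD(BUF_SIZE); }

/* Hypothetical adjusted check (an assumption): also subtract the reserved headroom. */
static bool adjusted_check(size_t len)
{
    return len && len <= WITH_OVERHEAD(BUF_SIZE) - RX_HEADROOM;
}

/* Replays napi_build_skb(), skb_reserve(), __skb_put(); true if tail passes end. */
static bool put_overflows(size_t len)
{
    struct skb_model skb = { 0, 0, WITH_OVERHEAD(BUF_SIZE) }; /* build */
    skb.data += RX_HEADROOM;                                   /* reserve */
    skb.tail += RX_HEADROOM;
    skb.tail += len;                                           /* put, unchecked */
    return skb.tail > skb.end;
}

/* Counts descriptor lengths that a check accepts but that overflow the buffer. */
static size_t unsafe_accepted(bool (*check)(size_t))
{
    size_t n = 0;
    for (size_t len = 0; len <= BUF_SIZE; len++)
        if (check(len) && put_overflows(len))
            n++;
    return n;
}

int main(void)
{
    printf("old check:      %zu unsafe lengths accepted\n", unsafe_accepted(old_check));
    printf("adjusted check: %zu unsafe lengths accepted\n", unsafe_accepted(adjusted_check));
    return 0;
}
```

The number of unsafe lengths the old check lets through equals the reserved headroom, which is the window the review describes.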