* [PATCH] drivers: net: axienet: safely drop oversized RX frames
@ 2025-05-08 15:04 Can Ayberk Demir
2025-05-09 6:08 ` Gupta, Suraj
2025-05-09 6:37 ` [PATCH v2] " Can Ayberk Demir
0 siblings, 2 replies; 11+ messages in thread
From: Can Ayberk Demir @ 2025-05-08 15:04 UTC (permalink / raw)
To: netdev
Cc: Radhey Shyam Pandey, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Michal Simek, linux-arm-kernel,
linux-kernel, Can Ayberk DEMIR
From: Can Ayberk DEMIR <ayberkdemir@gmail.com>
In AXI Ethernet (axienet) driver, receiving an Ethernet frame larger
than the allocated skb buffer may cause memory corruption or kernel panic,
especially when the interface MTU is small and a jumbo frame is received.
Signed-off-by: Can Ayberk DEMIR <ayberkdemir@gmail.com>
---
.../net/ethernet/xilinx/xilinx_axienet_main.c | 46 +++++++++++--------
1 file changed, 27 insertions(+), 19 deletions(-)
diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
index 1b7a653c1f4e..a74ac8fe8ea8 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
@@ -1223,28 +1223,36 @@ static int axienet_rx_poll(struct napi_struct *napi, int budget)
dma_unmap_single(lp->dev, phys, lp->max_frm_size,
DMA_FROM_DEVICE);
- skb_put(skb, length);
- skb->protocol = eth_type_trans(skb, lp->ndev);
- /*skb_checksum_none_assert(skb);*/
- skb->ip_summed = CHECKSUM_NONE;
-
- /* if we're doing Rx csum offload, set it up */
- if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
- csumstatus = (cur_p->app2 &
- XAE_FULL_CSUM_STATUS_MASK) >> 3;
- if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
- csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
- skb->ip_summed = CHECKSUM_UNNECESSARY;
+ if (unlikely(length > skb_tailroom(skb))) {
+ netdev_warn(ndev,
+ "Dropping oversized RX frame (len=%u, tailroom=%u)\n",
+ length, skb_tailroom(skb));
+ dev_kfree_skb(skb);
+ skb = NULL;
+ }else{
+ skb_put(skb, length);
+ skb->protocol = eth_type_trans(skb, lp->ndev);
+ /*skb_checksum_none_assert(skb);*/
+ skb->ip_summed = CHECKSUM_NONE;
+
+ /* if we're doing Rx csum offload, set it up */
+ if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
+ csumstatus = (cur_p->app2 &
+ XAE_FULL_CSUM_STATUS_MASK) >> 3;
+ if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
+ csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+ }
+ } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
+ skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
+ skb->ip_summed = CHECKSUM_COMPLETE;
}
- } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
- skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
- skb->ip_summed = CHECKSUM_COMPLETE;
- }
- napi_gro_receive(napi, skb);
+ napi_gro_receive(napi, skb);
- size += length;
- packets++;
+ size += length;
+ packets++;
+ }
}
new_skb = napi_alloc_skb(napi, lp->max_frm_size);
--
2.39.5 (Apple Git-154)
^ permalink raw reply related [flat|nested] 11+ messages in thread
* RE: [PATCH] drivers: net: axienet: safely drop oversized RX frames
2025-05-08 15:04 [PATCH] drivers: net: axienet: safely drop oversized RX frames Can Ayberk Demir
@ 2025-05-09 6:08 ` Gupta, Suraj
2025-05-09 6:37 ` [PATCH v2] " Can Ayberk Demir
1 sibling, 0 replies; 11+ messages in thread
From: Gupta, Suraj @ 2025-05-09 6:08 UTC (permalink / raw)
To: Can Ayberk Demir, netdev@vger.kernel.org
Cc: Pandey, Radhey Shyam, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simek, Michal,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
[AMD Official Use Only - AMD Internal Distribution Only]
> -----Original Message-----
> From: Can Ayberk Demir <ayberkdemir@gmail.com>
> Sent: Thursday, May 8, 2025 8:34 PM
> To: netdev@vger.kernel.org
> Cc: Pandey, Radhey Shyam <radhey.shyam.pandey@amd.com>; Andrew Lunn
> <andrew+netdev@lunn.ch>; David S . Miller <davem@davemloft.net>; Eric
> Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo
> Abeni <pabeni@redhat.com>; Simek, Michal <michal.simek@amd.com>; linux-arm-
> kernel@lists.infradead.org; linux-kernel@vger.kernel.org; Can Ayberk DEMIR
> <ayberkdemir@gmail.com>
> Subject: [PATCH] drivers: net: axienet: safely drop oversized RX frames
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> From: Can Ayberk DEMIR <ayberkdemir@gmail.com>
>
> In AXI Ethernet (axienet) driver, receiving an Ethernet frame larger than the allocated
> skb buffer may cause memory corruption or kernel panic, especially when the
> interface MTU is small and a jumbo frame is received.
>
> Signed-off-by: Can Ayberk DEMIR <ayberkdemir@gmail.com>
> ---
> .../net/ethernet/xilinx/xilinx_axienet_main.c | 46 +++++++++++--------
> 1 file changed, 27 insertions(+), 19 deletions(-)
>
Please fix alignment and coding styles, some of them reported by checkpatch:
CHECK: Alignment should match open parenthesis
#46: FILE: drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1228:
+ netdev_warn(ndev,
+ "Dropping oversized RX frame (len=%u, tailroom=%u)\n",
ERROR: space required before the open brace '{'
#50: FILE: drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1232:
+ }else{
ERROR: space required after that close brace '}'
#50: FILE: drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1232:
+ }else{
CHECK: Alignment should match open parenthesis
#61: FILE: drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1243:
+ if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
+ csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
total: 2 errors, 0 warnings, 2 checks, 55 lines checked
FYR: https://www.kernel.org/doc/html/v4.10/process/coding-style.html
> diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> index 1b7a653c1f4e..a74ac8fe8ea8 100644
> --- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> +++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> @@ -1223,28 +1223,36 @@ static int axienet_rx_poll(struct napi_struct *napi, int
> budget)
> dma_unmap_single(lp->dev, phys, lp->max_frm_size,
> DMA_FROM_DEVICE);
>
> - skb_put(skb, length);
> - skb->protocol = eth_type_trans(skb, lp->ndev);
> - /*skb_checksum_none_assert(skb);*/
> - skb->ip_summed = CHECKSUM_NONE;
> -
> - /* if we're doing Rx csum offload, set it up */
> - if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
> - csumstatus = (cur_p->app2 &
> - XAE_FULL_CSUM_STATUS_MASK) >> 3;
> - if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
> - csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
> - skb->ip_summed = CHECKSUM_UNNECESSARY;
> + if (unlikely(length > skb_tailroom(skb))) {
> + netdev_warn(ndev,
> + "Dropping oversized RX frame (len=%u,
> tailroom=%u)\n",
> + length, skb_tailroom(skb));
> + dev_kfree_skb(skb);
> + skb = NULL;
> + }else{
> + skb_put(skb, length);
> + skb->protocol = eth_type_trans(skb, lp->ndev);
> + /*skb_checksum_none_assert(skb);*/
> + skb->ip_summed = CHECKSUM_NONE;
> +
> + /* if we're doing Rx csum offload, set it up */
> + if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
> + csumstatus = (cur_p->app2 &
> + XAE_FULL_CSUM_STATUS_MASK) >> 3;
> + if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
> + csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
> + skb->ip_summed = CHECKSUM_UNNECESSARY;
> + }
> + } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM)
> {
> + skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
> + skb->ip_summed =
> + CHECKSUM_COMPLETE;
> }
> - } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
> - skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
> - skb->ip_summed = CHECKSUM_COMPLETE;
> - }
>
> - napi_gro_receive(napi, skb);
> + napi_gro_receive(napi, skb);
>
> - size += length;
> - packets++;
> + size += length;
> + packets++;
> + }
> }
>
> new_skb = napi_alloc_skb(napi, lp->max_frm_size);
> --
> 2.39.5 (Apple Git-154)
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH v2] drivers: net: axienet: safely drop oversized RX frames
2025-05-08 15:04 [PATCH] drivers: net: axienet: safely drop oversized RX frames Can Ayberk Demir
2025-05-09 6:08 ` Gupta, Suraj
@ 2025-05-09 6:37 ` Can Ayberk Demir
2025-05-09 8:06 ` Gupta, Suraj
` (2 more replies)
1 sibling, 3 replies; 11+ messages in thread
From: Can Ayberk Demir @ 2025-05-09 6:37 UTC (permalink / raw)
To: netdev
Cc: Radhey Shyam Pandey, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Michal Simek, linux-arm-kernel,
linux-kernel, Can Ayberk DEMIR
From: Can Ayberk DEMIR <ayberkdemir@gmail.com>
This patch addresses style issues pointed out in v1.
In AXI Ethernet (axienet) driver, receiving an Ethernet frame larger
than the allocated skb buffer may cause memory corruption or kernel panic,
especially when the interface MTU is small and a jumbo frame is received.
Signed-off-by: Can Ayberk DEMIR <ayberkdemir@gmail.com>
---
.../net/ethernet/xilinx/xilinx_axienet_main.c | 46 +++++++++++--------
1 file changed, 27 insertions(+), 19 deletions(-)
diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
index 1b7a653c1f4e..2b375dd06def 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
@@ -1223,28 +1223,36 @@ static int axienet_rx_poll(struct napi_struct *napi, int budget)
dma_unmap_single(lp->dev, phys, lp->max_frm_size,
DMA_FROM_DEVICE);
- skb_put(skb, length);
- skb->protocol = eth_type_trans(skb, lp->ndev);
- /*skb_checksum_none_assert(skb);*/
- skb->ip_summed = CHECKSUM_NONE;
-
- /* if we're doing Rx csum offload, set it up */
- if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
- csumstatus = (cur_p->app2 &
- XAE_FULL_CSUM_STATUS_MASK) >> 3;
- if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
- csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
- skb->ip_summed = CHECKSUM_UNNECESSARY;
+ if (unlikely(length > skb_tailroom(skb))) {
+ netdev_warn(ndev,
+ "Dropping oversized RX frame (len=%u, tailroom=%u)\n",
+ length, skb_tailroom(skb));
+ dev_kfree_skb(skb);
+ skb = NULL;
+ } else {
+ skb_put(skb, length);
+ skb->protocol = eth_type_trans(skb, lp->ndev);
+ /*skb_checksum_none_assert(skb);*/
+ skb->ip_summed = CHECKSUM_NONE;
+
+ /* if we're doing Rx csum offload, set it up */
+ if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
+ csumstatus = (cur_p->app2 &
+ XAE_FULL_CSUM_STATUS_MASK) >> 3;
+ if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
+ csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+ }
+ } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
+ skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
+ skb->ip_summed = CHECKSUM_COMPLETE;
}
- } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
- skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
- skb->ip_summed = CHECKSUM_COMPLETE;
- }
- napi_gro_receive(napi, skb);
+ napi_gro_receive(napi, skb);
- size += length;
- packets++;
+ size += length;
+ packets++;
+ }
}
new_skb = napi_alloc_skb(napi, lp->max_frm_size);
--
2.39.5 (Apple Git-154)
^ permalink raw reply related [flat|nested] 11+ messages in thread
* RE: [PATCH v2] drivers: net: axienet: safely drop oversized RX frames
2025-05-09 6:37 ` [PATCH v2] " Can Ayberk Demir
@ 2025-05-09 8:06 ` Gupta, Suraj
2025-05-09 8:18 ` Gupta, Suraj
2025-05-09 10:47 ` [PATCH net v3] " Can Ayberk Demir
2025-05-13 22:18 ` [PATCH v2] drivers: " kernel test robot
2 siblings, 1 reply; 11+ messages in thread
From: Gupta, Suraj @ 2025-05-09 8:06 UTC (permalink / raw)
To: Can Ayberk Demir, netdev@vger.kernel.org
Cc: Pandey, Radhey Shyam, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simek, Michal,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
[AMD Official Use Only - AMD Internal Distribution Only]
> -----Original Message-----
> From: Can Ayberk Demir <ayberkdemir@gmail.com>
> Sent: Friday, May 9, 2025 12:07 PM
> To: netdev@vger.kernel.org
> Cc: Pandey, Radhey Shyam <radhey.shyam.pandey@amd.com>; Andrew Lunn
> <andrew+netdev@lunn.ch>; David S . Miller <davem@davemloft.net>; Eric
> Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo
> Abeni <pabeni@redhat.com>; Simek, Michal <michal.simek@amd.com>; linux-
> arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org; Can Ayberk DEMIR
> <ayberkdemir@gmail.com>
> Subject: [PATCH v2] drivers: net: axienet: safely drop oversized RX frames
>
Since it's bug fix, please use subject prefix [Patch net vx]
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> From: Can Ayberk DEMIR <ayberkdemir@gmail.com>
>
> This patch addresses style issues pointed out in v1.
Please add changelogs below "---" after SOB
>
> In AXI Ethernet (axienet) driver, receiving an Ethernet frame larger than the
> allocated skb buffer may cause memory corruption or kernel panic, especially when
> the interface MTU is small and a jumbo frame is received.
>
Please add Fixes tag and better to add call trace of kernel crash.
> Signed-off-by: Can Ayberk DEMIR <ayberkdemir@gmail.com>
> ---
> .../net/ethernet/xilinx/xilinx_axienet_main.c | 46 +++++++++++--------
> 1 file changed, 27 insertions(+), 19 deletions(-)
>
> diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> index 1b7a653c1f4e..2b375dd06def 100644
> --- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> +++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> @@ -1223,28 +1223,36 @@ static int axienet_rx_poll(struct napi_struct *napi, int
> budget)
> dma_unmap_single(lp->dev, phys, lp->max_frm_size,
> DMA_FROM_DEVICE);
>
> - skb_put(skb, length);
> - skb->protocol = eth_type_trans(skb, lp->ndev);
> - /*skb_checksum_none_assert(skb);*/
> - skb->ip_summed = CHECKSUM_NONE;
> -
> - /* if we're doing Rx csum offload, set it up */
> - if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
> - csumstatus = (cur_p->app2 &
> - XAE_FULL_CSUM_STATUS_MASK) >> 3;
> - if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
> - csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
> - skb->ip_summed = CHECKSUM_UNNECESSARY;
> + if (unlikely(length > skb_tailroom(skb))) {
> + netdev_warn(ndev,
> + "Dropping oversized RX frame (len=%u,
> tailroom=%u)\n",
> + length, skb_tailroom(skb));
> + dev_kfree_skb(skb);
> + skb = NULL;
Update packet drop in netdev stats?
> + } else {
> + skb_put(skb, length);
> + skb->protocol = eth_type_trans(skb, lp->ndev);
> + /*skb_checksum_none_assert(skb);*/
> + skb->ip_summed = CHECKSUM_NONE;
> +
> + /* if we're doing Rx csum offload, set it up */
> + if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
> + csumstatus = (cur_p->app2 &
> + XAE_FULL_CSUM_STATUS_MASK) >> 3;
> + if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
> + csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
> + skb->ip_summed = CHECKSUM_UNNECESSARY;
> + }
> + } else if (lp->features &
> XAE_FEATURE_PARTIAL_RX_CSUM) {
> + skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
> + skb->ip_summed =
> + CHECKSUM_COMPLETE;
> }
> - } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
> - skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
> - skb->ip_summed = CHECKSUM_COMPLETE;
> - }
>
> - napi_gro_receive(napi, skb);
> + napi_gro_receive(napi, skb);
>
> - size += length;
> - packets++;
> + size += length;
> + packets++;
> + }
> }
>
> new_skb = napi_alloc_skb(napi, lp->max_frm_size);
> --
> 2.39.5 (Apple Git-154)
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: [PATCH v2] drivers: net: axienet: safely drop oversized RX frames
2025-05-09 8:06 ` Gupta, Suraj
@ 2025-05-09 8:18 ` Gupta, Suraj
0 siblings, 0 replies; 11+ messages in thread
From: Gupta, Suraj @ 2025-05-09 8:18 UTC (permalink / raw)
To: Gupta, Suraj, Can Ayberk Demir, netdev@vger.kernel.org
Cc: Pandey, Radhey Shyam, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simek, Michal,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
[AMD Official Use Only - AMD Internal Distribution Only]
> -----Original Message-----
> From: Gupta, Suraj <Suraj.Gupta2@amd.com>
> Sent: Friday, May 9, 2025 1:36 PM
> To: Can Ayberk Demir <ayberkdemir@gmail.com>; netdev@vger.kernel.org
> Cc: Pandey, Radhey Shyam <radhey.shyam.pandey@amd.com>; Andrew Lunn
> <andrew+netdev@lunn.ch>; David S . Miller <davem@davemloft.net>; Eric
> Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo
> Abeni <pabeni@redhat.com>; Simek, Michal <michal.simek@amd.com>; linux-
> arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org
> Subject: RE: [PATCH v2] drivers: net: axienet: safely drop oversized RX frames
>
> [AMD Official Use Only - AMD Internal Distribution Only]
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> [AMD Official Use Only - AMD Internal Distribution Only]
>
> > -----Original Message-----
> > From: Can Ayberk Demir <ayberkdemir@gmail.com>
> > Sent: Friday, May 9, 2025 12:07 PM
> > To: netdev@vger.kernel.org
> > Cc: Pandey, Radhey Shyam <radhey.shyam.pandey@amd.com>; Andrew Lunn
> > <andrew+netdev@lunn.ch>; David S . Miller <davem@davemloft.net>; Eric
> > Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo
> > Abeni <pabeni@redhat.com>; Simek, Michal <michal.simek@amd.com>;
> > linux- arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org;
> > Can Ayberk DEMIR <ayberkdemir@gmail.com>
> > Subject: [PATCH v2] drivers: net: axienet: safely drop oversized RX
> > frames
> >
>
> Since it's bug fix, please use subject prefix [Patch net vx]
>
>
There are compilation errors in your patch. Please test the build and basic data transfer.
drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1227:45: error: 'ndev' undeclared (first use in this function); did you mean 'cdev'?
1227 | netdev_warn(ndev,
| ^~~~
| cdev
> > Caution: This message originated from an External Source. Use proper
> > caution when opening attachments, clicking links, or responding.
> >
> >
> > From: Can Ayberk DEMIR <ayberkdemir@gmail.com>
> >
> > This patch addresses style issues pointed out in v1.
>
> Please add changelogs below "---" after SOB
> >
> > In AXI Ethernet (axienet) driver, receiving an Ethernet frame larger
> > than the allocated skb buffer may cause memory corruption or kernel
> > panic, especially when the interface MTU is small and a jumbo frame is received.
> >
>
> Please add Fixes tag and better to add call trace of kernel crash.
>
> > Signed-off-by: Can Ayberk DEMIR <ayberkdemir@gmail.com>
> > ---
> > .../net/ethernet/xilinx/xilinx_axienet_main.c | 46
> > +++++++++++--------
> > 1 file changed, 27 insertions(+), 19 deletions(-)
> >
> > diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> > b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> > index 1b7a653c1f4e..2b375dd06def 100644
> > --- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> > +++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> > @@ -1223,28 +1223,36 @@ static int axienet_rx_poll(struct napi_struct
> > *napi, int
> > budget)
> > dma_unmap_single(lp->dev, phys, lp->max_frm_size,
> > DMA_FROM_DEVICE);
> >
> > - skb_put(skb, length);
> > - skb->protocol = eth_type_trans(skb, lp->ndev);
> > - /*skb_checksum_none_assert(skb);*/
> > - skb->ip_summed = CHECKSUM_NONE;
> > -
> > - /* if we're doing Rx csum offload, set it up */
> > - if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
> > - csumstatus = (cur_p->app2 &
> > - XAE_FULL_CSUM_STATUS_MASK) >> 3;
> > - if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
> > - csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
> > - skb->ip_summed = CHECKSUM_UNNECESSARY;
> > + if (unlikely(length > skb_tailroom(skb))) {
> > + netdev_warn(ndev,
> > + "Dropping oversized RX
> > + frame (len=%u,
> > tailroom=%u)\n",
> > + length, skb_tailroom(skb));
> > + dev_kfree_skb(skb);
> > + skb = NULL;
>
> Update packet drop in netdev stats?
>
> > + } else {
> > + skb_put(skb, length);
> > + skb->protocol = eth_type_trans(skb, lp->ndev);
> > + /*skb_checksum_none_assert(skb);*/
> > + skb->ip_summed = CHECKSUM_NONE;
> > +
> > + /* if we're doing Rx csum offload, set it up */
> > + if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
> > + csumstatus = (cur_p->app2 &
> > + XAE_FULL_CSUM_STATUS_MASK) >> 3;
> > + if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
> > + csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
> > + skb->ip_summed =
> CHECKSUM_UNNECESSARY;
> > + }
> > + } else if (lp->features &
> > XAE_FEATURE_PARTIAL_RX_CSUM) {
> > + skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
> > + skb->ip_summed =
> > + CHECKSUM_COMPLETE;
> > }
> > - } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
> > - skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
> > - skb->ip_summed = CHECKSUM_COMPLETE;
> > - }
> >
> > - napi_gro_receive(napi, skb);
> > + napi_gro_receive(napi, skb);
> >
> > - size += length;
> > - packets++;
> > + size += length;
> > + packets++;
> > + }
> > }
> >
> > new_skb = napi_alloc_skb(napi, lp->max_frm_size);
> > --
> > 2.39.5 (Apple Git-154)
> >
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH net v3] net: axienet: safely drop oversized RX frames
2025-05-09 6:37 ` [PATCH v2] " Can Ayberk Demir
2025-05-09 8:06 ` Gupta, Suraj
@ 2025-05-09 10:47 ` Can Ayberk Demir
2025-05-09 15:17 ` Gupta, Suraj
2025-05-16 8:43 ` [PATCH net v4] " Can Ayberk Demir
2025-05-13 22:18 ` [PATCH v2] drivers: " kernel test robot
2 siblings, 2 replies; 11+ messages in thread
From: Can Ayberk Demir @ 2025-05-09 10:47 UTC (permalink / raw)
To: netdev
Cc: Radhey Shyam Pandey, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Michal Simek, linux-arm-kernel,
linux-kernel, Can Ayberk DEMIR
From: Can Ayberk DEMIR <ayberkdemir@gmail.com>
In AXI Ethernet (axienet) driver, receiving an Ethernet frame larger
than the allocated skb buffer may cause memory corruption or kernel panic,
especially when the interface MTU is small and a jumbo frame is received.
Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
This bug was discovered during testing on a Kria K26 platform. When an
oversized frame is received and `skb_put()` is called without checking
the tailroom, the following kernel panic occurs:
skb_panic+0x58/0x5c
skb_put+0x90/0xb0
axienet_rx_poll+0x130/0x4ec
...
Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt
Signed-off-by: Can Ayberk DEMIR <ayberkdemir@gmail.com>
---
Changes in v3:
- Fixed 'ndev' undeclared error → replaced with 'lp->ndev'
- Added rx_dropped++ for statistics
- Added Fixes: tag
Changes in v2:
- This patch addresses style issues pointed out in v1.
---
.../net/ethernet/xilinx/xilinx_axienet_main.c | 47 +++++++++++--------
1 file changed, 28 insertions(+), 19 deletions(-)
diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
index 1b7a653c1f4e..7a12132e2b7c 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
@@ -1223,28 +1223,37 @@ static int axienet_rx_poll(struct napi_struct *napi, int budget)
dma_unmap_single(lp->dev, phys, lp->max_frm_size,
DMA_FROM_DEVICE);
- skb_put(skb, length);
- skb->protocol = eth_type_trans(skb, lp->ndev);
- /*skb_checksum_none_assert(skb);*/
- skb->ip_summed = CHECKSUM_NONE;
-
- /* if we're doing Rx csum offload, set it up */
- if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
- csumstatus = (cur_p->app2 &
- XAE_FULL_CSUM_STATUS_MASK) >> 3;
- if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
- csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
- skb->ip_summed = CHECKSUM_UNNECESSARY;
+ if (unlikely(length > skb_tailroom(skb))) {
+ netdev_warn(lp->ndev,
+ "Dropping oversized RX frame (len=%u, tailroom=%u)\n",
+ length, skb_tailroom(skb));
+ dev_kfree_skb(skb);
+ lp->ndev->stats.rx_dropped++;
+ skb = NULL;
+ } else {
+ skb_put(skb, length);
+ skb->protocol = eth_type_trans(skb, lp->ndev);
+ /*skb_checksum_none_assert(skb);*/
+ skb->ip_summed = CHECKSUM_NONE;
+
+ /* if we're doing Rx csum offload, set it up */
+ if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
+ csumstatus = (cur_p->app2 &
+ XAE_FULL_CSUM_STATUS_MASK) >> 3;
+ if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
+ csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+ }
+ } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
+ skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
+ skb->ip_summed = CHECKSUM_COMPLETE;
}
- } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
- skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
- skb->ip_summed = CHECKSUM_COMPLETE;
- }
- napi_gro_receive(napi, skb);
+ napi_gro_receive(napi, skb);
- size += length;
- packets++;
+ size += length;
+ packets++;
+ }
}
new_skb = napi_alloc_skb(napi, lp->max_frm_size);
--
2.39.5 (Apple Git-154)
^ permalink raw reply related [flat|nested] 11+ messages in thread
* RE: [PATCH net v3] net: axienet: safely drop oversized RX frames
2025-05-09 10:47 ` [PATCH net v3] " Can Ayberk Demir
@ 2025-05-09 15:17 ` Gupta, Suraj
2025-05-16 8:43 ` [PATCH net v4] " Can Ayberk Demir
1 sibling, 0 replies; 11+ messages in thread
From: Gupta, Suraj @ 2025-05-09 15:17 UTC (permalink / raw)
To: Can Ayberk Demir, netdev@vger.kernel.org
Cc: Pandey, Radhey Shyam, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simek, Michal,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
[AMD Official Use Only - AMD Internal Distribution Only]
> -----Original Message-----
> From: Can Ayberk Demir <ayberkdemir@gmail.com>
> Sent: Friday, May 9, 2025 4:18 PM
> To: netdev@vger.kernel.org
> Cc: Pandey, Radhey Shyam <radhey.shyam.pandey@amd.com>; Andrew Lunn
> <andrew+netdev@lunn.ch>; David S . Miller <davem@davemloft.net>; Eric
> Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo
> Abeni <pabeni@redhat.com>; Simek, Michal <michal.simek@amd.com>; linux-arm-
> kernel@lists.infradead.org; linux-kernel@vger.kernel.org; Can Ayberk DEMIR
> <ayberkdemir@gmail.com>
> Subject: [PATCH net v3] net: axienet: safely drop oversized RX frames
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> From: Can Ayberk DEMIR <ayberkdemir@gmail.com>
>
> In AXI Ethernet (axienet) driver, receiving an Ethernet frame larger than the allocated
> skb buffer may cause memory corruption or kernel panic, especially when the
> interface MTU is small and a jumbo frame is received.
>
> Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
Please move it just before SOB.
>
> This bug was discovered during testing on a Kria K26 platform. When an oversized
> frame is received and `skb_put()` is called without checking the tailroom, the
> following kernel panic occurs:
>
> skb_panic+0x58/0x5c
> skb_put+0x90/0xb0
> axienet_rx_poll+0x130/0x4ec
> ...
> Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt
>
> Signed-off-by: Can Ayberk DEMIR <ayberkdemir@gmail.com>
> ---
Tested with zcu102 setup.
Tested-by: <suraj.gupta2@amd.com>
> Changes in v3:
> - Fixed 'ndev' undeclared error → replaced with 'lp->ndev'
> - Added rx_dropped++ for statistics
> - Added Fixes: tag
>
> Changes in v2:
> - This patch addresses style issues pointed out in v1.
> ---
> .../net/ethernet/xilinx/xilinx_axienet_main.c | 47 +++++++++++--------
> 1 file changed, 28 insertions(+), 19 deletions(-)
>
> diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> index 1b7a653c1f4e..7a12132e2b7c 100644
> --- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> +++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> @@ -1223,28 +1223,37 @@ static int axienet_rx_poll(struct napi_struct *napi, int
> budget)
> dma_unmap_single(lp->dev, phys, lp->max_frm_size,
> DMA_FROM_DEVICE);
>
> - skb_put(skb, length);
> - skb->protocol = eth_type_trans(skb, lp->ndev);
> - /*skb_checksum_none_assert(skb);*/
> - skb->ip_summed = CHECKSUM_NONE;
> -
> - /* if we're doing Rx csum offload, set it up */
> - if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
> - csumstatus = (cur_p->app2 &
> - XAE_FULL_CSUM_STATUS_MASK) >> 3;
> - if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
> - csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
> - skb->ip_summed = CHECKSUM_UNNECESSARY;
> + if (unlikely(length > skb_tailroom(skb))) {
> + netdev_warn(lp->ndev,
> + "Dropping oversized RX frame (len=%u,
> tailroom=%u)\n",
> + length, skb_tailroom(skb));
> + dev_kfree_skb(skb);
> + lp->ndev->stats.rx_dropped++;
> + skb = NULL;
> + } else {
> + skb_put(skb, length);
> + skb->protocol = eth_type_trans(skb, lp->ndev);
> + /*skb_checksum_none_assert(skb);*/
> + skb->ip_summed = CHECKSUM_NONE;
> +
> + /* if we're doing Rx csum offload, set it up */
> + if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
> + csumstatus = (cur_p->app2 &
> + XAE_FULL_CSUM_STATUS_MASK) >> 3;
> + if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
> + csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
> + skb->ip_summed = CHECKSUM_UNNECESSARY;
> + }
> + } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM)
> {
> + skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
> + skb->ip_summed =
> + CHECKSUM_COMPLETE;
> }
> - } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
> - skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
> - skb->ip_summed = CHECKSUM_COMPLETE;
> - }
>
> - napi_gro_receive(napi, skb);
> + napi_gro_receive(napi, skb);
>
> - size += length;
> - packets++;
> + size += length;
> + packets++;
> + }
> }
>
> new_skb = napi_alloc_skb(napi, lp->max_frm_size);
> --
> 2.39.5 (Apple Git-154)
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] drivers: net: axienet: safely drop oversized RX frames
2025-05-09 6:37 ` [PATCH v2] " Can Ayberk Demir
2025-05-09 8:06 ` Gupta, Suraj
2025-05-09 10:47 ` [PATCH net v3] " Can Ayberk Demir
@ 2025-05-13 22:18 ` kernel test robot
2 siblings, 0 replies; 11+ messages in thread
From: kernel test robot @ 2025-05-13 22:18 UTC (permalink / raw)
To: Can Ayberk Demir, netdev
Cc: oe-kbuild-all, Radhey Shyam Pandey, Andrew Lunn, David S . Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, Michal Simek,
linux-arm-kernel, linux-kernel, Can Ayberk DEMIR
Hi Can,
kernel test robot noticed the following build errors:
[auto build test ERROR on net/main]
[also build test ERROR on net-next/main linus/master v6.15-rc6 next-20250513]
[cannot apply to xilinx-xlnx/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Can-Ayberk-Demir/drivers-net-axienet-safely-drop-oversized-RX-frames/20250509-143942
base: net/main
patch link: https://lore.kernel.org/r/20250509063727.35560-1-ayberkdemir%40gmail.com
patch subject: [PATCH v2] drivers: net: axienet: safely drop oversized RX frames
config: parisc-allmodconfig (https://download.01.org/0day-ci/archive/20250514/202505140618.dkbky4zD-lkp@intel.com/config)
compiler: hppa-linux-gcc (GCC) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250514/202505140618.dkbky4zD-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202505140618.dkbky4zD-lkp@intel.com/
All errors (new ones prefixed by >>):
drivers/net/ethernet/xilinx/xilinx_axienet_main.c: In function 'axienet_rx_poll':
>> drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1227:45: error: 'ndev' undeclared (first use in this function); did you mean 'cdev'?
1227 | netdev_warn(ndev,
| ^~~~
| cdev
drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1227:45: note: each undeclared identifier is reported only once for each function it appears in
vim +1227 drivers/net/ethernet/xilinx/xilinx_axienet_main.c
1184
1185 /**
1186 * axienet_rx_poll - Triggered by RX ISR to complete the BD processing.
1187 * @napi: Pointer to NAPI structure.
1188 * @budget: Max number of RX packets to process.
1189 *
1190 * Return: Number of RX packets processed.
1191 */
1192 static int axienet_rx_poll(struct napi_struct *napi, int budget)
1193 {
1194 u32 length;
1195 u32 csumstatus;
1196 u32 size = 0;
1197 int packets = 0;
1198 dma_addr_t tail_p = 0;
1199 struct axidma_bd *cur_p;
1200 struct sk_buff *skb, *new_skb;
1201 struct axienet_local *lp = container_of(napi, struct axienet_local, napi_rx);
1202
1203 cur_p = &lp->rx_bd_v[lp->rx_bd_ci];
1204
1205 while (packets < budget && (cur_p->status & XAXIDMA_BD_STS_COMPLETE_MASK)) {
1206 dma_addr_t phys;
1207
1208 /* Ensure we see complete descriptor update */
1209 dma_rmb();
1210
1211 skb = cur_p->skb;
1212 cur_p->skb = NULL;
1213
1214 /* skb could be NULL if a previous pass already received the
1215 * packet for this slot in the ring, but failed to refill it
1216 * with a newly allocated buffer. In this case, don't try to
1217 * receive it again.
1218 */
1219 if (likely(skb)) {
1220 length = cur_p->app4 & 0x0000FFFF;
1221
1222 phys = desc_get_phys_addr(lp, cur_p);
1223 dma_unmap_single(lp->dev, phys, lp->max_frm_size,
1224 DMA_FROM_DEVICE);
1225
1226 if (unlikely(length > skb_tailroom(skb))) {
> 1227 netdev_warn(ndev,
1228 "Dropping oversized RX frame (len=%u, tailroom=%u)\n",
1229 length, skb_tailroom(skb));
1230 dev_kfree_skb(skb);
1231 skb = NULL;
1232 } else {
1233 skb_put(skb, length);
1234 skb->protocol = eth_type_trans(skb, lp->ndev);
1235 /*skb_checksum_none_assert(skb);*/
1236 skb->ip_summed = CHECKSUM_NONE;
1237
1238 /* if we're doing Rx csum offload, set it up */
1239 if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
1240 csumstatus = (cur_p->app2 &
1241 XAE_FULL_CSUM_STATUS_MASK) >> 3;
1242 if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
1243 csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
1244 skb->ip_summed = CHECKSUM_UNNECESSARY;
1245 }
1246 } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
1247 skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
1248 skb->ip_summed = CHECKSUM_COMPLETE;
1249 }
1250
1251 napi_gro_receive(napi, skb);
1252
1253 size += length;
1254 packets++;
1255 }
1256 }
1257
1258 new_skb = napi_alloc_skb(napi, lp->max_frm_size);
1259 if (!new_skb)
1260 break;
1261
1262 phys = dma_map_single(lp->dev, new_skb->data,
1263 lp->max_frm_size,
1264 DMA_FROM_DEVICE);
1265 if (unlikely(dma_mapping_error(lp->dev, phys))) {
1266 if (net_ratelimit())
1267 netdev_err(lp->ndev, "RX DMA mapping error\n");
1268 dev_kfree_skb(new_skb);
1269 break;
1270 }
1271 desc_set_phys_addr(lp, phys, cur_p);
1272
1273 cur_p->cntrl = lp->max_frm_size;
1274 cur_p->status = 0;
1275 cur_p->skb = new_skb;
1276
1277 /* Only update tail_p to mark this slot as usable after it has
1278 * been successfully refilled.
1279 */
1280 tail_p = lp->rx_bd_p + sizeof(*lp->rx_bd_v) * lp->rx_bd_ci;
1281
1282 if (++lp->rx_bd_ci >= lp->rx_bd_num)
1283 lp->rx_bd_ci = 0;
1284 cur_p = &lp->rx_bd_v[lp->rx_bd_ci];
1285 }
1286
1287 u64_stats_update_begin(&lp->rx_stat_sync);
1288 u64_stats_add(&lp->rx_packets, packets);
1289 u64_stats_add(&lp->rx_bytes, size);
1290 u64_stats_update_end(&lp->rx_stat_sync);
1291
1292 if (tail_p)
1293 axienet_dma_out_addr(lp, XAXIDMA_RX_TDESC_OFFSET, tail_p);
1294
1295 if (packets < budget && napi_complete_done(napi, packets)) {
1296 if (READ_ONCE(lp->rx_dim_enabled)) {
1297 struct dim_sample sample = {
1298 .time = ktime_get(),
1299 /* Safe because we are the only writer */
1300 .pkt_ctr = u64_stats_read(&lp->rx_packets),
1301 .byte_ctr = u64_stats_read(&lp->rx_bytes),
1302 .event_ctr = READ_ONCE(lp->rx_irqs),
1303 };
1304
1305 net_dim(&lp->rx_dim, &sample);
1306 }
1307
1308 /* Re-enable RX completion interrupts. This should
1309 * cause an immediate interrupt if any RX packets are
1310 * already pending.
1311 */
1312 spin_lock_irq(&lp->rx_cr_lock);
1313 axienet_dma_out32(lp, XAXIDMA_RX_CR_OFFSET, lp->rx_dma_cr);
1314 spin_unlock_irq(&lp->rx_cr_lock);
1315 }
1316 return packets;
1317 }
1318
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH net v4] net: axienet: safely drop oversized RX frames
2025-05-09 10:47 ` [PATCH net v3] " Can Ayberk Demir
2025-05-09 15:17 ` Gupta, Suraj
@ 2025-05-16 8:43 ` Can Ayberk Demir
2025-05-16 9:02 ` Eric Dumazet
1 sibling, 1 reply; 11+ messages in thread
From: Can Ayberk Demir @ 2025-05-16 8:43 UTC (permalink / raw)
To: netdev
Cc: Radhey Shyam Pandey, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Michal Simek, linux-arm-kernel,
linux-kernel, Can Ayberk DEMIR, Suraj Gupta
From: Can Ayberk DEMIR <ayberkdemir@gmail.com>
In AXI Ethernet (axienet) driver, receiving an Ethernet frame larger
than the allocated skb buffer may cause memory corruption or kernel panic,
especially when the interface MTU is small and a jumbo frame is received.
This bug was discovered during testing on a Kria K26 platform. When an
oversized frame is received and `skb_put()` is called without checking
the tailroom, the following kernel panic occurs:
skb_panic+0x58/0x5c
skb_put+0x90/0xb0
axienet_rx_poll+0x130/0x4ec
...
Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt
Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
Signed-off-by: Can Ayberk DEMIR <ayberkdemir@gmail.com>
Tested-by: Suraj Gupta <suraj.gupta2@amd.com>
---
Changes in v4:
- Moved Fixes: tag before SOB as requested
- Added Tested-by tag from Suraj Gupta
Changes in v3:
- Fixed 'ndev' undeclared error → replaced with 'lp->ndev'
- Added rx_dropped++ for statistics
- Added Fixes: tag
Changes in v2:
- This patch addresses style issues pointed out in v1.
---
.../net/ethernet/xilinx/xilinx_axienet_main.c | 47 +++++++++++--------
1 file changed, 28 insertions(+), 19 deletions(-)
diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
index 1b7a653c1f4e..7a12132e2b7c 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
@@ -1223,28 +1223,37 @@ static int axienet_rx_poll(struct napi_struct *napi, int budget)
dma_unmap_single(lp->dev, phys, lp->max_frm_size,
DMA_FROM_DEVICE);
- skb_put(skb, length);
- skb->protocol = eth_type_trans(skb, lp->ndev);
- /*skb_checksum_none_assert(skb);*/
- skb->ip_summed = CHECKSUM_NONE;
-
- /* if we're doing Rx csum offload, set it up */
- if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
- csumstatus = (cur_p->app2 &
- XAE_FULL_CSUM_STATUS_MASK) >> 3;
- if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
- csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
- skb->ip_summed = CHECKSUM_UNNECESSARY;
+ if (unlikely(length > skb_tailroom(skb))) {
+ netdev_warn(lp->ndev,
+ "Dropping oversized RX frame (len=%u, tailroom=%u)\n",
+ length, skb_tailroom(skb));
+ dev_kfree_skb(skb);
+ lp->ndev->stats.rx_dropped++;
+ skb = NULL;
+ } else {
+ skb_put(skb, length);
+ skb->protocol = eth_type_trans(skb, lp->ndev);
+ /*skb_checksum_none_assert(skb);*/
+ skb->ip_summed = CHECKSUM_NONE;
+
+ /* if we're doing Rx csum offload, set it up */
+ if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
+ csumstatus = (cur_p->app2 &
+ XAE_FULL_CSUM_STATUS_MASK) >> 3;
+ if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
+ csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+ }
+ } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
+ skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
+ skb->ip_summed = CHECKSUM_COMPLETE;
}
- } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
- skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
- skb->ip_summed = CHECKSUM_COMPLETE;
- }
- napi_gro_receive(napi, skb);
+ napi_gro_receive(napi, skb);
- size += length;
- packets++;
+ size += length;
+ packets++;
+ }
}
new_skb = napi_alloc_skb(napi, lp->max_frm_size);
--
2.39.5 (Apple Git-154)
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH net v4] net: axienet: safely drop oversized RX frames
2025-05-16 8:43 ` [PATCH net v4] " Can Ayberk Demir
@ 2025-05-16 9:02 ` Eric Dumazet
2025-05-19 5:17 ` Gupta, Suraj
0 siblings, 1 reply; 11+ messages in thread
From: Eric Dumazet @ 2025-05-16 9:02 UTC (permalink / raw)
To: Can Ayberk Demir
Cc: netdev, Radhey Shyam Pandey, Andrew Lunn, David S . Miller,
Jakub Kicinski, Paolo Abeni, Michal Simek, linux-arm-kernel,
linux-kernel, Suraj Gupta
On Fri, May 16, 2025 at 1:44 AM Can Ayberk Demir <ayberkdemir@gmail.com> wrote:
>
> From: Can Ayberk DEMIR <ayberkdemir@gmail.com>
>
> In AXI Ethernet (axienet) driver, receiving an Ethernet frame larger
> than the allocated skb buffer may cause memory corruption or kernel panic,
> especially when the interface MTU is small and a jumbo frame is received.
>
> This bug was discovered during testing on a Kria K26 platform. When an
> oversized frame is received and `skb_put()` is called without checking
> the tailroom, the following kernel panic occurs:
>
> skb_panic+0x58/0x5c
> skb_put+0x90/0xb0
> axienet_rx_poll+0x130/0x4ec
> ...
> Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt
>
> Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
>
> Signed-off-by: Can Ayberk DEMIR <ayberkdemir@gmail.com>
> Tested-by: Suraj Gupta <suraj.gupta2@amd.com>
> ---
> Changes in v4:
> - Moved Fixes: tag before SOB as requested
> - Added Tested-by tag from Suraj Gupta
>
> Changes in v3:
> - Fixed 'ndev' undeclared error → replaced with 'lp->ndev'
> - Added rx_dropped++ for statistics
> - Added Fixes: tag
>
> Changes in v2:
> - This patch addresses style issues pointed out in v1.
> ---
> .../net/ethernet/xilinx/xilinx_axienet_main.c | 47 +++++++++++--------
> 1 file changed, 28 insertions(+), 19 deletions(-)
>
> diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> index 1b7a653c1f4e..7a12132e2b7c 100644
> --- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> +++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> @@ -1223,28 +1223,37 @@ static int axienet_rx_poll(struct napi_struct *napi, int budget)
> dma_unmap_single(lp->dev, phys, lp->max_frm_size,
> DMA_FROM_DEVICE);
>
> - skb_put(skb, length);
> - skb->protocol = eth_type_trans(skb, lp->ndev);
> - /*skb_checksum_none_assert(skb);*/
> - skb->ip_summed = CHECKSUM_NONE;
> -
> - /* if we're doing Rx csum offload, set it up */
> - if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
> - csumstatus = (cur_p->app2 &
> - XAE_FULL_CSUM_STATUS_MASK) >> 3;
> - if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
> - csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
> - skb->ip_summed = CHECKSUM_UNNECESSARY;
> + if (unlikely(length > skb_tailroom(skb))) {
If really the NIC copied more data than allowed, we already have
corruption of kernel memory.
Dropping the packet here has undetermined behavior.
If the NIC only reports the big length but has not performed any DMA,
then the skb can be recycled.
No point freeing it, and re-allocate a new one.
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: [PATCH net v4] net: axienet: safely drop oversized RX frames
2025-05-16 9:02 ` Eric Dumazet
@ 2025-05-19 5:17 ` Gupta, Suraj
0 siblings, 0 replies; 11+ messages in thread
From: Gupta, Suraj @ 2025-05-19 5:17 UTC (permalink / raw)
To: Eric Dumazet, Can Ayberk Demir
Cc: netdev@vger.kernel.org, Pandey, Radhey Shyam, Andrew Lunn,
David S . Miller, Jakub Kicinski, Paolo Abeni, Simek, Michal,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
[AMD Official Use Only - AMD Internal Distribution Only]
> -----Original Message-----
> From: Eric Dumazet <edumazet@google.com>
> Sent: Friday, May 16, 2025 2:32 PM
> To: Can Ayberk Demir <ayberkdemir@gmail.com>
> Cc: netdev@vger.kernel.org; Pandey, Radhey Shyam
> <radhey.shyam.pandey@amd.com>; Andrew Lunn <andrew+netdev@lunn.ch>;
> David S . Miller <davem@davemloft.net>; Jakub Kicinski <kuba@kernel.org>; Paolo
> Abeni <pabeni@redhat.com>; Simek, Michal <michal.simek@amd.com>; linux-arm-
> kernel@lists.infradead.org; linux-kernel@vger.kernel.org; Gupta, Suraj
> <Suraj.Gupta2@amd.com>
> Subject: Re: [PATCH net v4] net: axienet: safely drop oversized RX frames
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On Fri, May 16, 2025 at 1:44 AM Can Ayberk Demir <ayberkdemir@gmail.com>
> wrote:
> >
> > From: Can Ayberk DEMIR <ayberkdemir@gmail.com>
> >
> > In AXI Ethernet (axienet) driver, receiving an Ethernet frame larger
> > than the allocated skb buffer may cause memory corruption or kernel
> > panic, especially when the interface MTU is small and a jumbo frame is received.
> >
> > This bug was discovered during testing on a Kria K26 platform. When an
> > oversized frame is received and `skb_put()` is called without checking
> > the tailroom, the following kernel panic occurs:
> >
> > skb_panic+0x58/0x5c
> > skb_put+0x90/0xb0
> > axienet_rx_poll+0x130/0x4ec
> > ...
> > Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt
> >
> > Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI
> > Ethernet driver")
> >
> > Signed-off-by: Can Ayberk DEMIR <ayberkdemir@gmail.com>
> > Tested-by: Suraj Gupta <suraj.gupta2@amd.com>
> > ---
> > Changes in v4:
> > - Moved Fixes: tag before SOB as requested
> > - Added Tested-by tag from Suraj Gupta
> >
> > Changes in v3:
> > - Fixed 'ndev' undeclared error → replaced with 'lp->ndev'
> > - Added rx_dropped++ for statistics
> > - Added Fixes: tag
> >
> > Changes in v2:
> > - This patch addresses style issues pointed out in v1.
> > ---
> > .../net/ethernet/xilinx/xilinx_axienet_main.c | 47
> > +++++++++++--------
> > 1 file changed, 28 insertions(+), 19 deletions(-)
> >
> > diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> > b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> > index 1b7a653c1f4e..7a12132e2b7c 100644
> > --- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> > +++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
> > @@ -1223,28 +1223,37 @@ static int axienet_rx_poll(struct napi_struct *napi, int
> budget)
> > dma_unmap_single(lp->dev, phys, lp->max_frm_size,
> > DMA_FROM_DEVICE);
> >
> > - skb_put(skb, length);
> > - skb->protocol = eth_type_trans(skb, lp->ndev);
> > - /*skb_checksum_none_assert(skb);*/
> > - skb->ip_summed = CHECKSUM_NONE;
> > -
> > - /* if we're doing Rx csum offload, set it up */
> > - if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
> > - csumstatus = (cur_p->app2 &
> > - XAE_FULL_CSUM_STATUS_MASK) >> 3;
> > - if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
> > - csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
> > - skb->ip_summed = CHECKSUM_UNNECESSARY;
> > + if (unlikely(length > skb_tailroom(skb))) {
>
> If really the NIC copied more data than allowed, we already have corruption of kernel
> memory.
>
> Dropping the packet here has undetermined behavior.
>
> If the NIC only reports the big length but has not performed any DMA, then the skb
> can be recycled.
> No point freeing it, and re-allocate a new one.
Agreed, this may not be the right place to drop the packet. Please check jumbo frame configurations. We suspect memory for jumbo frames (represented by "xlnx,rxmem" in DT) might not be
sufficient in the design. This memory size is checked in the driver before enabling jumbo frame support.
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2025-05-19 5:20 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-08 15:04 [PATCH] drivers: net: axienet: safely drop oversized RX frames Can Ayberk Demir
2025-05-09 6:08 ` Gupta, Suraj
2025-05-09 6:37 ` [PATCH v2] " Can Ayberk Demir
2025-05-09 8:06 ` Gupta, Suraj
2025-05-09 8:18 ` Gupta, Suraj
2025-05-09 10:47 ` [PATCH net v3] " Can Ayberk Demir
2025-05-09 15:17 ` Gupta, Suraj
2025-05-16 8:43 ` [PATCH net v4] " Can Ayberk Demir
2025-05-16 9:02 ` Eric Dumazet
2025-05-19 5:17 ` Gupta, Suraj
2025-05-13 22:18 ` [PATCH v2] drivers: " kernel test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).