From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Jiefeng Zhang <jiefeng.z.zhang@gmail.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.6 16/93] net: atlantic: fix fragment overflow handling in RX path
Date: Wed, 3 Dec 2025 16:29:09 +0100 [thread overview]
Message-ID: <20251203152337.112334571@linuxfoundation.org> (raw)
In-Reply-To: <20251203152336.494201426@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiefeng Zhang <jiefeng.z.zhang@gmail.com>
[ Upstream commit 5ffcb7b890f61541201461580bb6622ace405aec ]
The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)
fragments when handling large multi-descriptor packets. This causes an
out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.
The issue occurs because the driver doesn't check the total number of
fragments before calling skb_add_rx_frag(). When a packet requires more
than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.
Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for. And reusing the existing check to
prevent the overflow earlier in the code path.
This crash occurred in production with an Aquantia AQC113 10G NIC.
Stack trace from production environment:
```
RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0
Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89
ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90
c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48
89 fa 83
RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287
RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:
fffffffe0a0c8000
RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:
0000000000037a40
RBP: 0000000000000024 R08: 0000000000000000 R09:
0000000000000021
R10: 0000000000000848 R11: 0000000000000000 R12:
ffffa9bec02a8e24
R13: ffff925ad8615570 R14: 0000000000000000 R15:
ffff925b22e80a00
FS: 0000000000000000(0000)
GS:ffff925e47880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:
0000000000f72ef0
PKRU: 55555554
Call Trace:
<IRQ>
aq_ring_rx_clean+0x175/0xe60 [atlantic]
? aq_ring_rx_clean+0x14d/0xe60 [atlantic]
? aq_ring_tx_clean+0xdf/0x190 [atlantic]
? kmem_cache_free+0x348/0x450
? aq_vec_poll+0x81/0x1d0 [atlantic]
? __napi_poll+0x28/0x1c0
? net_rx_action+0x337/0x420
```
Fixes: 6aecbba12b5c ("net: atlantic: add check for MAX_SKB_FRAGS")
Changes in v4:
- Add Fixes: tag to satisfy patch validation requirements.
Changes in v3:
- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for.
Signed-off-by: Jiefeng Zhang <jiefeng.z.zhang@gmail.com>
Link: https://patch.msgid.link/20251126032249.69358-1-jiefeng.z.zhang@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index f7433abd65915..3f004d08307fb 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -547,6 +547,11 @@ static int __aq_ring_rx_clean(struct aq_ring_s *self, struct napi_struct *napi,
if (!buff->is_eop) {
unsigned int frag_cnt = 0U;
+
+ /* There will be an extra fragment */
+ if (buff->len > AQ_CFG_RX_HDR_SIZE)
+ frag_cnt++;
+
buff_ = buff;
do {
bool is_rsc_completed = true;
--
2.51.0
next prev parent reply other threads:[~2025-12-03 16:56 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-03 15:28 [PATCH 6.6 00/93] 6.6.119-rc1 review Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.6 01/93] can: kvaser_usb: leaf: Fix potential infinite loop in command parsers Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.6 02/93] can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.6 03/93] can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.6 04/93] can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.6 05/93] Bluetooth: hci_sock: Prevent race in socket write iter and sock bind Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.6 06/93] Bluetooth: SMP: Fix not generating mackey and ltk when repairing Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 07/93] net: phy: mxl-gpy: fix bogus error on USXGMII and integrated PHY Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 08/93] platform/x86: intel: punit_ipc: fix memory corruption Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 09/93] net: aquantia: Add missing descriptor cache invalidation on ATL2 Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 10/93] net: lan966x: Fix the initialization of taprio Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 11/93] net/mlx5e: Fix validation logic in rate limiting Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 12/93] net: sxgbe: fix potential NULL dereference in sxgbe_rx() Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 13/93] drm/amdgpu: fix cyan_skillfish2 gpu info fw handling Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 14/93] net: dsa: sja1105: simplify static configuration reload Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 15/93] net: dsa: sja1105: fix SGMII linking at 10M or 100M but not passing traffic Greg Kroah-Hartman
2025-12-03 15:29 ` Greg Kroah-Hartman [this message]
2025-12-03 15:29 ` [PATCH 6.6 17/93] net: fec: cancel perout_timer when PEROUT is disabled Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 18/93] net: fec: do not update PEROUT if it is enabled Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 19/93] net: fec: do not allow enabling PPS and PEROUT simultaneously Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 20/93] net: fec: do not register PPS event for PEROUT Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 21/93] iio: st_lsm6dsx: Fixed calibrated timestamp calculation Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 22/93] usb: gadget: renesas_usbf: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 23/93] mailbox: mailbox-test: Fix debugfs_create_dir error checking Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 24/93] mailbox: pcc: Refactor error handling in irq handler into separate function Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 25/93] mailbox: pcc: dont zero error register Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 26/93] spi: tegra114: remove Kconfig dependency on TEGRA20_APB_DMA Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 27/93] spi: amlogic-spifc-a1: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 28/93] spi: spi-mem: Allow specifying the byte order in Octal DTR mode Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 29/93] spi: spi-mem: Extend spi-mem operations with a per-operation maximum frequency Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 30/93] spi: spi-mem: Add a new controller capability Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 31/93] spi: nxp-fspi: Support per spi-mem operation frequency switches Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 32/93] spi: nxp-fspi: Propagate fwnode in ACPI case as well Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 33/93] spi: bcm63xx: fix premature CS deassertion on RX-only transactions Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 34/93] Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()" Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 35/93] iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 36/93] iio:common:ssp_sensors: Fix an error handling path ssp_probe() Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 37/93] iio: accel: bmc150: Fix irq assumption regression Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 38/93] iio: accel: fix ADXL355 startup race condition Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 39/93] iio: adc: ad7280a: fix ad7280_store_balance_timer() Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 40/93] MIPS: mm: Prevent a TLB shutdown on initial uniquification Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 41/93] MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 42/93] ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230 Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 43/93] ARM: dts: nxp: imx6ul: correct SAI3 interrupt line Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 44/93] atm/fore200e: Fix possible data race in fore200e_open() Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 45/93] can: sja1000: fix max irq loop handling Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 46/93] can: sun4i_can: sun4i_can_interrupt(): " Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 47/93] ceph: fix crash in process_v2_sparse_read() for encrypted directories Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 48/93] dm-verity: fix unreliable memory allocation Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 49/93] drivers/usb/dwc3: fix PCI parent check Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 50/93] smb: client: fix memory leak in cifs_construct_tcon() Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 51/93] thunderbolt: Add support for Intel Wildcat Lake Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 52/93] slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 53/93] firmware: stratix10-svc: fix bug in saving controller data Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 54/93] mptcp: clear scheduled subflows on retransmit Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 55/93] serial: amba-pl011: prefer dma_mapping_error() over explicit address checking Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 56/93] most: usb: fix double free on late probe failure Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 57/93] usb: cdns3: Fix double resource release in cdns3_pci_probe Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 58/93] usb: gadget: f_eem: Fix memory leak in eem_unwrap Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 59/93] usb: renesas_usbhs: Fix synchronous external abort on unbind Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 60/93] usb: storage: Fix memory leak in USB bulk transport Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 61/93] USB: storage: Remove subclass and protocol overrides from Novatek quirk Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 62/93] usb: storage: sddr55: Reject out-of-bound new_pba Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 63/93] usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 64/93] usb: dwc3: pci: add support for the Intel Nova Lake -S Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 65/93] usb: dwc3: pci: Sort out the Intel device IDs Greg Kroah-Hartman
2025-12-03 15:29 ` [PATCH 6.6 66/93] usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 67/93] xhci: dbgtty: Fix data corruption when transmitting data form DbC to host Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 68/93] xhci: dbgtty: fix device unregister Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 69/93] USB: serial: ftdi_sio: add support for u-blox EVK-M101 Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 70/93] USB: serial: option: add support for Rolling RW101R-GL Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 71/93] drm: sti: fix device leaks at component probe Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 72/93] drm/amd/display: Check NULL before accessing Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 73/93] net: dsa: microchip: common: Fix checks on irq_find_mapping() Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 74/93] net: dsa: microchip: ptp: " Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 75/93] libceph: fix potential use-after-free in have_mon_and_osd_map() Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 76/93] libceph: prevent potential out-of-bounds writes in handle_auth_session_key() Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 77/93] libceph: replace BUG_ON with bounds check for map->max_osd Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 78/93] bonding: return detailed error when loading native XDP fails Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 79/93] bonding: check xdp prog when set bond mode Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 80/93] nfsd: Replace clamp_t in nfsd4_get_drc_mem() Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 81/93] usb: udc: Add trace event for usb_gadget_set_state Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 82/93] usb: gadget: udc: fix use-after-free in usb_gadget_state_work Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 83/93] usb: typec: ucsi: psy: Set max current to zero when disconnected Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 84/93] can: rcar_canfd: Fix CAN-FD mode as default Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 85/93] iio: adc: rtq6056: Correct the sign bit index Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 86/93] net: macb: fix unregister_netdev call order in macb_remove() Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 87/93] staging: rtl8712: Remove driver using deprecated API wext Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 88/93] selftests: mptcp: join: properly kill background tasks Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 89/93] mptcp: fix duplicate reset on fastclose Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 90/93] ksmbd: fix use-after-free in session logoff Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 91/93] net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}() Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 92/93] net: dsa: microchip: Free previously initialized ports on init failures Greg Kroah-Hartman
2025-12-03 15:30 ` [PATCH 6.6 93/93] HID: core: Harden s32ton() against conversion to 0 bits Greg Kroah-Hartman
2025-12-03 18:29 ` [PATCH 6.6 00/93] 6.6.119-rc1 review Florian Fainelli
2025-12-03 23:12 ` Hardik Garg
2025-12-03 23:49 ` Shuah Khan
2025-12-04 6:47 ` Peter Schneider
2025-12-04 10:00 ` Jon Hunter
2025-12-04 10:39 ` Ron Economos
2025-12-04 11:35 ` Mark Brown
2025-12-04 17:55 ` Naresh Kamboju
2025-12-05 9:09 ` Miguel Ojeda
2025-12-05 11:00 ` Brett A C Sheffield
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251203152337.112334571@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jiefeng.z.zhang@gmail.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).