From:
To: "'Xiang Mei'"
Cc:
References: <20260628075205.62280-1-xmei5@asu.edu>
In-Reply-To: <20260628075205.62280-1-xmei5@asu.edu>
Subject: RE: [PATCH net] net: qualcomm: rmnet: validate MAP frame length before ingress parsing
Date: Mon, 29 Jun 2026 14:19:19 -0600
Message-ID: <000601dd0804$91cbd910$b5638b30$@oss.qualcomm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> -----Original Message-----
> From: Xiang Mei
>
> Each guard uses pskb_may_pull() before its read. The MAPv4 check uses
> ntohs(pkt_len) (== payload + pad) directly rather than the derived len, so it is
> unaffected by the u16 underflow in len when pad > pkt_len. Well-formed
> frames always carry the header/trailer they declare, so only malformed
> packets are dropped; this mirrors the length check rmnet_map_deaggregate()
> already performs on the deaggregation path.
>
> @@ -61,6 +61,9 @@ __rmnet_map_ingress_handler(struct sk_buff *skb, > u16 len, pad; > u8 mux_id; > > + if (!pskb_may_pull(skb, sizeof(*map_header))) > + goto free_skb; > + > if (map_header->flags & MAP_CMD_FLAG) { > /* Packet contains a MAP command (not data) */ > if (port->data_format & > RMNET_FLAGS_INGRESS_MAP_COMMANDS)
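Review bot: in the `+ if (!pskb_may_pull(skb, sizeof(*map_header)))` guard, a pull that succeeds can leave `map_header` stale: the check sits after the local declarations, so if `map_header` is initialised from `skb->data` at its declaration (its use in `sizeof(*map_header)` suggests the pointer already exists there), it must be re-read after the call, because `pskb_may_pull()` may reallocate the linear buffer and move `skb->data` when it has to copy header bytes in. Suggest adding `map_header = (void *)skb->data;` right after the guard; the same applies to every later `pskb_may_pull()` in this patch that is followed by a `map_header->` read.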
@@ -84,11 +87,19 @@ > __rmnet_map_ingress_handler(struct sk_buff *skb, > > if ((port->data_format & RMNET_FLAGS_INGRESS_MAP_CKSUMV5) > && > (map_header->flags & MAP_NEXT_HEADER_FLAG)) { > + if (!pskb_may_pull(skb, sizeof(*map_header) + > + sizeof(struct > rmnet_map_v5_csum_header))) > + goto free_skb; > if (rmnet_map_process_next_hdr_packet(skb, len)) > goto free_skb; > skb_pull(skb, sizeof(*map_header)); > rmnet_set_skb_proto(skb); > } else { > + if (port->data_format & > RMNET_FLAGS_INGRESS_MAP_CKSUMV4 && > + !pskb_may_pull(skb, sizeof(*map_header) + > + ntohs(map_header->pkt_len) + > + sizeof(struct rmnet_map_dl_csum_trailer))) > + goto free_skb; > /* Subtract MAP header */ > skb_pull(skb, sizeof(*map_header)); > rmnet_set_skb_proto(skb); > -- > 2.43.0

The patch seems fine at a high level. However, it ends up adding duplicate checks for the deagg path, which is the commonly used path. Perhaps you can try something similar to the following, which adds all the relevant checks of the deagg path to the no-agg path as well.

diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c index 9f3479500f85..086874b673c6 100644 --- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c +++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c @@ -126,7 +126,8 @@ rmnet_map_ingress_handler(struct sk_buff *skb, consume_skb(skb); } else { - __rmnet_map_ingress_handler(skb, port); + if (rmnet_map_validate_packet_len(skb, port)) + __rmnet_map_ingress_handler(skb, port); } } diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map.h b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map.h index b70284095568..46495b7966f3 100644 --- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map.h +++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map.h
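Review bot: in the rmnet_handlers.c hunk, the skb is leaked when `rmnet_map_validate_packet_len()` returns 0: the replaced `__rmnet_map_ingress_handler(skb, port);` call always consumed the buffer (delivering or freeing it), while the new `if` just skips the call and nothing frees `skb`. Add an else branch, e.g. `else kfree_skb(skb);`, so a malformed frame is dropped and counted rather than leaked.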
@@ -59,5 +59,7 @@ void rmnet_map_tx_aggregate_init(struct rmnet_port *port); void rmnet_map_tx_aggregate_exit(struct rmnet_port *port); void rmnet_map_update_ul_agg_config(struct rmnet_port *port, u32 size, u32 count, u32 time); +u32 rmnet_map_validate_packet_len(struct sk_buff *skb, + struct rmnet_port *port); #endif /* _RMNET_MAP_H_ */ diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c index 8b4640c5d61e..1729b73249f7 100644 --- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c +++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c @@ -333,24 +333,16 @@ struct rmnet_map_header *rmnet_map_add_map_header(struct sk_buff *skb, return map_header; } -/* Deaggregates a single packet - * A whole new buffer is allocated for each portion of an aggregated frame. - * Caller should keep calling deaggregate() on the source skb until 0 is - * returned, indicating that there are no more packets to deaggregate. Caller - * is responsible for freeing the original skb. - */ -struct sk_buff *rmnet_map_deaggregate(struct sk_buff *skb, - struct rmnet_port *port) -{ +u32 rmnet_map_validate_packet_len(struct sk_buff *skb, + struct rmnet_port *port) { struct rmnet_map_v5_csum_header *next_hdr = NULL; struct rmnet_map_header *maph; void *data = skb->data; - struct sk_buff *skbn; u8 nexthdr_type; u32 packet_len; if (skb->len == 0) - return NULL; + goto err1; maph = (struct rmnet_map_header *)skb->data; packet_len = ntohs(maph->pkt_len) + sizeof(*maph); 
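Review bot: `u32 rmnet_map_validate_packet_len(struct sk_buff *skb, struct rmnet_port *port) {` puts the opening brace on the signature line, which is not kernel coding style for a function definition; move it to its own line. More substantively for the non-aggregated path this helper is now called from: it reads `maph->pkt_len` (and later `next_hdr`) through `skb->data` and only compares `packet_len` against `skb->len`, which does not guarantee those header bytes sit in the linear area, so the `pskb_may_pull()` the original patch added for exactly that reason should still precede these reads, or be done at the top of this helper.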
@@ -364,24 +356,48 @@ struct sk_buff *rmnet_map_deaggregate(struct sk_buff *skb, next_hdr = data + sizeof(*maph); else /* Mapv5 data pkt without csum hdr is invalid */ - return NULL; + goto err1; } } if (((int)skb->len - (int)packet_len) < 0) - return NULL; + goto err1; /* Some hardware can send us empty frames. Catch them */ if (!maph->pkt_len) - return NULL; + goto err1; if (next_hdr) { nexthdr_type = u8_get_bits(next_hdr->header_info, MAPV5_HDRINFO_HDR_TYPE_FMASK); if (nexthdr_type != RMNET_MAP_HEADER_TYPE_CSUM_OFFLOAD) - return NULL; + goto err1; } + goto err0; + +err1: + packet_len = 0; +err0: + return packet_len; +} + +/* Deaggregates a single packet + * A whole new buffer is allocated for each portion of an aggregated frame. + * Caller should keep calling deaggregate() on the source skb until 0 is + * returned, indicating that there are no more packets to deaggregate. Caller + * is responsible for freeing the original skb. + */ +struct sk_buff *rmnet_map_deaggregate(struct sk_buff *skb, + struct rmnet_port *port) +{ + struct sk_buff *skbn; + u32 packet_len; + + packet_len = rmnet_map_validate_packet_len(skb, port); + if (!packet_len) + return NULL; + skbn = alloc_skb(packet_len + RMNET_MAP_DEAGGR_SPACING, GFP_ATOMIC); if (!skbn) return NULL;
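Review bot: the `goto err0;` / `err1: packet_len = 0;` / `err0: return packet_len;` tail turns a function with two outcomes into a label dance, and err0/err1 say nothing about what went wrong; each `goto err1` that replaced a `return NULL` can simply be `return 0;` and the success path `return packet_len;`, which also removes the forward `goto err0` jumping over the error label.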
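A user-space model of the length validation this thread is about, added here as an example rather than code from the rmnet driver or from either poster: it derives the payload length the way the ingress handler does (showing the u16 wrap when pad > pkt_len) and computes, from the deaggregation-path rules, how many bytes a frame must carry before it is parsed. The MAP header layout, the 8-byte MAPv4 trailer and 4-byte v5 checksum header sizes, and the sample frames are assumptions and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the MAP header layout, assumed from the driver's
 * struct rmnet_map_header: flags (bit 7 command, bit 6 next header, bits
 * 5..0 pad length), mux_id, big-endian pkt_len including the pad bytes. */
#define MAP_HDR_LEN         4
#define MAP_CMD_FLAG        0x80
#define MAP_NEXT_HDR_FLAG   0x40
#define MAP_PAD_LEN_MASK    0x3f
#define MAP_V4_TRAILER_LEN  8	/* assumed sizeof(struct rmnet_map_dl_csum_trailer) */
#define MAP_V5_CSUM_HDR_LEN 4	/* assumed sizeof(struct rmnet_map_v5_csum_header) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Payload length as the ingress handler derives it: u16 pkt_len minus pad.
 * When pad > pkt_len the subtraction wraps; that is why the MAPv4 guard in
 * the quoted patch sizes its pull from pkt_len itself, not from this value. */
uint16_t map_payload_len(const uint8_t *frame)
{
	return (uint16_t)(be16(frame + 2) - (frame[0] & MAP_PAD_LEN_MASK));
}

/* Bytes a frame must actually carry before it is parsed, following the
 * deaggregation-path rules in the thread: header + pkt_len, plus the MAPv4
 * trailer on CKSUMV4 ports, or the v5 checksum header (mandatory for data
 * frames) on CKSUMV5 ports. Returns 0 for an empty, truncated or bad frame. */
size_t map_validate_len(const uint8_t *frame, size_t avail,
			int cksum_v4, int cksum_v5)
{
	size_t need;
	if (avail < MAP_HDR_LEN || be16(frame + 2) == 0)
		return 0;
	need = MAP_HDR_LEN + be16(frame + 2);
	if (cksum_v4) {
		need += MAP_V4_TRAILER_LEN;
	} else if (cksum_v5 && !(frame[0] & MAP_CMD_FLAG)) {
		if (!(frame[0] & MAP_NEXT_HDR_FLAG))
			return 0;	/* v5 data frame without its csum header */
		need += MAP_V5_CSUM_HDR_LEN;
	}
	return need <= avail ? need : 0;
}

/* Constructed sample frames: header, [v5 csum hdr], pkt_len body bytes,
 * [MAPv4 trailer]; pkt_len 10 = 8 payload + 2 pad in the first three. */
const uint8_t frame_ok[]   = { 0x02, 1, 0x00, 0x0a, 1,2,3,4,5,6,7,8, 0,0 };
const uint8_t frame_v4[]   = { 0x02, 1, 0x00, 0x0a, 1,2,3,4,5,6,7,8, 0,0, 0,0,0,0,0,0,0,0 };
const uint8_t frame_v5[]   = { 0x42, 1, 0x00, 0x0a, 0,0,0,0, 1,2,3,4,5,6,7,8, 0,0 };
const uint8_t frame_wrap[] = { 0x05, 1, 0x00, 0x03, 9,9,9 };	/* pad 5 > pkt_len 3 */
```

Passing `avail` smaller than the declared length models a truncated receive buffer; a return of 0 is the drop decision the ingress handler needs before it touches any header or trailer byte.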