public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Eric Dumazet <eric.dumazet@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [patch 05/35] r8169: fix crash when large packets are received
Date: Tue, 30 Jun 2009 17:14:01 -0700
Message-ID: <20090701001548.822249123@mini.kroah.org>
In-Reply-To: <20090701002825.GA6518@kroah.com>

[-- Attachment #1: r8169-fix-crash-when-large-packets-are-received.patch --]
[-- Type: text/plain, Size: 2893 bytes --]

2.6.29-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Eric Dumazet <eric.dumazet@gmail.com>

commit fdd7b4c3302c93f6833e338903ea77245eb510b4 upstream.

Michael Tokarev reported receiving a large packet could crash
a machine with RTL8169 NIC.
( original thread at http://lkml.org/lkml/2009/6/8/192 )

Problem is this driver tells that NIC frames up to 16383 bytes
can be received but provides skb to rx ring allocated with
smaller sizes (1536 bytes in case standard 1500 bytes MTU is used)

When a frame larger than what was allocated by driver is received,
DMA transfer can occur past the end of buffer and corrupt
kernel memory.

Fix is to tell to NIC what is the maximum size a frame can be.

This bug is very old, (before git introduction, linux-2.6.10), and
should be backported to stable versions.

Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/r8169.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -66,7 +66,6 @@ static const int multicast_filter_limit 
 #define RX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
 #define TX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
 #define EarlyTxThld	0x3F	/* 0x3F means NO early transmit */
-#define RxPacketMaxSize	0x3FE8	/* 16K - 1 - ETH_HLEN - VLAN - CRC... */
 #define SafeMtu		0x1c20	/* ... actually life sucks beyond ~7k */
 #define InterFrameGap	0x03	/* 3 means InterFrameGap = the shortest one */
 
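Review bot: with RxPacketMaxSize removed, the comment on the SafeMtu line ("... actually life sucks beyond ~7k") is left as the continuation of a sentence that no longer exists. Reword it so it stands on its own, and say in the changelog that no other user of RxPacketMaxSize remains, since only the definition is visible in this hunk.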
@@ -2357,10 +2356,10 @@ static u16 rtl_rw_cpluscmd(void __iomem 
 	return cmd;
 }
 
-static void rtl_set_rx_max_size(void __iomem *ioaddr)
+static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
 {
 	/* Low hurts. Let's disable the filtering. */
-	RTL_W16(RxMaxSize, 16383);
+	RTL_W16(RxMaxSize, rx_buf_sz);
 }
 
 static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
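Review bot: the comment kept in rtl_set_rx_max_size(), "Low hurts. Let's disable the filtering.", no longer describes the function, which now programs RxMaxSize with the receive buffer size instead of 16383. Update it to say that RxMaxSize must not exceed the size of the buffers placed on the rx ring. Also, rx_buf_sz is an unsigned int written with RTL_W16; a comment or check that the value fits in 16 bits would make the narrowing explicit.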
@@ -2407,7 +2406,7 @@ static void rtl_hw_start_8169(struct net
 
 	RTL_W8(EarlyTxThres, EarlyTxThld);
 
-	rtl_set_rx_max_size(ioaddr);
+	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
 
 	if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
 	    (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
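Review bot: this call relies on tp->rx_buf_sz already holding the size of the buffers that will sit on the rx ring when rtl_hw_start_8169() runs, and nothing in the visible lines shows where it is assigned. It is worth stating in the changelog that rx_buf_sz is set before hardware start and that any path changing it goes back through this function; the same applies to the rtl_hw_start_8168() and rtl_hw_start_8101() call sites.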
@@ -2668,7 +2667,7 @@ static void rtl_hw_start_8168(struct net
 
 	RTL_W8(EarlyTxThres, EarlyTxThld);
 
-	rtl_set_rx_max_size(ioaddr);
+	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
 
 	tp->cp_cmd |= RTL_R16(CPlusCmd) | PktCntrDisable | INTT_1;
 
@@ -2846,7 +2845,7 @@ static void rtl_hw_start_8101(struct net
 
 	RTL_W8(EarlyTxThres, EarlyTxThld);
 
-	rtl_set_rx_max_size(ioaddr);
+	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
 
 	tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
 