[PATCH] Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500

[PATCH] Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500

[Rex Chang]

In the receive queue for 4096 bytes fragments, the page address
set in the SW data0 field of the descriptor is not the one we got
when doing the reassembly in receive. The page structure was retrieved
from the wrong descriptor into SW data0 which is then causing a
page fault when UDP checksum is accessing data above 1500.

Signed-off-by: Rex Chang <rchang@ti.com>
---
 drivers/net/ethernet/ti/netcp_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c
index ed58c74..f5a7eb2 100644
--- a/drivers/net/ethernet/ti/netcp_core.c
+++ b/drivers/net/ethernet/ti/netcp_core.c
@@ -715,7 +715,7 @@ static int netcp_process_one_rx_packet(struct netcp_intf *netcp)
 		/* warning!!!! We are retrieving the virtual ptr in the sw_data
 		 * field as a 32bit value. Will not work on 64bit machines
 		 */
-		page = (struct page *)GET_SW_DATA0(desc);
+		page = (struct page *)GET_SW_DATA0(ndesc);
 
 		if (likely(dma_buff && buf_len && page)) {
 			dma_unmap_page(netcp->dev, dma_buff, PAGE_SIZE,
-- 
2.9.3

Re: [PATCH] Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500

[David Miller]

From: Rex Chang <rchang@ti.com>
Date: Tue, 16 Jan 2018 15:16:01 -0500

> In the receive queue for 4096 bytes fragments, the page address
> set in the SW data0 field of the descriptor is not the one we got
> when doing the reassembly in receive. The page structure was retrieved
> from the wrong descriptor into SW data0 which is then causing a
> page fault when UDP checksum is accessing data above 1500.
> 
> Signed-off-by: Rex Chang <rchang@ti.com>

Applied, thank you.

[PATCH] Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500

[Chang, Rex]

I am requesting to merge this patch to the stable releases:

commit 5a717843177c96ca3fe4565187de395afdb28092

Kernel crashes if MTU is greater than 1500. This code was working in Kernel v 3.14, but got broken when migrating from Kernel v3.14 to v 4.1.

Stable versions to apply: v4.1 and v4.4.

Thanks!

Rex

-----Original Message-----
From: David Miller [mailto:davem@davemloft.net] 
Sent: Wednesday, January 17, 2018 4:20 PM
To: Chang, Rex
Cc: Kwok, WingMan; Karicheri, Muralidharan; netdev@vger.kernel.org; linux-kernel@vger.kernel.org
Subject: [EXTERNAL] Re: [PATCH] Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500

From: Rex Chang <rchang@ti.com>
Date: Tue, 16 Jan 2018 15:16:01 -0500

> In the receive queue for 4096 bytes fragments, the page address set in 
> the SW data0 field of the descriptor is not the one we got when doing 
> the reassembly in receive. The page structure was retrieved from the 
> wrong descriptor into SW data0 which is then causing a page fault when 
> UDP checksum is accessing data above 1500.
> 
> Signed-off-by: Rex Chang <rchang@ti.com>

Applied, thank you.