From: David Miller <davem@davemloft.net>
To: aspencer@spacex.com
Cc: netdev@vger.kernel.org, claudiu.manoil@freescale.com
Subject: Re: [PATCH net] gianfar: prevent integer wrapping in the rx handler
Date: Mon, 29 Jan 2018 14:17:37 -0500 (EST)
Message-ID: <20180129.141737.977648549224422044.davem@davemloft.net>
In-Reply-To: <20180126033750.GA93486@a.spacex.corp>
From: Andy Spencer <aspencer@spacex.com>
Date: Thu, 25 Jan 2018 19:37:50 -0800
> When the frame check sequence (FCS) is split across the last two frames
> of a fragmented packet, part of the FCS gets counted twice, once when
> subtracting the FCS, and again when subtracting the previously received
> data.
>
> For example, if 1602 bytes are received, and the first fragment contains
> the first 1600 bytes (including the first two bytes of the FCS), and the
> second fragment contains the last two bytes of the FCS:
>
> 'skb->len == 1600' from the first fragment
>
> size = lstatus & BD_LENGTH_MASK; # 1602
> size -= ETH_FCS_LEN; # 1598
> size -= skb->len; # -2
>
> Since the size is unsigned, it wraps around and causes a BUG later in
> the packet handling, as shown below:
>
> kernel BUG at ./include/linux/skbuff.h:2068!
> Oops: Exception in kernel mode, sig: 5 [#1]
> ...
> NIP [c021ec60] skb_pull+0x24/0x44
> LR [c01e2fbc] gfar_clean_rx_ring+0x498/0x690
> Call Trace:
> [df7edeb0] [c01e2c1c] gfar_clean_rx_ring+0xf8/0x690 (unreliable)
> [df7edf20] [c01e33a8] gfar_poll_rx_sq+0x3c/0x9c
> [df7edf40] [c023352c] net_rx_action+0x21c/0x274
> [df7edf90] [c0329000] __do_softirq+0xd8/0x240
> [df7edff0] [c000c108] call_do_irq+0x24/0x3c
> [c0597e90] [c00041dc] do_IRQ+0x64/0xc4
> [c0597eb0] [c000d920] ret_from_except+0x0/0x18
> --- interrupt: 501 at arch_cpu_idle+0x24/0x5c
>
> Change the size to a signed integer and then trim off any part of the
> FCS that was received prior to the last fragment.
>
> Fixes: 6c389fc931bc ("gianfar: fix size of scatter-gathered frames")
> Signed-off-by: Andy Spencer <aspencer@spacex.com>
Applied.
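
The wrap described in the quoted commit message, as an added user-space C example (not code from the patch or from the gianfar driver). The function names are hypothetical, and BD_LENGTH_MASK is assumed to select the low 16 bits of lstatus:

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_FCS_LEN    4        /* Ethernet frame check sequence, in bytes */
#define BD_LENGTH_MASK 0xffffu  /* assumption: length is the low 16 bits of lstatus */

/* Pre-fix arithmetic: bytes left for the last fragment, kept unsigned. */
static unsigned int last_frag_size_unsigned(uint32_t lstatus, unsigned int skb_len)
{
    unsigned int size = lstatus & BD_LENGTH_MASK; /* full frame length */
    size -= ETH_FCS_LEN;
    size -= skb_len;        /* wraps when earlier fragments hold part of the FCS */
    return size;
}

/* Same arithmetic with a signed result: a split FCS shows up as size < 0. */
static int last_frag_size_signed(uint32_t lstatus, unsigned int skb_len)
{
    int size = (int)(lstatus & BD_LENGTH_MASK);
    size -= ETH_FCS_LEN;
    size -= (int)skb_len;
    return size;
}

/* Payload length once the last fragment is handled as the message describes:
 * size > 0 appends that many bytes, size < 0 trims the FCS bytes already
 * received, size == 0 (last fragment was only FCS) changes nothing. */
static unsigned int final_payload_len(uint32_t lstatus, unsigned int skb_len)
{
    int size = last_frag_size_signed(lstatus, skb_len);
    int len = (int)skb_len + size;
    return len > 0 ? (unsigned int)len : 0;  /* guard added for this model */
}

int main(void)
{
    /* Constructed inputs: the 1602-byte frame from the message, then two others. */
    const unsigned int cases[][2] = { {1602, 1600}, {1604, 1600}, {1700, 1600} };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t lstatus = cases[i][0];
        unsigned int have = cases[i][1];
        printf("frame=%u have=%u unsigned=%u signed=%d payload=%u\n",
               cases[i][0], have, last_frag_size_unsigned(lstatus, have),
               last_frag_size_signed(lstatus, have),
               final_payload_len(lstatus, have));
    }
    return 0;
}
```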