From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] gianfar: prevent integer wrapping in the rx handler
Date: Mon, 29 Jan 2018 14:17:37 -0500 (EST)
Message-ID: <20180129.141737.977648549224422044.davem@davemloft.net>
References: <20180126033750.GA93486@a.spacex.corp>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, claudiu.manoil@freescale.com
To: aspencer@spacex.com
Return-path:
Received: from shards.monkeyblade.net ([184.105.139.130]:48366 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751072AbeA2TSY (ORCPT ); Mon, 29 Jan 2018 14:18:24 -0500
In-Reply-To: <20180126033750.GA93486@a.spacex.corp>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Andy Spencer
Date: Thu, 25 Jan 2018 19:37:50 -0800

> When the frame check sequence (FCS) is split across the last two frames
> of a fragmented packet, part of the FCS gets counted twice, once when
> subtracting the FCS, and again when subtracting the previously received
> data.
>
> For example, if 1602 bytes are received, and the first fragment contains
> the first 1600 bytes (including the first two bytes of the FCS), and the
> second fragment contains the last two bytes of the FCS:
>
> 'skb->len == 1600' from the first fragment
>
> size = lstatus & BD_LENGTH_MASK; # 1602
> size -= ETH_FCS_LEN;             # 1598
> size -= skb->len;                # -2
>
> Since the size is unsigned, it wraps around and causes a BUG later in
> the packet handling, as shown below:
>
> kernel BUG at ./include/linux/skbuff.h:2068!
> Oops: Exception in kernel mode, sig: 5 [#1]
> ...
> NIP [c021ec60] skb_pull+0x24/0x44
> LR [c01e2fbc] gfar_clean_rx_ring+0x498/0x690
> Call Trace:
> [df7edeb0] [c01e2c1c] gfar_clean_rx_ring+0xf8/0x690 (unreliable)
> [df7edf20] [c01e33a8] gfar_poll_rx_sq+0x3c/0x9c
> [df7edf40] [c023352c] net_rx_action+0x21c/0x274
> [df7edf90] [c0329000] __do_softirq+0xd8/0x240
> [df7edff0] [c000c108] call_do_irq+0x24/0x3c
> [c0597e90] [c00041dc] do_IRQ+0x64/0xc4
> [c0597eb0] [c000d920] ret_from_except+0x0/0x18
> --- interrupt: 501 at arch_cpu_idle+0x24/0x5c
>
> Change the size to a signed integer and then trim off any part of the
> FCS that was received prior to the last fragment.
>
> Fixes: 6c389fc931bc ("gianfar: fix size of scatter-gathered frames")
> Signed-off-by: Andy Spencer

Applied.
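As an added illustration (not code from the gianfar driver, from the patch, or from anyone in this thread), here are the two computations from the quoted description side by side in C: the unsigned arithmetic that wraps for the 1602-byte / 1600-byte case, and a signed version that trims the FCS bytes already received, as the patch description calls for. ETH_FCS_LEN is the kernel's real value; BD_LENGTH_MASK, struct toy_skb and every function name below are assumptions made for this example only.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_FCS_LEN 4                 /* real kernel value: 4-byte CRC at the end of a frame */
#define BD_LENGTH_MASK 0x0000ffffu    /* assumption for this example: low 16 bits of lstatus hold the length */

/* Constructed stand-in for the sk_buff length bookkeeping; not the kernel's struct. */
struct toy_skb {
    unsigned int len;   /* payload bytes accumulated from earlier fragments */
};

/* Pre-fix arithmetic exactly as quoted in the mail, with an unsigned size.
 * lstatus = 1602 and skb_len = 1600 gives 1602 - 4 - 1600, which is not -2
 * but 0xfffffffe once it wraps. */
unsigned int last_frag_size_unsigned(uint32_t lstatus, unsigned int skb_len)
{
    unsigned int size = lstatus & BD_LENGTH_MASK;
    size -= ETH_FCS_LEN;
    size -= skb_len;
    return size;
}

/* Guard with the same shape as the check that fires in the quoted trace:
 * a pull larger than the buffer is refused. Returns 1 if the pull is legal. */
int pull_is_legal(const struct toy_skb *skb, unsigned int n)
{
    return n <= skb->len;
}

/* Post-fix arithmetic modelled on the mail's description (assumed shape, not
 * the driver's exact code): size is signed, and a negative result means that
 * many FCS bytes already arrived in an earlier fragment and must be trimmed
 * off the skb instead of being added. Returns the payload bytes the last
 * fragment contributes and leaves skb->len at the final payload length. */
int last_frag_size_signed(uint32_t lstatus, struct toy_skb *skb)
{
    int size = (int)(lstatus & BD_LENGTH_MASK);
    size -= ETH_FCS_LEN;
    size -= (int)skb->len;
    if (size > 0) {
        skb->len += (unsigned int)size;     /* real payload in the last fragment */
    } else if (size < 0) {
        skb->len -= (unsigned int)(-size);  /* FCS tail counted twice: trim it */
        size = 0;
    }
    return size;
}

/* Helper: final payload length on the fixed path for a given total length
 * and number of bytes already received. */
unsigned int final_len_after_fix(uint32_t lstatus, unsigned int prior_len)
{
    struct toy_skb skb = { .len = prior_len };
    last_frag_size_signed(lstatus, &skb);
    return skb.len;
}

int main(void)
{
    unsigned int bad = last_frag_size_unsigned(1602, 1600);
    struct toy_skb skb = { .len = 1600 };

    printf("unsigned size = %u, pull of that many bytes legal: %d\n",
           bad, pull_is_legal(&skb, bad));
    int contrib = last_frag_size_signed(1602, &skb);
    printf("signed path: last fragment adds %d byte(s), final len %u\n",
           contrib, skb.len);
    return 0;
}
```

Run as-is, the unsigned path produces 4294967294, a length no buffer can satisfy, which is the condition the quoted BUG reports; the signed path reports that the last fragment contributes nothing and leaves the skb at 1598 bytes, the frame with its four-byte FCS removed. A case where the last fragment carries real payload (say 1000 bytes received before a 1602-byte total) gives 598 added bytes and the same 1598-byte result.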