From: David Miller
Subject: Re: [PATCH v2 net] net: aquantia: memory corruption on jumbo frames
Date: Mon, 17 Sep 2018 08:15:20 -0700 (PDT)
Message-ID: <20180917.081520.1792531317539601050.davem@davemloft.net>
In-Reply-To: <67762c5cd115c74d743ba184c97def9a4734eebd.1537021802.git.igor.russkikh@aquantia.com>
To: igor.russkikh@aquantia.com
Cc: nikita.danilov@aquantia.com, netdev@vger.kernel.org, f.gerold@b-c-s.de

From: Igor Russkikh
Date: Sat, 15 Sep 2018 18:03:39 +0300

> From: Friedemann Gerold
>
> This patch fixes skb_shared area, which will be corrupted
> upon reception of 4K jumbo packets.
>
> Originally build_skb usage purpose was to reuse page for skb to eliminate
> needs of extra fragments. But that logic does not take into account that
> skb_shared_info should be reserved at the end of skb data area.
>
> In case packet data consumes all the page (4K), skb_shinfo location
> overflows the page. As a consequence, __build_skb zeroed shinfo data above
> the allocated page, corrupting next page.
>
> The issue is rarely seen in real life because jumbo are normally larger
> than 4K and that causes another code path to trigger.
> But it is 100% reproducible with simple scapy packet, like:
>
>     sendp(IP(dst="192.168.100.3") / TCP(dport=443) \
>           / Raw(RandString(size=(4096-40))), iface="enp1s0")
>
> Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
>
> Reported-by: Friedemann Gerold
> Reported-by: Michael Rauch
> Signed-off-by: Friedemann Gerold
> Tested-by: Nikita Danilov
> Signed-off-by: Igor Russkikh

Applied and queued up for -stable.
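
The overflow condition described in the quoted commit message, modelled in userspace C as an added example (not code from the patch or from the aquantia driver). The 4K page size comes from the message; the 64-byte cache line, the 320-byte skb_shared_info size, the placement of shinfo directly after the frame data, and all function names are assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed values for this model; the real ones depend on arch and kernel config. */
#define MODEL_PAGE_SIZE   4096u /* one RX page, the "4K" of the commit message */
#define MODEL_CACHE_BYTES 64u   /* stand-in for SMP_CACHE_BYTES */
#define MODEL_SHINFO_SIZE 320u  /* stand-in for sizeof(struct skb_shared_info) */

/* Round up to a cache line, as the kernel's SKB_DATA_ALIGN() does. */
static size_t model_data_align(size_t n)
{
    return (n + MODEL_CACHE_BYTES - 1) & ~(size_t)(MODEL_CACHE_BYTES - 1);
}

/* Tail bytes that must stay free in the buffer for skb_shared_info. */
static size_t shinfo_reserve(void)
{
    return model_data_align(MODEL_SHINFO_SIZE);
}

/* Model assumption: shinfo starts right after the frame data in the same page.
 * Returns how many bytes of shinfo would land beyond the page (0 = it fits). */
static size_t shinfo_overrun(size_t frame_len)
{
    size_t end = frame_len + shinfo_reserve();
    return end > MODEL_PAGE_SIZE ? end - MODEL_PAGE_SIZE : 0;
}

/* Largest frame that can be wrapped in place with shinfo still inside the page. */
static size_t max_inplace_len(void)
{
    return MODEL_PAGE_SIZE - shinfo_reserve();
}

/* Guard: reuse the page for the skb only when shinfo fits behind the data. */
static int can_build_in_place(size_t frame_len)
{
    return shinfo_overrun(frame_len) == 0;
}

int main(void)
{
    size_t lens[] = {1500, 3776, 3777, 4096}; /* constructed sample lengths */
    printf("max in-place frame length: %zu\n", max_inplace_len());
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%zu in_place=%d overrun=%zu\n", lens[i],
               can_build_in_place(lens[i]), shinfo_overrun(lens[i]));
    return 0;
}
```

With these assumed sizes, a frame that fills the whole page leaves the entire reserved shinfo area in the following page, which is the case the commit message describes.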