From: Jakub Kicinski <kuba@kernel.org>
To: qikeyu2017@gmail.com
Cc: Jakub Kicinski <kuba@kernel.org>,
johannes@sipsolutions.net, pabeni@redhat.com,
chandrashekar.devegowda@intel.com, edumazet@google.com,
loic.poulain@oss.qualcomm.com, ryazanov.s.a@gmail.com,
haijun.liu@mediatek.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, andrew+netdev@lunn.ch,
ricardo.martinez@linux.intel.com,
chiranjeevi.rapolu@linux.intel.com, davem@davemloft.net
Subject: Re: net: wwan: t7xx: fix potential skb->frags overflow in RX path
Date: Sun, 25 Jan 2026 14:34:43 -0800 [thread overview]
Message-ID: <20260125223443.3404985-1-kuba@kernel.org> (raw)
In-Reply-To: <20260121091853.1758-2-qikeyu2017@gmail.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
net: wwan: t7xx: fix potential skb->frags overflow in RX path
This patch adds a bounds check to prevent skb->frags[] array overflow
when the modem firmware sends packets with excessive fragments. The fix
adds a check for nr_frags >= MAX_SKB_FRAGS before calling skb_add_rx_frag().
> diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> index b76bea6ab2d7..b041e6f48732 100644
> --- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> +++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> @@ -395,6 +395,7 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
> struct sk_buff *skb)
> {
> unsigned long long data_bus_addr, data_base_addr;
> + struct skb_shared_info *shinfo = skb_shinfo(skb);
> struct device *dev = rxq->dpmaif_ctrl->dev;
> struct dpmaif_bat_page *page_info;
> unsigned int data_len;
> @@ -407,13 +408,16 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
> if (!page_info->page)
> return -EINVAL;
>
> + if (shinfo->nr_frags >= MAX_SKB_FRAGS)
> + return -EINVAL;
When this new error path is taken, it appears that page_info->page has
already had its DMA mapping removed via dma_unmap_page() earlier in the
function, but the page itself is not freed (put_page is not called) and
page_info->page is not set to NULL.
Could this cause a page leak? On this error path:
- dma_unmap_page() has already been called
- page_info->page still holds a reference to the page
- t7xx_dpmaif_set_bat_mask() is not called in the caller t7xx_dpmaif_get_frag()
When the device is eventually torn down, t7xx_dpmaif_bat_free() will
iterate all entries and call t7xx_unmap_bat_page(), which will call
dma_unmap_page() again on the same (now stale) data_bus_addr. Is there a
concern about calling dma_unmap_page() twice for the same mapping?
It looks like the page cleanup on this error path should either:
- Move the new bounds check before dma_unmap_page(), or
- Add put_page() and set page_info->page = NULL on the error path
> +
> data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h);
[ ... ]
--
pw-bot: cr
prev parent reply other threads:[~2026-01-25 22:34 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-21 9:18 [PATCH] net: wwan: t7xx: fix potential skb->frags overflow in RX path Kery Qi
2026-01-25 22:34 ` Jakub Kicinski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260125223443.3404985-1-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=chandrashekar.devegowda@intel.com \
--cc=chiranjeevi.rapolu@linux.intel.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=haijun.liu@mediatek.com \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=loic.poulain@oss.qualcomm.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=qikeyu2017@gmail.com \
--cc=ricardo.martinez@linux.intel.com \
--cc=ryazanov.s.a@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox