* [PATCH net 0/2] octeon_ep, octeon_ep_vf: fix skb frags overflow in the RX path @ 2026-07-01 11:28 Maoyi Xie 2026-07-01 11:28 ` [PATCH net 1/2] octeon_ep: " Maoyi Xie 2026-07-01 11:28 ` [PATCH net 2/2] octeon_ep_vf: " Maoyi Xie 0 siblings, 2 replies; 5+ messages in thread From: Maoyi Xie @ 2026-07-01 11:28 UTC (permalink / raw) To: Veerasenareddy Burru, Sathesh Edara Cc: Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev, linux-kernel The PF (octeon_ep) and VF (octeon_ep_vf) RX paths add one skb fragment per buffer_size chunk of a multi-buffer packet. Neither bounds the count against MAX_SKB_FRAGS. The packet length comes from the device. A long packet yields about 18 fragments. The default MAX_SKB_FRAGS is 17, so the last skb_add_rx_frag() overflows frags[]. Both patches drop such a packet, matching the recent fixes in atlantic and t7xx. Patch 1 fixes the PF, patch 2 the VF. This was posted as an inquiry on 2026-06-23 with no reply: https://lore.kernel.org/r/178219996724.2539184.5129396914438743404@maoyixie.com Maoyi Xie (2): octeon_ep: fix skb frags overflow in the RX path octeon_ep_vf: fix skb frags overflow in the RX path .../net/ethernet/marvell/octeon_ep/octep_rx.c | 6 ++++++ .../ethernet/marvell/octeon_ep_vf/octep_vf_rx.c | 17 +++++++++++++++++ 2 files changed, 23 insertions(+) -- 2.34.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH net 1/2] octeon_ep: fix skb frags overflow in the RX path 2026-07-01 11:28 [PATCH net 0/2] octeon_ep, octeon_ep_vf: fix skb frags overflow in the RX path Maoyi Xie @ 2026-07-01 11:28 ` Maoyi Xie 2026-07-01 13:31 ` Maciej Fijalkowski 2026-07-01 11:28 ` [PATCH net 2/2] octeon_ep_vf: " Maoyi Xie 1 sibling, 1 reply; 5+ messages in thread From: Maoyi Xie @ 2026-07-01 11:28 UTC (permalink / raw) To: Veerasenareddy Burru, Sathesh Edara Cc: Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev, linux-kernel __octep_oq_process_rx() builds an skb for a multi-buffer packet by adding one fragment per buffer_size chunk: data_len = buff_info->len - oq->max_single_buffer_size; while (data_len) { ... skb_add_rx_frag(skb, shinfo->nr_frags, buff_info->page, 0, buff_info->len, buff_info->len); ... } buff_info->len comes from the device response header (be64_to_cpu(resp_hw->length)). Nothing bounds the fragment count against MAX_SKB_FRAGS. data_len can be close to 65535. buffer_size defaults to about 3776 on 4K pages, so a full packet yields about 18 fragments. That is one more than the default MAX_SKB_FRAGS of 17, so skb_add_rx_frag() writes past shinfo->frags[]. The driver now drops a packet that would need more fragments than the skb can hold. octep_oq_drop_rx() consumes its descriptors, as on the build_skb failure path. The same class was fixed in other RX paths, including commit 5ffcb7b890f6 ("net: atlantic: fix fragment overflow handling in RX path") and commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path"). Fixes: 37d79d059606 ("octeon_ep: add Tx/Rx processing and interrupt support") Co-developed-by: Kaixuan Li <kaixuan.li@ntu.edu.sg> Signed-off-by: Kaixuan Li <kaixuan.li@ntu.edu.sg> Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> --- drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c b/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c index e6ebc7e44a00c..4ee911b6c0107 100644 --- a/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c +++ b/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c @@ -476,6 +476,12 @@ static int __octep_oq_process_rx(struct octep_device *oct, skb_put(skb, oq->max_single_buffer_size); shinfo = skb_shinfo(skb); data_len = buff_info->len - oq->max_single_buffer_size; + if (DIV_ROUND_UP(data_len, oq->buffer_size) > MAX_SKB_FRAGS) { + dev_kfree_skb_any(skb); + octep_oq_drop_rx(oq, buff_info, + &read_idx, &desc_used); + continue; + } while (data_len) { buff_info = (struct octep_rx_buffer *) &oq->buff_info[read_idx]; -- 2.34.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net 1/2] octeon_ep: fix skb frags overflow in the RX path 2026-07-01 11:28 ` [PATCH net 1/2] octeon_ep: " Maoyi Xie @ 2026-07-01 13:31 ` Maciej Fijalkowski 0 siblings, 0 replies; 5+ messages in thread From: Maciej Fijalkowski @ 2026-07-01 13:31 UTC (permalink / raw) To: Maoyi Xie Cc: Veerasenareddy Burru, Sathesh Edara, Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev, linux-kernel On Wed, Jul 01, 2026 at 07:28:24PM +0800, Maoyi Xie wrote: > __octep_oq_process_rx() builds an skb for a multi-buffer packet by adding > one fragment per buffer_size chunk: > > data_len = buff_info->len - oq->max_single_buffer_size; > while (data_len) { > ... > skb_add_rx_frag(skb, shinfo->nr_frags, buff_info->page, 0, > buff_info->len, buff_info->len); > ... > } > > buff_info->len comes from the device response header > (be64_to_cpu(resp_hw->length)). Nothing bounds the fragment count against > MAX_SKB_FRAGS. data_len can be close to 65535. buffer_size defaults to > about 3776 on 4K pages, so a full packet yields about 18 fragments. That > is one more than the default MAX_SKB_FRAGS of 17, so skb_add_rx_frag() > writes past shinfo->frags[]. > > The driver now drops a packet that would need more fragments than the skb > can hold. octep_oq_drop_rx() consumes its descriptors, as on the build_skb > failure path. The same class was fixed in other RX paths, including > commit 5ffcb7b890f6 ("net: atlantic: fix fragment overflow handling in RX > path") and commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags > overflow in RX path"). > > Fixes: 37d79d059606 ("octeon_ep: add Tx/Rx processing and interrupt support") > Co-developed-by: Kaixuan Li <kaixuan.li@ntu.edu.sg> > Signed-off-by: Kaixuan Li <kaixuan.li@ntu.edu.sg> > Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> > --- > drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c b/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c > index e6ebc7e44a00c..4ee911b6c0107 100644 > --- a/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c > +++ b/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c > @@ -476,6 +476,12 @@ static int __octep_oq_process_rx(struct octep_device *oct, > skb_put(skb, oq->max_single_buffer_size); > shinfo = skb_shinfo(skb); > data_len = buff_info->len - oq->max_single_buffer_size; > + if (DIV_ROUND_UP(data_len, oq->buffer_size) > MAX_SKB_FRAGS) { > + dev_kfree_skb_any(skb); > + octep_oq_drop_rx(oq, buff_info, > + &read_idx, &desc_used); nit: would it make sense to pass data_len to octep_oq_drop_rx() to avoid re-calculation here But besides, wouldn't this be better to do even before build_skb() call ? > + continue; > + } > while (data_len) { > buff_info = (struct octep_rx_buffer *) > &oq->buff_info[read_idx]; > -- > 2.34.1 > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH net 2/2] octeon_ep_vf: fix skb frags overflow in the RX path 2026-07-01 11:28 [PATCH net 0/2] octeon_ep, octeon_ep_vf: fix skb frags overflow in the RX path Maoyi Xie 2026-07-01 11:28 ` [PATCH net 1/2] octeon_ep: " Maoyi Xie @ 2026-07-01 11:28 ` Maoyi Xie 2026-07-01 14:17 ` Maciej Fijalkowski 1 sibling, 1 reply; 5+ messages in thread From: Maoyi Xie @ 2026-07-01 11:28 UTC (permalink / raw) To: Veerasenareddy Burru, Sathesh Edara Cc: Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev, linux-kernel __octep_vf_oq_process_rx() has the same unbounded fragment loop as the PF driver. buff_info->len comes from the device response header, and one fragment is added per buffer_size chunk with no check against MAX_SKB_FRAGS. A long packet yields about 18 fragments, one past the default MAX_SKB_FRAGS of 17, so skb_add_rx_frag() writes past shinfo->frags[]. The driver now drops a packet that would need more fragments than the skb can hold. It drains the descriptors the same way the build_skb failure path does. Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support") Co-developed-by: Kaixuan Li <kaixuan.li@ntu.edu.sg> Signed-off-by: Kaixuan Li <kaixuan.li@ntu.edu.sg> Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> --- .../ethernet/marvell/octeon_ep_vf/octep_vf_rx.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c index d982474082423..2e666df26b4c3 100644 --- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c +++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c @@ -463,6 +463,23 @@ static int __octep_vf_oq_process_rx(struct octep_vf_device *oct, shinfo = skb_shinfo(skb); data_len = buff_info->len - oq->max_single_buffer_size; + if (DIV_ROUND_UP(data_len, oq->buffer_size) > MAX_SKB_FRAGS) { + dev_kfree_skb_any(skb); + while (data_len) { + dma_unmap_page(oq->dev, oq->desc_ring[read_idx].buffer_ptr, + PAGE_SIZE, DMA_FROM_DEVICE); + buff_info = (struct octep_vf_rx_buffer *) + &oq->buff_info[read_idx]; + buff_info->page = NULL; + if (data_len < oq->buffer_size) + data_len = 0; + else + data_len -= oq->buffer_size; + desc_used++; + read_idx = octep_vf_oq_next_idx(oq, read_idx); + } + continue; + } while (data_len) { dma_unmap_page(oq->dev, oq->desc_ring[read_idx].buffer_ptr, PAGE_SIZE, DMA_FROM_DEVICE); -- 2.34.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net 2/2] octeon_ep_vf: fix skb frags overflow in the RX path 2026-07-01 11:28 ` [PATCH net 2/2] octeon_ep_vf: " Maoyi Xie @ 2026-07-01 14:17 ` Maciej Fijalkowski 0 siblings, 0 replies; 5+ messages in thread From: Maciej Fijalkowski @ 2026-07-01 14:17 UTC (permalink / raw) To: Maoyi Xie Cc: Veerasenareddy Burru, Sathesh Edara, Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev, linux-kernel On Wed, Jul 01, 2026 at 07:28:25PM +0800, Maoyi Xie wrote: > __octep_vf_oq_process_rx() has the same unbounded fragment loop as the PF > driver. buff_info->len comes from the device response header, and one > fragment is added per buffer_size chunk with no check against > MAX_SKB_FRAGS. A long packet yields about 18 fragments, one past the > default MAX_SKB_FRAGS of 17, so skb_add_rx_frag() writes past > shinfo->frags[]. > > The driver now drops a packet that would need more fragments than the skb > can hold. It drains the descriptors the same way the build_skb failure > path does. > > Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support") > Co-developed-by: Kaixuan Li <kaixuan.li@ntu.edu.sg> > Signed-off-by: Kaixuan Li <kaixuan.li@ntu.edu.sg> > Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> > --- > .../ethernet/marvell/octeon_ep_vf/octep_vf_rx.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c > index d982474082423..2e666df26b4c3 100644 > --- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c > +++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c > @@ -463,6 +463,23 @@ static int __octep_vf_oq_process_rx(struct octep_vf_device *oct, > > shinfo = skb_shinfo(skb); > data_len = buff_info->len - oq->max_single_buffer_size; > + if (DIV_ROUND_UP(data_len, oq->buffer_size) > MAX_SKB_FRAGS) { > + dev_kfree_skb_any(skb); > + while (data_len) { > + dma_unmap_page(oq->dev, oq->desc_ring[read_idx].buffer_ptr, > + PAGE_SIZE, DMA_FROM_DEVICE); > + buff_info = (struct octep_vf_rx_buffer *) > + &oq->buff_info[read_idx]; > + buff_info->page = NULL; > + if (data_len < oq->buffer_size) > + data_len = 0; > + else > + data_len -= oq->buffer_size; > + desc_used++; > + read_idx = octep_vf_oq_next_idx(oq, read_idx); > + } > + continue; > + } same suggestion/question here pluse there seems to be a bunch of repeated code between linear and non-linear skb processing paths... > while (data_len) { > dma_unmap_page(oq->dev, oq->desc_ring[read_idx].buffer_ptr, > PAGE_SIZE, DMA_FROM_DEVICE); > -- > 2.34.1 > > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-07-01 14:18 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-07-01 11:28 [PATCH net 0/2] octeon_ep, octeon_ep_vf: fix skb frags overflow in the RX path Maoyi Xie 2026-07-01 11:28 ` [PATCH net 1/2] octeon_ep: " Maoyi Xie 2026-07-01 13:31 ` Maciej Fijalkowski 2026-07-01 11:28 ` [PATCH net 2/2] octeon_ep_vf: " Maoyi Xie 2026-07-01 14:17 ` Maciej Fijalkowski
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox