diff mbox series

[1/1] ice: fix array overflow on receiving too many fragments for a packet

Message ID 20201207011415.463-1-ruc_zhangxiaohui@163.com (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series [1/1] ice: fix array overflow on receiving too many fragments for a packet | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit fail Errors and warnings before: 0 this patch: 4
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch warning CHECK: Alignment should match open parenthesis
netdev/build_allmodconfig_warn fail Errors and warnings before: 0 this patch: 5
netdev/header_inline success Link
netdev/stable success Stable not CCed

Commit Message

Xiaohui Zhang Dec. 7, 2020, 1:14 a.m. UTC
From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>

If the hardware receives an oversized packet with too many rx fragments,
skb_shinfo(skb)->frags can overflow and corrupt memory of adjacent pages.
This becomes especially visible if it corrupts the freelist pointer of
a slab page.

Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
---
 drivers/net/ethernet/intel/ice/ice_txrx.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

kernel test robot Dec. 7, 2020, 9 a.m. UTC | #1
Hi Xiaohui,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on tnguy-next-queue/dev-queue]
[also build test WARNING on v5.10-rc7 next-20201204]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Xiaohui-Zhang/ice-fix-array-overflow-on-receiving-too-many-fragments-for-a-packet/20201207-141033
base:   https://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue.git dev-queue
config: riscv-allyesconfig (attached as .config)
compiler: riscv64-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/b3906f69dcad641195cbf1ce9af3e9105a6f72e1
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Xiaohui-Zhang/ice-fix-array-overflow-on-receiving-too-many-fragments-for-a-packet/20201207-141033
        git checkout b3906f69dcad641195cbf1ce9af3e9105a6f72e1
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=riscv 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   In file included from include/vdso/processor.h:10,
                    from arch/riscv/include/asm/processor.h:11,
                    from include/linux/prefetch.h:15,
                    from drivers/net/ethernet/intel/ice/ice_txrx.c:6:
   arch/riscv/include/asm/vdso/processor.h: In function 'cpu_relax':
   arch/riscv/include/asm/vdso/processor.h:14:2: error: implicit declaration of function 'barrier' [-Werror=implicit-function-declaration]
      14 |  barrier();
         |  ^~~~~~~
   drivers/net/ethernet/intel/ice/ice_txrx.c: In function 'ice_add_rx_frag':
>> drivers/net/ethernet/intel/ice/ice_txrx.c:828:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
     828 |  struct skb_shared_info *shinfo = skb_shinfo(skb);
         |  ^~~~~~
>> drivers/net/ethernet/intel/ice/ice_txrx.c:831:24: warning: passing argument 2 of 'skb_add_rx_frag' makes integer from pointer without a cast [-Wint-conversion]
     831 |   skb_add_rx_frag(skb, shinfo, rx_buf->page,
         |                        ^~~~~~
         |                        |
         |                        struct skb_shared_info *
   In file included from include/net/net_namespace.h:39,
                    from include/linux/netdevice.h:37,
                    from include/trace/events/xdp.h:8,
                    from include/linux/bpf_trace.h:5,
                    from drivers/net/ethernet/intel/ice/ice_txrx.c:8:
   include/linux/skbuff.h:2187:47: note: expected 'int' but argument is of type 'struct skb_shared_info *'
    2187 | void skb_add_rx_frag(struct sk_buff *skb, int i, struct page *page, int off,
         |                                           ~~~~^
   cc1: some warnings being treated as errors

vim +828 drivers/net/ethernet/intel/ice/ice_txrx.c

   825	
   826		if (!size)
   827			return;
 > 828		struct skb_shared_info *shinfo = skb_shinfo(skb);
   829	
   830		if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
 > 831			skb_add_rx_frag(skb, shinfo, rx_buf->page,
   832				rx_buf->page_offset, size, truesize);
   833		}
   834	
   835		/* page is being used so we must update the page offset */
   836		ice_rx_buf_adjust_pg_offset(rx_buf, truesize);
   837	}
   838	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
diff mbox series

Patch

diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index eae75260f..f0f034fa5 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -823,8 +823,12 @@  ice_add_rx_frag(struct ice_ring *rx_ring, struct ice_rx_buf *rx_buf,
 
 	if (!size)
 		return;
-	skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, rx_buf->page,
+	struct skb_shared_info *shinfo = skb_shinfo(skb);
+
+	if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
+		skb_add_rx_frag(skb, shinfo, rx_buf->page,
 			rx_buf->page_offset, size, truesize);
+	}
 
 	/* page is being used so we must update the page offset */
 	ice_rx_buf_adjust_pg_offset(rx_buf, truesize);