| Message ID | 20240709111747.247-2-paul.barker.ct@bp.renesas.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Backport fix for use-after-free in ravb driver | expand |
Hi, > -----Original Message----- > From: Paul Barker <paul.barker.ct@bp.renesas.com> > Sent: Tuesday, July 9, 2024 8:18 PM > To: Pavel Machek <pavel@denx.de> > Cc: Paul Barker <paul.barker.ct@bp.renesas.com>; iwamatsu nobuhiro(岩松 > 信洋 ○DITC□DIT○OST) <nobuhiro1.iwamatsu@toshiba.co.jp>; > Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>; Biju Das > <biju.das.jz@bp.renesas.com>; cip-dev@lists.cip-project.org > Subject: [PATCH RESEND 6.1.y-cip 1/1] net: ravb: Fix GbEth jumbo packet RX > checksum handling > > commit c7c449502b51c5b5de79f97a42be750b28f6ecee upstream. > > Sending a 7kB ping packet to the RZ/G2L in v6.9-rc2 causes the following > backtrace: > > WARNING: CPU: 0 PID: 0 at include/linux/skbuff.h:3127 > skb_trim+0x30/0x38 > Hardware name: Renesas SMARC EVK based on r9a07g044l2 (DT) > pc : skb_trim+0x30/0x38 > lr : ravb_rx_csum_gbeth+0x40/0x90 > Call trace: > skb_trim+0x30/0x38 > ravb_rx_gbeth+0x56c/0x5cc > ravb_poll+0xa0/0x204 > __napi_poll+0x38/0x17c > > This is caused by ravb_rx_gbeth() calling ravb_rx_csum_gbeth() with the > wrong skb for a packet which spans multiple descriptors. To fix this, use the > correct skb. > > Fixes: c2da9408579d ("ravb: Add Rx checksum offload support for GbEth") > Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com> > Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> > Signed-off-by: Paolo Abeni <pabeni@redhat.com> > > [backported to 6.1.y-cip] > Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com> > Reviewed-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp> > Reviewed-by: Pavel Machek <pavel@denx.de> > --- > drivers/net/ethernet/renesas/ravb_main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > Applied, thanks. Best regards, Nobuhiro
diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c index dda7fb410657..07771bdf0fc7 100644 --- a/drivers/net/ethernet/renesas/ravb_main.c +++ b/drivers/net/ethernet/renesas/ravb_main.c @@ -897,7 +897,7 @@ static bool ravb_rx_gbeth(struct net_device *ndev, int *quota, int q) priv->rx_1st_skb->protocol = eth_type_trans(priv->rx_1st_skb, ndev); if (ndev->features & NETIF_F_RXCSUM) - ravb_rx_csum_gbeth(skb); + ravb_rx_csum_gbeth(priv->rx_1st_skb); napi_gro_receive(&priv->napi[q], priv->rx_1st_skb); stats->rx_packets++;
commit c7c449502b51c5b5de79f97a42be750b28f6ecee upstream. Sending a 7kB ping packet to the RZ/G2L in v6.9-rc2 causes the following backtrace: WARNING: CPU: 0 PID: 0 at include/linux/skbuff.h:3127 skb_trim+0x30/0x38 Hardware name: Renesas SMARC EVK based on r9a07g044l2 (DT) pc : skb_trim+0x30/0x38 lr : ravb_rx_csum_gbeth+0x40/0x90 Call trace: skb_trim+0x30/0x38 ravb_rx_gbeth+0x56c/0x5cc ravb_poll+0xa0/0x204 __napi_poll+0x38/0x17c This is caused by ravb_rx_gbeth() calling ravb_rx_csum_gbeth() with the wrong skb for a packet which spans multiple descriptors. To fix this, use the correct skb. Fixes: c2da9408579d ("ravb: Add Rx checksum offload support for GbEth") Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> Signed-off-by: Paolo Abeni <pabeni@redhat.com> [backported to 6.1.y-cip] Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com> Reviewed-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp> Reviewed-by: Pavel Machek <pavel@denx.de> --- drivers/net/ethernet/renesas/ravb_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)