refill_rx() and start_tx() do not check if mapping dma memory succeed.
The patch adds the checks and failure handling.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/net/ethernet/natsemi/natsemi.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/net/ethernet/natsemi/natsemi.c b/drivers/net/ethernet/natsemi/natsemi.c
index b83f7c0fcf99..282e59d66a52 100644
--- a/drivers/net/ethernet/natsemi/natsemi.c
+++ b/drivers/net/ethernet/natsemi/natsemi.c
@@ -1937,6 +1937,12 @@ static void refill_rx(struct net_device *dev)
break; /* Better luck next round. */
np->rx_dma[entry] = pci_map_single(np->pci_dev,
skb->data, buflen, PCI_DMA_FROMDEVICE);
+ if (pci_dma_mapping_error(np->pci_dev,
+ np->rx_dma[entry])) {
+ dev_kfree_skb_any(skb);
+ np->rx_skbuff[entry] = NULL;
+ break; /* Better luck next round. */
+ }
np->rx_ring[entry].addr = cpu_to_le32(np->rx_dma[entry]);
}
np->rx_ring[entry].cmd_status = cpu_to_le32(np->rx_buf_sz);
@@ -2093,6 +2099,10 @@ static netdev_tx_t start_tx(struct sk_buff *skb, struct net_device *dev)
np->tx_skbuff[entry] = skb;
np->tx_dma[entry] = pci_map_single(np->pci_dev,
skb->data,skb->len, PCI_DMA_TODEVICE);
+ if (pci_dma_mapping_error(np->pci_dev, np->tx_dma[entry])) {
+ np->tx_skbuff[entry] = NULL;
+ return NETDEV_TX_BUSY;
+ }
np->tx_ring[entry].addr = cpu_to_le32(np->tx_dma[entry]);
--
1.9.1
From: Alexey Khoroshilov <[email protected]>
Date: Sat, 19 Dec 2015 00:55:37 +0300
> @@ -2093,6 +2099,10 @@ static netdev_tx_t start_tx(struct sk_buff *skb, struct net_device *dev)
> np->tx_skbuff[entry] = skb;
> np->tx_dma[entry] = pci_map_single(np->pci_dev,
> skb->data,skb->len, PCI_DMA_TODEVICE);
> + if (pci_dma_mapping_error(np->pci_dev, np->tx_dma[entry])) {
> + np->tx_skbuff[entry] = NULL;
> + return NETDEV_TX_BUSY;
> + }
>
> np->tx_ring[entry].addr = cpu_to_le32(np->tx_dma[entry]);
>
Returning NETDEV_TX_BUSY and freeing the SKB will crash the system.
NETDEV_TX_BUSY is only for buggy drivers that do not manage their
TX ring busy condition correctly, and thus need retries.
On 19.12.2015 05:36, David Miller wrote:
> From: Alexey Khoroshilov <[email protected]>
> Date: Sat, 19 Dec 2015 00:55:37 +0300
>
>> @@ -2093,6 +2099,10 @@ static netdev_tx_t start_tx(struct sk_buff
*skb, struct net_device *dev)
>> np->tx_skbuff[entry] = skb;
>> np->tx_dma[entry] = pci_map_single(np->pci_dev,
>> skb->data,skb->len, PCI_DMA_TODEVICE);
>> + if (pci_dma_mapping_error(np->pci_dev, np->tx_dma[entry])) {
>> + np->tx_skbuff[entry] = NULL;
>> + return NETDEV_TX_BUSY;
>> + }
>>
>> np->tx_ring[entry].addr = cpu_to_le32(np->tx_dma[entry]);
>>
>
> Returning NETDEV_TX_BUSY and freeing the SKB will crash the system.
I do not quite understand what do you mean by 'freeing the SKB'.
At least the patch left skb untouched.
But I saw such pattern, for example, in
drivers/net/ethernet/freescale/fec_main.c:
addr = dma_map_single(&fep->pdev->dev, data, size, DMA_TO_DEVICE);
if (dma_mapping_error(&fep->pdev->dev, addr)) {
dev_kfree_skb_any(skb);
if (net_ratelimit())
netdev_err(ndev, "Tx DMA memory map failed\n");
return NETDEV_TX_BUSY;
}
>
> NETDEV_TX_BUSY is only for buggy drivers that do not manage their
> TX ring busy condition correctly, and thus need retries.
Ok, I will replace NETDEV_TX_BUSY by dropping the packet.
--
Alexey
refill_rx() and start_tx() do not check if mapping dma memory succeed.
The patch adds the checks and failure handling.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/net/ethernet/natsemi/natsemi.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/net/ethernet/natsemi/natsemi.c b/drivers/net/ethernet/natsemi/natsemi.c
index b83f7c0fcf99..122c2ee3dfe2 100644
--- a/drivers/net/ethernet/natsemi/natsemi.c
+++ b/drivers/net/ethernet/natsemi/natsemi.c
@@ -1937,6 +1937,12 @@ static void refill_rx(struct net_device *dev)
break; /* Better luck next round. */
np->rx_dma[entry] = pci_map_single(np->pci_dev,
skb->data, buflen, PCI_DMA_FROMDEVICE);
+ if (pci_dma_mapping_error(np->pci_dev,
+ np->rx_dma[entry])) {
+ dev_kfree_skb_any(skb);
+ np->rx_skbuff[entry] = NULL;
+ break; /* Better luck next round. */
+ }
np->rx_ring[entry].addr = cpu_to_le32(np->rx_dma[entry]);
}
np->rx_ring[entry].cmd_status = cpu_to_le32(np->rx_buf_sz);
@@ -2093,6 +2099,12 @@ static netdev_tx_t start_tx(struct sk_buff *skb, struct net_device *dev)
np->tx_skbuff[entry] = skb;
np->tx_dma[entry] = pci_map_single(np->pci_dev,
skb->data,skb->len, PCI_DMA_TODEVICE);
+ if (pci_dma_mapping_error(np->pci_dev, np->tx_dma[entry])) {
+ np->tx_skbuff[entry] = NULL;
+ dev_kfree_skb_irq(skb);
+ dev->stats.tx_dropped++;
+ return NETDEV_TX_OK;
+ }
np->tx_ring[entry].addr = cpu_to_le32(np->tx_dma[entry]);
--
1.9.1
From: Alexey Khoroshilov <[email protected]>
Date: Sat, 19 Dec 2015 15:06:45 +0300
> On 19.12.2015 05:36, David Miller wrote:
>> From: Alexey Khoroshilov <[email protected]>
>> Date: Sat, 19 Dec 2015 00:55:37 +0300
>>
>>> @@ -2093,6 +2099,10 @@ static netdev_tx_t start_tx(struct sk_buff
> *skb, struct net_device *dev)
>>> np->tx_skbuff[entry] = skb;
>>> np->tx_dma[entry] = pci_map_single(np->pci_dev,
>>> skb->data,skb->len, PCI_DMA_TODEVICE);
>>> + if (pci_dma_mapping_error(np->pci_dev, np->tx_dma[entry])) {
>>> + np->tx_skbuff[entry] = NULL;
>>> + return NETDEV_TX_BUSY;
>>> + }
>>>
>>> np->tx_ring[entry].addr = cpu_to_le32(np->tx_dma[entry]);
>>>
>>
>> Returning NETDEV_TX_BUSY and freeing the SKB will crash the system.
>
> I do not quite understand what do you mean by 'freeing the SKB'.
> At least the patch left skb untouched.
Sorry, I misread your patch, I thought I saw a kfree there but
obviously there isn't.
>> NETDEV_TX_BUSY is only for buggy drivers that do not manage their
>> TX ring busy condition correctly, and thus need retries.
>
> Ok, I will replace NETDEV_TX_BUSY by dropping the packet.
Thanks.
From: Alexey Khoroshilov <[email protected]>
Date: Sat, 19 Dec 2015 15:13:49 +0300
> refill_rx() and start_tx() do not check if mapping dma memory succeed.
> The patch adds the checks and failure handling.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <[email protected]>
Applied, thanks.