An issue was found on the RTL8125b when transmitting small fragmented
packets, whereby invalid entries were inserted into the transmit ring
buffer, subsequently leading to calls to dma_unmap_single() with a null
address.
This was caused by rtl8169_start_xmit() not noticing changes to nr_frags
which may occur when small packets are padded (to work around hardware
quirks) in rtl8169_tso_csum_v2().
To fix this, postpone inspecting nr_frags until after any padding has been
applied.
Fixes: 9020845fb5d6 ("r8169: improve rtl8169_start_xmit")
Cc: [email protected]
Signed-off-by: Ken Milmore <[email protected]>
---
drivers/net/ethernet/realtek/r8169_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
index 86a6d4225bc..9b0ef00b99d 100644
--- a/drivers/net/ethernet/realtek/r8169_main.c
+++ b/drivers/net/ethernet/realtek/r8169_main.c
@@ -4337,11 +4337,11 @@ static void rtl8169_doorbell(struct rtl8169_private *tp)
static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,
struct net_device *dev)
{
- unsigned int frags = skb_shinfo(skb)->nr_frags;
struct rtl8169_private *tp = netdev_priv(dev);
unsigned int entry = tp->cur_tx % NUM_TX_DESC;
struct TxDesc *txd_first, *txd_last;
bool stop_queue, door_bell;
+ unsigned int frags;
u32 opts[2];
if (unlikely(!rtl_tx_slots_avail(tp))) {
@@ -4364,6 +4364,7 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,
txd_first = tp->TxDescArray + entry;
+ frags = skb_shinfo(skb)->nr_frags;
if (frags) {
if (rtl8169_xmit_frags(tp, skb, opts, entry))
goto err_dma_1;
--
2.39.2
On 22.05.2024 00:45, Ken Milmore wrote:
> An issue was found on the RTL8125b when transmitting small fragmented
> packets, whereby invalid entries were inserted into the transmit ring
> buffer, subsequently leading to calls to dma_unmap_single() with a null
> address.
>
> This was caused by rtl8169_start_xmit() not noticing changes to nr_frags
> which may occur when small packets are padded (to work around hardware
> quirks) in rtl8169_tso_csum_v2().
>
> To fix this, postpone inspecting nr_frags until after any padding has been
> applied.
>
> Fixes: 9020845fb5d6 ("r8169: improve rtl8169_start_xmit")
> Cc: [email protected]
> Signed-off-by: Ken Milmore <[email protected]>
> ---
Reviewed-by: Heiner Kallweit <[email protected]>
Hello:
This patch was applied to netdev/net.git (main)
by Paolo Abeni <[email protected]>:
On Tue, 21 May 2024 23:45:50 +0100 you wrote:
> An issue was found on the RTL8125b when transmitting small fragmented
> packets, whereby invalid entries were inserted into the transmit ring
> buffer, subsequently leading to calls to dma_unmap_single() with a null
> address.
>
> This was caused by rtl8169_start_xmit() not noticing changes to nr_frags
> which may occur when small packets are padded (to work around hardware
> quirks) in rtl8169_tso_csum_v2().
>
> [...]
Here is the summary with links:
- [net,v2] r8169: Fix possible ring buffer corruption on fragmented Tx packets.
https://git.kernel.org/netdev/net/c/c71e3a5cffd5
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html