Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp468974pxu; Tue, 5 Jan 2021 16:54:40 -0800 (PST) X-Google-Smtp-Source: ABdhPJykoxnNNDIAsRSIGnLcfNApGmIK475bCl8xGM3lqJ3g8aMUtPFo9qhTgB9Xyp3AHOOVxODE X-Received: by 2002:a50:ed04:: with SMTP id j4mr2324135eds.84.1609894480607; Tue, 05 Jan 2021 16:54:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1609894480; cv=none; d=google.com; s=arc-20160816; b=NiMfCR9+PFFC++GpOzm6eQuaWMFFfdhbufr2NZWqqAEsgnl2Z7WjEviSP2QfB2HZVn vB91NVaCW1Yd4APJjOKa1+EuPogHJ4tAcS2VWce6001QNz4oTax5XL9W64fW4STVgvuU tR2PrLz9FvenQYiG7K2uq6/BUkkzOJJcj7Zby3BQZ6pBYHgO2JTUmQnEH1HA518M/HxY e8uY4e0JXAqu+3skkRvez3k3h0bbf8vC26FWaZbIjAK5MhdL9i8eyw1luOcTbfsJ7FrN 91UzbmUe3+49+156D7Ad6MrcxJMMsK9LjelGKLsAh6Ll2CLsBNAJZh+/fKUDXqejhc/p jeWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date; bh=cdqdPoVpAMUIJrmeIxMtu1a76vVY8b89Q661c3cfMF4=; b=EMPlFs/LN+J6nxf+gAW4JxMSy6Vghers3eeaKInH1KimOe/g1aP0yHjpC3+Bvpy+FP bDt4aFoH2Rix7vQAUCPPczqcFy9WyFi5U1n0Qt6DzQ5QAi/6YbLAEFYo96BpRH/T8RIv EbpbkC3EydO7NpWuA6qVWaKzr2SQtDF13Gn9uqMBG0mUy1Xa0QsVpCa3Msyw4b1wXYIE G9AouDIjsfFmr+CpxqRPAbOMybTPdIJbUpThw4UElYI5J8GhLa51nA0nUz6Fjy7JNfG0 Iszldet5g2aFBQzYBCdjLBmx+p71HSksBjoCrO+/HnzTx/MHkCe9GLAtX2bMCVxvYecE TCnQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y11si300362ejd.56.2021.01.05.16.54.17; Tue, 05 Jan 2021 16:54:40 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726730AbhAFAx3 convert rfc822-to-8bit (ORCPT + 99 others); Tue, 5 Jan 2021 19:53:29 -0500 Received: from shards.monkeyblade.net ([23.128.96.9]:56964 "EHLO mail.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726038AbhAFAx2 (ORCPT ); Tue, 5 Jan 2021 19:53:28 -0500 Received: from localhost (unknown [IPv6:2601:601:9f00:477::3d5]) by mail.monkeyblade.net (Postfix) with ESMTPSA id A281B4CBCE120; Tue, 5 Jan 2021 16:52:47 -0800 (PST) Date: Tue, 05 Jan 2021 16:52:47 -0800 (PST) Message-Id: <20210105.165247.1975563309057158543.davem@davemloft.net> To: jks@iki.fi Cc: bjorn@mork.no, kuba@kernel.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, lkp@intel.com, mrkiko.rs@gmail.com, netdev@vger.kernel.org, oliver@neukum.org Subject: Re: [PATCH net,stable v3] net: cdc_ncm: correct overhead in delayed_ndp_size From: David Miller In-Reply-To: <20210105045249.5590-1-jks@iki.fi> References: <20210103202309.1201-1-jks@iki.fi> <20210105045249.5590-1-jks@iki.fi> X-Mailer: Mew version 6.8 on Emacs 27.1 Mime-Version: 1.0 Content-Type: Text/Plain; charset=iso-8859-1 Content-Transfer-Encoding: 8BIT X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (mail.monkeyblade.net [0.0.0.0]); Tue, 05 Jan 2021 16:52:48 -0800 (PST) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jouni Sepp?nen Date: Tue, 5 Jan 2021 06:52:49 +0200 > From: Jouni K. Sepp?nen > > Aligning to tx_ndp_modulus is not sufficient because the next align > call can be cdc_ncm_align_tail, which can add up to ctx->tx_modulus + > ctx->tx_remainder - 1 bytes. This used to lead to occasional crashes > on a Huawei 909s-120 LTE module as follows: > > - the condition marked /* if there is a remaining skb [...] */ is true > so the swaps happen > - skb_out is set from ctx->tx_curr_skb > - skb_out->len is exactly 0x3f52 > - ctx->tx_curr_size is 0x4000 and delayed_ndp_size is 0xac > (note that the sum of skb_out->len and delayed_ndp_size is 0x3ffe) > - the for loop over n is executed once > - the cdc_ncm_align_tail call marked /* align beginning of next frame */ > increases skb_out->len to 0x3f56 (the sum is now 0x4002) > - the condition marked /* check if we had enough room left [...] */ is > false so we break out of the loop > - the condition marked /* If requested, put NDP at end of frame. */ is > true so the NDP is written into skb_out > - now skb_out->len is 0x4002, so padding_count is minus two interpreted > as an unsigned number, which is used as the length argument to memset, > leading to a crash with various symptoms but usually including > >> Call Trace: >> >> cdc_ncm_fill_tx_frame+0x83a/0x970 [cdc_ncm] >> cdc_mbim_tx_fixup+0x1d9/0x240 [cdc_mbim] >> usbnet_start_xmit+0x5d/0x720 [usbnet] > > The cdc_ncm_align_tail call first aligns on a ctx->tx_modulus > boundary (adding at most ctx->tx_modulus-1 bytes), then adds > ctx->tx_remainder bytes. Alternatively, the next alignment call can > occur in cdc_ncm_ndp16 or cdc_ncm_ndp32, in which case at most > ctx->tx_ndp_modulus-1 bytes are added. > > A similar problem has occurred before, and the code is nontrivial to > reason about, so add a guard before the crashing call. By that time it > is too late to prevent any memory corruption (we'll have written past > the end of the buffer already) but we can at least try to get a warning > written into an on-disk log by avoiding the hard crash caused by padding > past the buffer with a huge number of zeros. > > Signed-off-by: Jouni K. Sepp?nen > Fixes: 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end of NCM frame") > Link: https://bugzilla.kernel.org/show_bug.cgi?id=209407 > Reported-by: kernel test robot > Reviewed-by: Bj?rn Mork Applied and queued up for -stable, thanks.