Received: by 2002:ab2:1347:0:b0:1f4:ac9d:b246 with SMTP id g7csp335659lqg; Thu, 11 Apr 2024 04:47:40 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWr8bJZdgYMeCA4U1ve2yx0szD7DU+h6lK3x+vSQ6EVFzAR6bKHHfd++4E2ak2m99ZaXK+MrQauNwcGyAIg+0iJSlmHNm2oVIa3lAIw1Q== X-Google-Smtp-Source: AGHT+IHMaPgYeRgpR8l5AxRFdTqye2QnnaoGogeXgEGqV6DVwIz2fu2/SZgomRfd2N3L2wxDEe1h X-Received: by 2002:a05:620a:1456:b0:78d:3b37:eb09 with SMTP id i22-20020a05620a145600b0078d3b37eb09mr5073365qkl.28.1712836059789; Thu, 11 Apr 2024 04:47:39 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712836059; cv=pass; d=google.com; s=arc-20160816; b=kLCnJEFpdNp7zmtrBY9OzFhekgZ66F4XjJXYp1SiigCYcqaXrj5bveC/QG6iUUorRw Rc9nFovrztBZGy9vtZrSC70vNhzjGhAFzuzxoLUCYaqz8RfV9raDAJtDhC6syBXDj1E4 6r7ZqLN90qOqho416A5X9Qb5yOh33uzt5v7E4NiYzxTfYlloXeU6U+fL4or9Xnde6Pno xu2RMCWViLuhT5b87lXKb1iXt1ZkinpS2rJ4+lkfKSi6Zq6UElATuoAdKE1e7c6rn074 3ERMSCquTHcAD21pF8FOqcVImr6rcn1GMjDqpAl0ZzTp4jLfcTLYQQtiadb0jLDuRhxn JMBw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from; bh=l9o+l4ernhuqjmBHutV9wDzhiDDbswL+jFPr4H1h1Ic=; fh=l55LBwCPu+wSDalSufX0aRSb1ticG861yGU2rLmDH4k=; b=POR9SRJ/ioz/siC4qfUr09J4EnYjX67JKcls364ZlEdcic4JzH58ximK4RLSaC09Wp AnVXGIBDooWXu+N6NGY/bY8BiEWoCIKrZcYtYNWmgEuVJLS4JpeIzk31TenoVq8yB6Oj 2UyUakQJSEbFMR+fsBvDcYAg8x359sb5VHLOEcAIweZM99DTk5jse19icD4Edy795nJg UiICpPU7Ev5cnGkKl99fq12VC28X2LA6De09/AOjMy6gPc6bD7WizRdPOytsvibJ/YhK sr6alWOejdP2QgDShhM0CnXyyya7eE6/NM+jsn1IWEtNahFpqI7kwOEfBhoimuf0gvRT Sqiw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=bp.renesas.com dmarc=pass fromdomain=bp.renesas.com); spf=pass (google.com: domain of linux-kernel+bounces-140374-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-140374-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=renesas.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id vu14-20020a05620a560e00b0078ec516dee7si583354qkn.485.2024.04.11.04.47.39 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Apr 2024 04:47:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-140374-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=bp.renesas.com dmarc=pass fromdomain=bp.renesas.com); spf=pass (google.com: domain of linux-kernel+bounces-140374-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-140374-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=renesas.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 6E2571C220AE for ; Thu, 11 Apr 2024 11:47:30 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 886A014EC61; Thu, 11 Apr 2024 11:45:14 +0000 (UTC) Received: from relmlie6.idc.renesas.com (relmlor2.renesas.com [210.160.252.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id DB4AA14E2D2; Thu, 11 Apr 2024 11:45:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=210.160.252.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712835914; cv=none; b=a9Ewb6GUrEgfCkSPzHCVKXd8HzV4Ju8DhDdXLa4P5XGZxXYde1F4r+gQa/3sS2oo9SZ6SA1+Dxn2iGfJ9SuOqsW3eiVRGlD6YoWUGoVN9vrYevQu88hY/KvbbewtPIZdGOq91fZgVrNCW2iCt3lD1KplFudW1zttgdSoPLw6CHI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712835914; c=relaxed/simple; bh=xzaNmpas9IX7MCCSyZu3dKk1kInftLGPetmtFm3BUL8=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=SyOFPtCO+Byd+i9arYMb96BdcBKj/wTRh3ccQcSFm1hQelDuftjkD0qoe6JJc7BSZnR/TBp0QYnIhmG9dKM7jpll+dwYdYk8WJKIn7+hEbma+uKBcw/+bsuxwGVehj0WJW+Yj7IsiXfwmePA6uz2OFfRPobNLmFuVKg7APHJGPg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=bp.renesas.com; spf=pass smtp.mailfrom=bp.renesas.com; arc=none smtp.client-ip=210.160.252.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=bp.renesas.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=bp.renesas.com X-IronPort-AV: E=Sophos;i="6.07,193,1708354800"; d="scan'208";a="205076292" Received: from unknown (HELO relmlir6.idc.renesas.com) ([10.200.68.152]) by relmlie6.idc.renesas.com with ESMTP; 11 Apr 2024 20:45:11 +0900 Received: from renesas-deb12.cephei.uk (unknown [10.226.93.85]) by relmlir6.idc.renesas.com (Postfix) with ESMTP id C47C242017DE; Thu, 11 Apr 2024 20:45:07 +0900 (JST) From: Paul Barker To: Sergey Shtylyov , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , =?UTF-8?q?Niklas=20S=C3=B6derlund?= , Geert Uytterhoeven Cc: Paul Barker , netdev@vger.kernel.org, linux-renesas-soc@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net 4/4] net: ravb: Fix RX byte accounting for jumbo packets Date: Thu, 11 Apr 2024 12:44:33 +0100 Message-Id: <20240411114434.26186-5-paul.barker.ct@bp.renesas.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240411114434.26186-1-paul.barker.ct@bp.renesas.com> References: <20240411114434.26186-1-paul.barker.ct@bp.renesas.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit The RX byte accounting for jumbo packets was changed to fix a potential use-after-free bug. However, that fix used the wrong variable and so only accounted for the number of bytes in the final descriptor, not the number of bytes in the whole packet. To fix this, we can simply update our stats with the correct number of bytes before calling napi_gro_receive(). Also rename pkt_len to desc_len in ravb_rx_gbeth() to avoid any future confusion. The variable name pkt_len is correct in ravb_rx_rcar() as that function does not handle packets spanning multiple descriptors. Fixes: 5a5a3e564de6 ("ravb: Fix potential use-after-free in ravb_rx_gbeth()") Signed-off-by: Paul Barker --- drivers/net/ethernet/renesas/ravb_main.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c index e1e39f65224c..c4ac9fbe0af4 100644 --- a/drivers/net/ethernet/renesas/ravb_main.c +++ b/drivers/net/ethernet/renesas/ravb_main.c @@ -769,7 +769,7 @@ static bool ravb_rx_gbeth(struct net_device *ndev, int *quota, int q) dma_addr_t dma_addr; int rx_packets = 0; u8 desc_status; - u16 pkt_len; + u16 desc_len; u8 die_dt; int entry; int limit; @@ -787,10 +787,10 @@ static bool ravb_rx_gbeth(struct net_device *ndev, int *quota, int q) /* Descriptor type must be checked before all other reads */ dma_rmb(); desc_status = desc->msc; - pkt_len = le16_to_cpu(desc->ds_cc) & RX_DS; + desc_len = le16_to_cpu(desc->ds_cc) & RX_DS; /* We use 0-byte descriptors to mark the DMA mapping errors */ - if (!pkt_len) + if (!desc_len) continue; if (desc_status & MSC_MC) @@ -811,25 +811,25 @@ static bool ravb_rx_gbeth(struct net_device *ndev, int *quota, int q) switch (die_dt) { case DT_FSINGLE: skb = ravb_get_skb_gbeth(ndev, entry, desc); - skb_put(skb, pkt_len); + skb_put(skb, desc_len); skb->protocol = eth_type_trans(skb, ndev); if (ndev->features & NETIF_F_RXCSUM) ravb_rx_csum_gbeth(skb); napi_gro_receive(&priv->napi[q], skb); rx_packets++; - stats->rx_bytes += pkt_len; + stats->rx_bytes += desc_len; break; case DT_FSTART: priv->rx_1st_skb = ravb_get_skb_gbeth(ndev, entry, desc); - skb_put(priv->rx_1st_skb, pkt_len); + skb_put(priv->rx_1st_skb, desc_len); break; case DT_FMID: skb = ravb_get_skb_gbeth(ndev, entry, desc); skb_copy_to_linear_data_offset(priv->rx_1st_skb, priv->rx_1st_skb->len, skb->data, - pkt_len); - skb_put(priv->rx_1st_skb, pkt_len); + desc_len); + skb_put(priv->rx_1st_skb, desc_len); dev_kfree_skb(skb); break; case DT_FEND: @@ -837,17 +837,17 @@ static bool ravb_rx_gbeth(struct net_device *ndev, int *quota, int q) skb_copy_to_linear_data_offset(priv->rx_1st_skb, priv->rx_1st_skb->len, skb->data, - pkt_len); - skb_put(priv->rx_1st_skb, pkt_len); + desc_len); + skb_put(priv->rx_1st_skb, desc_len); dev_kfree_skb(skb); priv->rx_1st_skb->protocol = eth_type_trans(priv->rx_1st_skb, ndev); if (ndev->features & NETIF_F_RXCSUM) ravb_rx_csum_gbeth(priv->rx_1st_skb); + stats->rx_bytes += priv->rx_1st_skb->len; napi_gro_receive(&priv->napi[q], priv->rx_1st_skb); rx_packets++; - stats->rx_bytes += pkt_len; break; } } -- 2.39.2