Commit 5dcf3a5b authored Jan 13, 2025 by Russell King (Oracle) Committed by GONG Ruiqi Jan 13, 2025

net: stmmac: fix TSO DMA API usage causing oops

stable inclusion
from stable-v6.6.68
commit db3667c9bbfbbf5de98e6c9542f7e03fb5243286
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBFBOF
CVE: CVE-2024-56719

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=db3667c9bbfbbf5de98e6c9542f7e03fb5243286

--------------------------------

[ Upstream commit 4c49f38e20a57f8abaebdf95b369295b153d1f8e ]

Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap
for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s
members to be later in stmmac_tso_xmit().

The buf (dma cookie) and len stored in this structure are passed to
dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that
the dma cookie passed to dma_unmap_single() is the same as the value
returned from dma_map_single(). However, by moving the assignment
later, this is not the case when priv->dma_cap.addr64 > 32 as "des"
is offset by proto_hdr_len.

This causes problems such as:

  dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed

and with DMA_API_DEBUG enabled:

  DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]

Fix this by maintaining "des" as the original DMA cookie, and use
tso_des to pass the offset DMA cookie to stmmac_tso_allocator().

Full details of the crashes can be found at:
https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/
https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/



Reported-by: Jon Hunter <jonathanh@nvidia.com>
Reported-by: Thierry Reding <thierry.reding@gmail.com>
Fixes: 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data")
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Furong Xu <0x1207@gmail.com>
Link: https://patch.msgid.link/E1tJXcx-006N4Z-PC@rmk-PC.armlinux.org.uk


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: GONG Ruiqi <gongruiqi1@huawei.com>

parent 628e30bc

drivers/net/ethernet/stmicro/stmmac/stmmac_main.c

+4 −3

Original line number	Original line	Diff line number	Diff line
	@@ -4136,9 +4136,9 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff skb, struct net_device dev)
	int tmp_pay_len = 0, first_tx;		int tmp_pay_len = 0, first_tx;
	struct stmmac_tx_queue *tx_q;		struct stmmac_tx_queue *tx_q;
	bool has_vlan, set_ic;		bool has_vlan, set_ic;
			dma_addr_t tso_des, des;
	u8 proto_hdr_len, hdr;		u8 proto_hdr_len, hdr;
	u32 pay_len, mss;		u32 pay_len, mss;
	dma_addr_t des;
	int i;		int i;

	tx_q = &priv->dma_conf.tx_queue[queue];		tx_q = &priv->dma_conf.tx_queue[queue];
	@@ -4223,14 +4223,15 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff skb, struct net_device dev)

	/* If needed take extra descriptors to fill the remaining payload */		/* If needed take extra descriptors to fill the remaining payload */
	tmp_pay_len = pay_len - TSO_MAX_BUFF_SIZE;		tmp_pay_len = pay_len - TSO_MAX_BUFF_SIZE;
			tso_des = des;
	} else {		} else {
	stmmac_set_desc_addr(priv, first, des);		stmmac_set_desc_addr(priv, first, des);
	tmp_pay_len = pay_len;		tmp_pay_len = pay_len;
	des += proto_hdr_len;		tso_des = des + proto_hdr_len;
	pay_len = 0;		pay_len = 0;
	}		}

	stmmac_tso_allocator(priv, des, tmp_pay_len, (nfrags == 0), queue);		stmmac_tso_allocator(priv, tso_des, tmp_pay_len, (nfrags == 0), queue);

	/* In case two or more DMA transmit descriptors are allocated for this		/* In case two or more DMA transmit descriptors are allocated for this
	* non-paged SKB data, the DMA buffer address should be saved to		* non-paged SKB data, the DMA buffer address should be saved to