Commit 7b7963b6 authored by Ken Milmore's avatar Ken Milmore Committed by Liu Jian
Browse files

r8169: Fix possible ring buffer corruption on fragmented Tx packets. 

stable inclusion
from stable-v6.6.33
commit 68222d7b4b72aa321135cd453dac37f00ec41fd1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SF4
CVE: CVE-2024-38586

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=68222d7b4b72aa321135cd453dac37f00ec41fd1



---------------------------

commit c71e3a5cffd5309d7f84444df03d5b72600cc417 upstream.

An issue was found on the RTL8125b when transmitting small fragmented
packets, whereby invalid entries were inserted into the transmit ring
buffer, subsequently leading to calls to dma_unmap_single() with a null
address.

This was caused by rtl8169_start_xmit() not noticing changes to nr_frags
which may occur when small packets are padded (to work around hardware
quirks) in rtl8169_tso_csum_v2().

To fix this, postpone inspecting nr_frags until after any padding has been
applied.

Fixes: 9020845f ("r8169: improve rtl8169_start_xmit")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarKen Milmore <ken.milmore@gmail.com>
Reviewed-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
Link: https://lore.kernel.org/r/27ead18b-c23d-4f49-a020-1fc482c5ac95@gmail.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>
parent 307f7fa9

drivers/net/ethernet/realtek/r8169_main.c

+2 −1
Original line number Diff line number Diff line
@@ -4246,11 +4246,11 @@ static void rtl8169_doorbell(struct rtl8169_private *tp) 
static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,

				      struct net_device *dev)

{

	unsigned int frags = skb_shinfo(skb)->nr_frags;

	struct rtl8169_private *tp = netdev_priv(dev);

	unsigned int entry = tp->cur_tx % NUM_TX_DESC;

	struct TxDesc *txd_first, *txd_last;

	bool stop_queue, door_bell;

	unsigned int frags;

	u32 opts[2];



	if (unlikely(!rtl_tx_slots_avail(tp))) {
@@ -4273,6 +4273,7 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb, 


	txd_first = tp->TxDescArray + entry;



	frags = skb_shinfo(skb)->nr_frags;

	if (frags) {

		if (rtl8169_xmit_frags(tp, skb, opts, entry))

			goto err_dma_1;