Commit def045a5 authored by Ken Milmore's avatar Ken Milmore Committed by Liu Jian
Browse files

r8169: Fix possible ring buffer corruption on fragmented Tx packets. 

mainline inclusion
from mainline-v6.10-rc1
commit c71e3a5cffd5309d7f84444df03d5b72600cc417
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SF4
CVE: CVE-2024-38586

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c71e3a5cffd5309d7f84444df03d5b72600cc417



---------------------------

An issue was found on the RTL8125b when transmitting small fragmented
packets, whereby invalid entries were inserted into the transmit ring
buffer, subsequently leading to calls to dma_unmap_single() with a null
address.

This was caused by rtl8169_start_xmit() not noticing changes to nr_frags
which may occur when small packets are padded (to work around hardware
quirks) in rtl8169_tso_csum_v2().

To fix this, postpone inspecting nr_frags until after any padding has been
applied.

Fixes: 9020845f ("r8169: improve rtl8169_start_xmit")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarKen Milmore <ken.milmore@gmail.com>
Reviewed-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
Link: https://lore.kernel.org/r/27ead18b-c23d-4f49-a020-1fc482c5ac95@gmail.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>

Conflicts:
	drivers/net/ethernet/realtek/r8169_main.c
[We did not backport bd4bdeb4.]
Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>
parent 14449093

drivers/net/ethernet/realtek/r8169_main.c

+2 −1
Original line number Diff line number Diff line
@@ -4285,11 +4285,11 @@ static void rtl8169_doorbell(struct rtl8169_private *tp) 
static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,

				      struct net_device *dev)

{

	unsigned int frags = skb_shinfo(skb)->nr_frags;

	struct rtl8169_private *tp = netdev_priv(dev);

	unsigned int entry = tp->cur_tx % NUM_TX_DESC;

	struct TxDesc *txd_first, *txd_last;

	bool stop_queue, door_bell;

	unsigned int frags;

	u32 opts[2];



	txd_first = tp->TxDescArray + entry;
@@ -4315,6 +4315,7 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb, 
				    entry, false)))

		goto err_dma_0;



	frags = skb_shinfo(skb)->nr_frags;

	if (frags) {

		if (rtl8169_xmit_frags(tp, skb, opts, entry))

			goto err_dma_1;