From patchwork Thu Sep 23 23:50:58 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1531971 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=OZj3WmDD; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4HFsQj4fMdz9t6g for ; Fri, 24 Sep 2021 09:52:13 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mTYVX-0001to-Ss; Thu, 23 Sep 2021 23:52:03 +0000 Received: from smtp-relay-canonical-1.internal ([10.131.114.174] helo=smtp-relay-canonical-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mTYVV-0001t1-2o for kernel-team@lists.ubuntu.com; Thu, 23 Sep 2021 23:52:01 +0000 Received: from localhost.localdomain (1.general.cascardo.us.vpn [10.172.70.58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-1.canonical.com (Postfix) with ESMTPSA id 2F929412AC for ; Thu, 23 Sep 2021 23:51:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1632441120; bh=2NmsvVDizGZX3dYfKLzpK2i8HJiy6YJHC+upPyqVyvk=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=OZj3WmDDKLeYGd8uU8vHIn9K0ZKZK20OcBSdPQvhme3+jUOzoZ7+cOvN42sTecDkM 6MKeJZCcN4NwyoyRTQmwugmryF/deAcvRGUEgk8cXenzqUwO6M9UUQ/Him6nupjybi 4QcEHisPzI4LgMrTuhvmcnL4VrJilxpRNUbrw7lQjix5nBKREqRGluaxhcwUF7iKA7 +F8izMp7Aaf9xQslW9OxaZpfAWzfcTr6CIlGJMsyEFqGxzaLCg31CR5vG/dpzfeKr1 41sxeE7xHjwqoXGoqzKDN5awWHQwi1EriPKc+dpnQ7RpMVURLYDQc4vzAvqIX5QK4Z DB59s1icn5Icw== From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [SRU focal/linux-hwe-5.8 1/4] net: ll_temac: Fix TX BD buffer overwrite Date: Thu, 23 Sep 2021 20:50:58 -0300 Message-Id: <20210923235101.49134-2-cascardo@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210923235101.49134-1-cascardo@canonical.com> References: <20210923235101.49134-1-cascardo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Esben Haabendal Just as the initial check, we need to ensure num_frag+1 buffers available, as that is the number of buffers we are going to use. This fixes a buffer overflow, which might be seen during heavy network load. Complete lockup of TEMAC was reproducible within about 10 minutes of a particular load. Fixes: 84823ff80f74 ("net: ll_temac: Fix race condition causing TX hang") Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Esben Haabendal Signed-off-by: David S. Miller (cherry picked from commit c364df2489b8ef2f5e3159b1dff1ff1fdb16040d) CVE-2021-38207 Signed-off-by: Thadeu Lima de Souza Cascardo --- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c index 030185301014..f8992e530549 100644 --- a/drivers/net/ethernet/xilinx/ll_temac_main.c +++ b/drivers/net/ethernet/xilinx/ll_temac_main.c @@ -849,7 +849,7 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) smp_mb(); /* Space might have just been freed - check again */ - if (temac_check_tx_bd_space(lp, num_frag)) + if (temac_check_tx_bd_space(lp, num_frag + 1)) return NETDEV_TX_BUSY; netif_wake_queue(ndev);