linux/drivers/net/ethernet/freescale
Andy Spencer 202a0a70e4 gianfar: prevent integer wrapping in the rx handler
When the frame check sequence (FCS) is split across the last two frames
of a fragmented packet, part of the FCS gets counted twice, once when
subtracting the FCS, and again when subtracting the previously received
data.

For example, if 1602 bytes are received, and the first fragment contains
the first 1600 bytes (including the first two bytes of the FCS), and the
second fragment contains the last two bytes of the FCS:

  'skb->len == 1600' from the first fragment

  size  = lstatus & BD_LENGTH_MASK; # 1602
  size -= ETH_FCS_LEN;              # 1598
  size -= skb->len;                 # -2

Since the size is unsigned, it wraps around and causes a BUG later in
the packet handling, as shown below:

  kernel BUG at ./include/linux/skbuff.h:2068!
  Oops: Exception in kernel mode, sig: 5 [#1]
  ...
  NIP [c021ec60] skb_pull+0x24/0x44
  LR [c01e2fbc] gfar_clean_rx_ring+0x498/0x690
  Call Trace:
  [df7edeb0] [c01e2c1c] gfar_clean_rx_ring+0xf8/0x690 (unreliable)
  [df7edf20] [c01e33a8] gfar_poll_rx_sq+0x3c/0x9c
  [df7edf40] [c023352c] net_rx_action+0x21c/0x274
  [df7edf90] [c0329000] __do_softirq+0xd8/0x240
  [df7edff0] [c000c108] call_do_irq+0x24/0x3c
  [c0597e90] [c00041dc] do_IRQ+0x64/0xc4
  [c0597eb0] [c000d920] ret_from_except+0x0/0x18
  --- interrupt: 501 at arch_cpu_idle+0x24/0x5c

Change the size to a signed integer and then trim off any part of the
FCS that was received prior to the last fragment.

Fixes: 6c389fc931 ("gianfar: fix size of scatter-gathered frames")
Signed-off-by: Andy Spencer <aspencer@spacex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-29 14:17:09 -05:00
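
The arithmetic described in the commit message above, as an added user-space C model (not the gianfar driver's code and not part of the commit). The function names, the `last_frag` struct and the sample lengths are assumptions made for illustration; the loop extends the message's 1600-byte case to other positions of the FCS split.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_FCS_LEN 4 /* same value as the kernel constant */

/* Hypothetical result type for this model. */
struct last_frag {
    uint32_t add;  /* bytes to append from the last fragment */
    uint32_t trim; /* FCS bytes to remove from data already collected */
};

/* Arithmetic from the commit message with an unsigned size (pre-fix). */
static uint32_t last_frag_size_unsigned(uint32_t frame_len, uint32_t skb_len)
{
    uint32_t size = frame_len; /* full frame length reported by the last BD */
    size -= ETH_FCS_LEN;
    size -= skb_len;           /* wraps if earlier fragments hold FCS bytes */
    return size;
}

/* Signed size; a negative result becomes a trim of already-received FCS. */
static struct last_frag last_frag_size_signed(uint32_t frame_len, uint32_t skb_len)
{
    struct last_frag r = {0, 0};
    int32_t size = (int32_t)frame_len - ETH_FCS_LEN - (int32_t)skb_len;
    if (size < 0)
        r.trim = (uint32_t)-size;
    else
        r.add = (uint32_t)size;
    return r;
}

/* Length of the assembled packet once the last fragment is handled. */
static uint32_t payload_len(uint32_t frame_len, uint32_t skb_len)
{
    struct last_frag r = last_frag_size_signed(frame_len, skb_len);
    return skb_len - r.trim + r.add;
}

int main(void)
{
    /* Constructed input: 1602-byte frame, earlier fragments hold 1596..1601 bytes. */
    for (uint32_t skb_len = 1596; skb_len <= 1601; skb_len++) {
        struct last_frag r = last_frag_size_signed(1602, skb_len);
        printf("skb->len=%u unsigned=%u signed: add=%u trim=%u payload=%u\n",
               (unsigned)skb_len, (unsigned)last_frag_size_unsigned(1602, skb_len),
               (unsigned)r.add, (unsigned)r.trim, (unsigned)payload_len(1602, skb_len));
    }
    return 0;
}
```
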
dpaa dpaa_eth: fix error return code in dpaa_eth_probe() 2017-11-08 13:24:44 +09:00
fman fsl/fman_port: mark expected switch fall-throughs 2017-11-11 18:50:33 +09:00
fs_enet net: fs_enet: do not call phy_stop() in interrupts 2018-01-17 15:44:16 -05:00
fec_main.c net: fec: add necessary defines to work on ARM64 2018-01-22 15:35:31 -05:00
fec_mpc52xx_phy.c mdio: Move allocation of interrupts into core 2016-01-07 14:31:26 -05:00
fec_mpc52xx.c net: Convert to using %pOF instead of full_name 2017-07-24 13:41:48 -07:00
fec_mpc52xx.h
fec_ptp.c net: fec: Let fec_ptp have its own interrupt routine 2017-11-08 10:36:11 +09:00
fec.h net: fec: add necessary defines to work on ARM64 2018-01-22 15:35:31 -05:00
fsl_pq_mdio.c net: Convert to using %pOF instead of full_name 2017-07-24 13:41:48 -07:00
gianfar_ethtool.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
gianfar_ptp.c net: gianfar_ptp: move set_fipers() to spinlock protecting area 2018-01-10 14:54:13 -05:00
gianfar.c gianfar: prevent integer wrapping in the rx handler 2018-01-29 14:17:09 -05:00
gianfar.h Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
Kconfig Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-12-12 19:56:15 -08:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ucc_geth_ethtool.c net: phy: Make phy_ethtool_ksettings_get return void 2017-06-13 12:59:06 -04:00
ucc_geth.c net/ethernet/freescale: fix warning for ucc_geth 2017-09-18 14:56:34 -07:00
ucc_geth.h QE: Move QE from arch/powerpc to drivers/soc 2015-12-22 17:12:56 -06:00
xgmac_mdio.c net/fsl: use of_property_read_bool 2016-08-08 16:15:00 -07:00