leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1e37d0e5bd
linux/drivers/net/usb
History
Lee Jones 2be6d4d16a net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero 
Currently, due to the sequential use of min_t() and clamp_t() macros,
in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is not set, the logic
sets tx_max to 0.  This is then used to allocate the data area of the
SKB requested later in cdc_ncm_fill_tx_frame().

This does not cause an issue presently because when memory is
allocated during initialisation phase of SKB creation, more memory
(512b) is allocated than is required for the SKB headers alone (320b),
leaving some space (512b - 320b = 192b) for CDC data (172b).

However, if more elements (for example 3 x u64 = [24b]) were added to
one of the SKB header structs, say 'struct skb_shared_info',
increasing its original size (320b [320b aligned]) to something larger
(344b [384b aligned]), then suddenly the CDC data (172b) no longer
fits in the spare SKB data area (512b - 384b = 128b).

Consequently the SKB bounds checking semantics fails and panics:

  skbuff: skb_over_panic: text:ffffffff830a5b5f len:184 put:172   \
     head:ffff888119227c00 data:ffff888119227c00 tail:0xb8 end:0x80 dev:<NULL>

  ------------[ cut here ]------------
  kernel BUG at net/core/skbuff.c:110!
  RIP: 0010:skb_panic+0x14f/0x160 net/core/skbuff.c:106
  <snip>
  Call Trace:
   <IRQ>
   skb_over_panic+0x2c/0x30 net/core/skbuff.c:115
   skb_put+0x205/0x210 net/core/skbuff.c:1877
   skb_put_zero include/linux/skbuff.h:2270 [inline]
   cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1116 [inline]
   cdc_ncm_fill_tx_frame+0x127f/0x3d50 drivers/net/usb/cdc_ncm.c:1293
   cdc_ncm_tx_fixup+0x98/0xf0 drivers/net/usb/cdc_ncm.c:1514

By overriding the max value with the default CDC_NCM_NTB_MAX_SIZE_TX
when not offered through the system provided params, we ensure enough
data space is allocated to handle the CDC data, meaning no crash will
occur.

Cc: Oliver Neukum <oliver@neukum.org>
Fixes: 289507d336 ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning")
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Reviewed-by: Bjørn Mork <bjorn@mork.no>
Link: https://lore.kernel.org/r/20211202143437.1411410-1-lee.jones@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-12-03 16:56:02 -08:00
..
aqc111.c ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
aqc111.h
asix_common.c net: usb: use eth_hw_addr_set() 2021-10-02 14:18:25 +01:00
asix_devices.c net: usb: use eth_hw_addr_set() 2021-10-02 14:18:25 +01:00
asix.h net: usb: asix: ax88772: move embedded PHY detection as early as possible 2021-08-23 12:39:41 +01:00
ax88172a.c net: usb: use eth_hw_addr_set() 2021-10-02 14:18:25 +01:00
ax88179_178a.c ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
catc.c usbb: catc: use correct API for MAC addresses 2021-10-25 15:34:02 +01:00
cdc_eem.c net: cdc_eem: fix tx fixup skb leak 2021-06-17 11:30:25 -07:00
cdc_ether.c net: usb: Fix spelling mistakes 2021-06-01 17:05:05 -07:00
cdc_mbim.c net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920 2021-09-02 13:27:11 +01:00
cdc_ncm.c net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero 2021-12-03 16:56:02 -08:00
cdc_subset.c
cdc-phonet.c net: remove single-byte netdev->dev_addr writes 2021-10-13 10:03:59 -07:00
ch9200.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
cx82310_eth.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
dm9601.c ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
gl620a.c
hso.c net: hso: fix muxed tty registration 2021-09-17 11:19:58 +01:00
huawei_cdc_ncm.c usb: class: cdc-wdm: WWAN framework integration 2021-05-11 16:17:56 -07:00
int51x1.c net: usb: Fix spelling mistakes 2021-06-01 17:05:05 -07:00
ipheth.c net: usb: use eth_hw_addr_set() 2021-10-02 14:18:25 +01:00
kalmia.c net: usb: use eth_hw_addr_set() 2021-10-02 14:18:25 +01:00
kaweth.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
Kconfig lan78xx: select CRC32 2021-10-15 14:34:35 +01:00
lan78xx.c net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available 2021-11-29 12:22:07 +00:00
lan78xx.h
lg-vl600.c net: usb: Fix spelling mistakes 2021-06-01 17:05:05 -07:00
Makefile r8153_ecm: avoid to be prior to r8152 driver 2020-11-19 08:23:46 -08:00
mcs7830.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
net1080.c net: usb: net1080: Remove in_interrupt() comment 2020-09-29 14:02:54 -07:00
pegasus.c ethernet: manually convert memcpy(dev_addr,..., sizeof(addr)) 2021-10-14 09:22:19 -07:00
pegasus.h
plusb.c
qmi_wwan.c net: qmi_wwan: use dev_addr_mod() 2021-10-22 10:15:58 -07:00
r8152.c net: usb: r8152: Add MAC passthrough support for more Lenovo Docks 2021-11-17 14:46:19 +00:00
r8153_ecm.c r8153_ecm: Add Lenovo Powered USB-C Hub as a fallback of r8152 2021-01-12 20:00:51 -08:00
rndis_host.c net: usb: use eth_hw_addr_set() instead of ether_addr_copy() 2021-10-02 14:18:25 +01:00
rtl8150.c net: usb: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
sierra_net.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
smsc75xx.c usb: smsc: use eth_hw_addr_set() 2021-10-22 10:15:56 -07:00
smsc75xx.h
smsc95xx.c net: usb: Correct PHY handling of smsc95xx 2021-11-23 12:24:41 +00:00
smsc95xx.h
sr9700.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
sr9700.h
sr9800.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
sr9800.h
usbnet.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-28 10:43:58 -07:00
zaurus.c