linux/drivers
Aaro Koskinen 223a960c01 net: stmmac: fix memory corruption with large MTUs
When using 16K DMA buffers and ring mode, the DES3 refill is not working
correctly as the function is using a bogus pointer for checking the
private data. As a result stale pointers will remain in the RX descriptor
ring, so DMA will now likely overwrite/corrupt some already freed memory.

As simple reproducer, just receive some UDP traffic:

	# ifconfig eth0 down; ifconfig eth0 mtu 9000; ifconfig eth0 up
	# iperf3 -c 192.168.253.40 -u -b 0 -R

If you didn't crash by now check the RX descriptors to find non-contiguous
RX buffers:

	cat /sys/kernel/debug/stmmaceth/eth0/descriptors_status
	[...]
	1 [0x2be5020]: 0xa3220321 0x9ffc1ffc 0x72d70082 0x130e207e
					     ^^^^^^^^^^^^^^^^^^^^^
	2 [0x2be5040]: 0xa3220321 0x9ffc1ffc 0x72998082 0x1311a07e
					     ^^^^^^^^^^^^^^^^^^^^^

A simple ping test will now report bad data:

	# ping -s 8200 192.168.253.40
	PING 192.168.253.40 (192.168.253.40) 8200(8228) bytes of data.
	8208 bytes from 192.168.253.40: icmp_seq=1 ttl=64 time=1.00 ms
	wrong data byte #8144 should be 0xd0 but was 0x88

Fix the wrong pointer. Also we must refill DES3 only if the DMA buffer
size is 16K.

Fixes: 54139cf3bb ("net: stmmac: adding multiple buffers for rx")
Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
Acked-by: Jose Abreu <joabreu@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-19 13:30:30 -07:00
..
accessibility
acpi Additional ACPI updates for 5.1-rc1 2019-03-14 10:48:14 -07:00
amba
android
ata SCSI misc on 20190306 2019-03-09 16:53:47 -08:00
atm
auxdisplay
base Additional power management updates for 5.1-rc1 2019-03-14 10:30:06 -07:00
bcma
block zram: default to lzo-rle instead of lzo 2019-03-14 14:36:20 -07:00
bluetooth Bluetooth: mediatek: add support for MediaTek MT7663U and MT7668U UART devices 2019-03-02 19:51:23 +01:00
bus ARM: SoC driver updates for 5.1 2019-03-06 09:41:12 -08:00
cdrom
char Merge branch 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-03-10 17:37:29 -07:00
clk We have a fairly balanced mix of clk driver updates and clk framework 2019-03-14 08:46:17 -07:00
clocksource ARM: New SoC family support 2019-03-06 10:15:42 -08:00
connector connector: fix unsafe usage of ->real_parent 2019-03-08 15:06:38 -08:00
cpufreq cpufreq: intel_pstate: Fix up iowait_boost computation 2019-03-12 09:47:30 +01:00
cpuidle cpuidle: governor: Add new governors to cpuidle_governors again 2019-03-12 23:46:55 +01:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-03-13 09:51:17 -07:00
dax
dca
devfreq
dio
dma dmaengine updates for v5.1-rc1 2019-03-14 09:11:54 -07:00
dma-buf
edac Merge branch 'ras-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-08 09:11:39 -08:00
eisa
extcon
firewire
firmware memblock: drop memblock_alloc_*_nopanic() variants 2019-03-12 10:04:02 -07:00
fmc
fpga
fsi
gnss
gpio pci-v5.1-changes 2019-03-09 14:57:08 -08:00
gpu mm/hmm: convert to use vm_fault_t 2019-03-12 10:04:00 -07:00
hid Merge branch 'for-5.1/wacom' into for-linus 2019-03-05 15:43:05 +01:00
hsi
hv Char/Misc driver patches for 5.1-rc1 2019-03-06 14:18:59 -08:00
hwmon hwmon: (ad7418) Add device tree probing 2019-02-25 09:06:00 -08:00
hwspinlock
hwtracing Char/Misc driver patches for 5.1-rc1 2019-03-06 14:18:59 -08:00
i2c pci-v5.1-changes 2019-03-09 14:57:08 -08:00
i3c - Add a /* fall-through */ comment in the dw-i3c-master driver 2019-03-04 19:05:02 -08:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide 2019-03-11 09:34:00 -07:00
idle
iio - New Drivers 2019-03-08 10:02:58 -08:00
infiniband XArray updates for 5.1-rc1 2019-03-11 20:06:18 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2019-03-11 10:57:11 -07:00
interconnect
iommu IOMMU Updates for Linux v5.1 2019-03-10 12:29:52 -07:00
ipack
irqchip arm64 updates for 5.1: 2019-03-10 10:17:23 -07:00
isdn mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S 2019-03-18 18:32:44 -07:00
leds platform-drivers-x86 for v5.1-1 2019-03-10 13:16:37 -07:00
lightnvm
macintosh treewide: add checks for the return value of memblock_alloc*() 2019-03-12 10:04:02 -07:00
mailbox mailbox: imx: keep MU irq working during suspend/resume 2019-03-11 02:51:43 -05:00
mcb
md md: convert to kvmalloc 2019-03-12 10:04:02 -07:00
media DMA mapping updates for 5.1 2019-03-10 11:54:48 -07:00
memory
memstick
message
mfd DMA mapping updates for 5.1 2019-03-10 11:54:48 -07:00
misc 5.1 Merge Window Pull Request 2019-03-09 15:53:03 -08:00
mmc for-5.1/block-20190302 2019-03-08 14:12:17 -08:00
mtd This pull request contains updates for both UBI and UBIFS: 2019-03-13 09:34:35 -07:00
mux
net net: stmmac: fix memory corruption with large MTUs 2019-03-19 13:30:30 -07:00
nfc
ntb
nubus
nvdimm libnvdimm for v5.1 2019-03-13 09:41:18 -07:00
nvme for-5.1/block-20190302 2019-03-08 14:12:17 -08:00
nvmem Char/Misc driver patches for 5.1-rc1 2019-03-06 14:18:59 -08:00
of of: fix kmemleak crash caused by imbalance in early memory reservation 2019-03-12 10:04:02 -07:00
opp PM / OPP: Update performance state when freq == old_freq 2019-03-12 09:45:56 +01:00
oprofile
parisc DMA mapping updates for 5.1 2019-03-10 11:54:48 -07:00
parport
pci IOMMU Updates for Linux v5.1 2019-03-10 12:29:52 -07:00
pcmcia
perf arm64 updates for 5.1: 2019-03-10 10:17:23 -07:00
phy drm next pull request for 5.1 2019-03-08 08:23:15 -08:00
pinctrl This is the bulk of pin control changes for the v5.1 kernel cycle. 2019-03-11 11:12:50 -07:00
platform chrome platform changes for v5.1 2019-03-12 09:46:32 -07:00
pnp ACPI/ACPICA: Trivial: fix spelling mistakes and fix whitespace formatting 2019-02-24 21:12:01 +01:00
power
powercap
pps
ps3
ptp Merge branch 'timers-2038-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-05 14:08:26 -08:00
pwm pwm: atmel: Remove useless symbolic definitions 2019-03-04 12:52:49 +01:00
rapidio rapidio/mport_cdev: mark expected switch fall-through 2019-03-07 18:32:02 -08:00
ras
regulator regulator: mc13xxx: Constify regulator_ops variables 2019-03-04 00:01:08 +00:00
remoteproc remoteproc updates for v5.1 2019-03-14 09:00:06 -07:00
reset
rpmsg
rtc chrome platform changes for v5.1 2019-03-12 09:46:32 -07:00
s390 s390/qeth: be drop monitor friendly 2019-03-18 18:34:45 -07:00
sbus
scsi SCSI misc on 20190306 2019-03-09 16:53:47 -08:00
sfi
sh
siox
slimbus
sn
soc ARM: SoC driver updates for 5.1 2019-03-06 09:41:12 -08:00
soundwire
spi pci-v5.1-changes 2019-03-09 14:57:08 -08:00
spmi
ssb
staging media updates for v5.1-rc1 2019-03-09 14:45:54 -08:00
target SCSI misc on 20190306 2019-03-09 16:53:47 -08:00
tc
tee ARM: SoC driver updates for 5.1 2019-03-06 09:41:12 -08:00
thermal Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal 2019-03-08 09:52:41 -08:00
thunderbolt
tty dmaengine updates for v5.1-rc1 2019-03-14 09:11:54 -07:00
uio
usb memblock: drop memblock_alloc_*_nopanic() variants 2019-03-12 10:04:02 -07:00
uwb
vfio powerpc updates for 5.1 2019-03-07 12:56:26 -08:00
vhost virtio: fixes, cleanups 2019-03-10 12:47:57 -07:00
video - Fix-ups 2019-03-08 09:58:20 -08:00
virt virt: vbox: Mark expected switch fall-through 2019-02-27 16:00:20 +01:00
virtio virtio: hint if callbacks surprisingly might sleep 2019-03-06 11:19:57 -05:00
visorbus
vlynq
vme
w1
watchdog linux-watchdog 5.1-rc1 tag 2019-03-11 11:22:15 -07:00
xen Merge branch 'akpm' (patches from Andrew) 2019-03-12 10:39:53 -07:00
zorro
Kconfig
Makefile IOMMU Updates for Linux v5.1 2019-03-10 12:29:52 -07:00