From nobody Tue Dec 2 02:43:46 2025 Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 11E4727FB18 for ; Tue, 18 Nov 2025 07:04:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763449463; cv=none; b=fmG0RMvax6nJ59duMyvQCr92fLxI62iKphuyJknsHt/ikS1hvC2dRg/sMHp5q5UUAxNWpHXMHyu10THjNUhsSVXk/37WqqdGtT3XC0mQlxuZXPTgKhlnHlKZIYf4zKeDo/QeQhsmGZrPZPxS1Q7CvYViDY5W6q2XlD+m8BVwpGA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763449463; c=relaxed/simple; bh=QM3d5KZwlDTYqlEAfpn9wkt9114sgt9NvWr/a3iuPVw=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=nEYdNk+ZqCr2wdptINuxo1rkSat3RPggq/OYIpCF1crB4juKDv/Ff+8MfSs9XxxqCFkPp3KX4ZB6kxIJ5XM0RcyYCoSfX+Kp8PgasWMH0Ej4vv+aPaMFi4u3zcL2gI2tZiBRekK7NTHRrQDfA2YWdtRieqaYAxYnVdlscGSAhc8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=CB+0rRN8; arc=none smtp.client-ip=209.85.214.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="CB+0rRN8" Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-297f35be2ffso72579815ad.2 for ; Mon, 17 Nov 2025 23:04:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1763449461; x=1764054261; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=rzPjqqd/KWxOgO2W+6Z8f1qGfvSxbwM8UkM0u1p+nzs=; b=CB+0rRN8S6YPM29bHtT6mvTzhBXs5Gkg4S14baI/Nkqk8f7/SpqAQHURjb669MZza8 B73y7NTBsryZZfx5KxHm0Rm2EFuLrQdFe3yr6CbmS/q2PWBGM1LdW0pQPvaPfjJfoakQ DadTYXlzUabjRf7bKQ2MjKdqdjHSgCW7SHaYf1i0law50W9oRwYXr/d6luwZBlNw1wHJ nyYPVn5dN9onZ+7fEZYWYdpKv8C+PM+4xtaI4hwTgGtomwgt0Lb7LRfuezGr1PWuujII oddZR7XjDQf8CIPl2GuOg7yupxGMKhtXz2aXvydYy7SAT7ETihvRhExeCVGJCLtV5Hl+ 7Opg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763449461; x=1764054261; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=rzPjqqd/KWxOgO2W+6Z8f1qGfvSxbwM8UkM0u1p+nzs=; b=bD3W2ZbyNDS6sQILZSD3FOVHigNY9lp6/NvbIsdCpiedVoHM9kNtdHeIyJbQJpe7CF liK7RKliLjfJZKsuv2V5FVNv8Kb+rxS1ZghO3/+W8H5xFbTu4i1hIAW9KaRPb6g+Fe6L soTQh7NXg9oPEqGjuiE0plgJywEobNOHijDpo/GppXLSCJusLeZzdVUe6XjNfE1FKFJn jJYbKu71lNzAqUNNeVL/fCV5RJ15vHVSrDmdvJJuvE7mpJjc1/2YDr3ZA/J7PgHZ2Inv N+f43SvE5ZJbiBRSEjScQvMZh/td60Z/CS9yalPYSWoERCJdlj5gDwBZ3Hsjg6voobxg ISGQ== X-Forwarded-Encrypted: i=1; AJvYcCUdU+yp1sKGYQLkKjFT2ZHRlz0VLlKAGUDgG997VpHWUdqWF1BFgb4K5lv//eTaqBOT0TDSLCndv1dKo1c=@vger.kernel.org X-Gm-Message-State: AOJu0YzradaR4ijIlxqlhlQPeFh7S93E7Xh30yxyOpuKkn4TgE28cvJk yPoOVBfdTmtbI/f3XsjveAk6j66wghrFEIzMyxEhIxwJ2cdqktVoqNPR X-Gm-Gg: ASbGncvm2bz4sH/gWPakuCzV+f355G+WwV62XoaYgLMGnrLGmg/Fz9FtStfuPZjFj0h jVAaNiUclJcuGWPmTAhhtzriG2QzWNHgAKs54xO8+se6T/2tSG/oBcJ8e4pEPRReBhPBk40OtQu 4qYf7wvNrLWplFEGu0KoXXzFEpPH/t7zwAaOQhyUhfXKt7vMNPLSwe/U2e8i3yfRIjwUIKXSsK3 gpH+KFqE5VT2hyqFdeB3jBbBgVrzCwGcNhhJxqWVdVHNAKdK74ZkNRePZ1X3nQUbJrwPjX+TnHg DMK171NQ0tbri1JFV/BrtpW1j7m8kjyFVWeGCzSanjkwl71ojAUVdM3sbJbQFGEHmPxx8K2WOU0 Ny8hb+rTbQmiXi5p2BzFN1AbZdy3ztnRu8d9BkMOMRF/KpHgcqcpZo8LJfEklqJsjOeDaMhubP5 kB558WMr8zMZWQ9DYJPHD+eki2 X-Google-Smtp-Source: AGHT+IEMdNz9Fmc12jWXTcv/fnh+qy3HVv4Rm1a0OlxUBcLOs1+Ombv+jZHLtgrWtNZLtivW4qfwDw== X-Received: by 2002:a17:903:1b47:b0:295:543a:f7e3 with SMTP id d9443c01a7336-2986a6f0acdmr177344435ad.27.1763449461260; Mon, 17 Nov 2025 23:04:21 -0800 (PST) Received: from gmail.com ([119.123.172.101]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2985c2345e3sm161573215ad.1.2025.11.17.23.04.18 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 17 Nov 2025 23:04:20 -0800 (PST) From: jiefeng.z.zhang@gmail.com To: netdev@vger.kernel.org Cc: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, andrew+netdev@lunn.ch, edumazet@google.com, linux-kernel@vger.kernel.org, irusskikh@marvell.com, Jiefeng Zhang Subject: [PATCH net] net: atlantic: fix fragment overflow handling in RX path Date: Tue, 18 Nov 2025 15:04:02 +0800 Message-Id: <20251118070402.56150-1-jiefeng.z.zhang@gmail.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jiefeng Zhang The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17) fragments when handling large multi-descriptor packets. This causes an out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic. The issue occurs because the driver doesn't check the total number of fragments before calling skb_add_rx_frag(). When a packet requires more than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds. Add a check in __aq_ring_rx_clean() to ensure the total number of fragments (including the initial header fragment and subsequent descriptor fragments) does not exceed MAX_SKB_FRAGS. If it does, drop the packet gracefully and increment the error counter. Signed-off-by: Jiefeng Zhang --- .../net/ethernet/aquantia/atlantic/aq_ring.c | 26 ++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net= /ethernet/aquantia/atlantic/aq_ring.c index f21de0c21e52..51e0c6cc71d7 100644 --- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c @@ -538,6 +538,7 @@ static int __aq_ring_rx_clean(struct aq_ring_s *self, s= truct napi_struct *napi, bool is_ptp_ring =3D aq_ptp_ring(self->aq_nic, self); struct aq_ring_buff_s *buff_ =3D NULL; struct sk_buff *skb =3D NULL; + unsigned int frag_cnt =3D 0U; unsigned int next_ =3D 0U; unsigned int i =3D 0U; u16 hdr_len; @@ -546,7 +547,6 @@ static int __aq_ring_rx_clean(struct aq_ring_s *self, s= truct napi_struct *napi, continue; =20 if (!buff->is_eop) { - unsigned int frag_cnt =3D 0U; buff_ =3D buff; do { bool is_rsc_completed =3D true; @@ -628,6 +628,30 @@ static int __aq_ring_rx_clean(struct aq_ring_s *self, = struct napi_struct *napi, aq_buf_vaddr(&buff->rxdata), AQ_CFG_RX_HDR_SIZE); =20 + /* Check if total fragments exceed MAX_SKB_FRAGS limit. + * The total fragment count consists of: + * - One fragment from the first buffer if (buff->len > hdr_len) + * - frag_cnt fragments from subsequent descriptors + * If the total exceeds MAX_SKB_FRAGS (17), we must drop the + * packet to prevent an out-of-bounds write in skb_add_rx_frag(). + */ + if (unlikely(((buff->len - hdr_len) > 0 ? 1 : 0) + frag_cnt > MAX_SKB_FR= AGS)) { + /* Drop packet: fragment count exceeds kernel limit */ + if (!buff->is_eop) { + buff_ =3D buff; + do { + next_ =3D buff_->next; + buff_ =3D &self->buff_ring[next_]; + buff_->is_cleaned =3D 1; + } while (!buff_->is_eop); + } + u64_stats_update_begin(&self->stats.rx.syncp); + ++self->stats.rx.errors; + u64_stats_update_end(&self->stats.rx.syncp); + dev_kfree_skb_any(skb); + continue; + } + memcpy(__skb_put(skb, hdr_len), aq_buf_vaddr(&buff->rxdata), ALIGN(hdr_len, sizeof(long))); =20 --=20 2.39.5