lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Tue, 18 Oct 2022 02:00:48 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Ariel Elior <aelior@...vell.com>
Cc:     Kees Cook <keescook@...omium.org>,
        Manish Chopra <manishc@...vell.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: [PATCH] qed: Track allocation size of qed_ll2_buffer

In preparation for requiring that build_skb() have a non-zero size
argument, track the qed_ll2_buffer data allocation size explicitly
and pass it into build_skb(). To retain the original result of using
the ksize() side-effect on the skb size, explicitly round up the size
during allocation.

Cc: Ariel Elior <aelior@...vell.com>
Cc: Manish Chopra <manishc@...vell.com>
Cc: "David S. Miller" <davem@...emloft.net>
Cc: Eric Dumazet <edumazet@...gle.com>
Cc: Jakub Kicinski <kuba@...nel.org>
Cc: Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org
Signed-off-by: Kees Cook <keescook@...omium.org>
---
 drivers/net/ethernet/qlogic/qed/qed_ll2.c | 37 ++++++++++++-----------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_ll2.c b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
index ed274f033626..750391e4d80a 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
@@ -62,6 +62,7 @@ struct qed_cb_ll2_info {
 struct qed_ll2_buffer {
 	struct list_head list;
 	void *data;
+	u32 len;
 	dma_addr_t phys_addr;
 };
 
@@ -111,20 +112,23 @@ static void qed_ll2b_complete_tx_packet(void *cxt,
 }
 
 static int qed_ll2_alloc_buffer(struct qed_dev *cdev,
-				u8 **data, dma_addr_t *phys_addr)
+				struct qed_ll2_buffer *buffer)
 {
-	*data = kmalloc(cdev->ll2->rx_size, GFP_ATOMIC);
-	if (!(*data)) {
+	buffer->len = kmalloc_size_roundup(cdev->ll2->rx_size);
+	buffer->data = kmalloc(buffer->len, GFP_ATOMIC);
+	if (!buffer->data) {
 		DP_INFO(cdev, "Failed to allocate LL2 buffer data\n");
+		buffer->len = 0;
 		return -ENOMEM;
 	}
 
-	*phys_addr = dma_map_single(&cdev->pdev->dev,
-				    ((*data) + NET_SKB_PAD),
-				    cdev->ll2->rx_size, DMA_FROM_DEVICE);
-	if (dma_mapping_error(&cdev->pdev->dev, *phys_addr)) {
+	buffer->phys_addr = dma_map_single(&cdev->pdev->dev,
+					   buffer->data + NET_SKB_PAD,
+					   buffer->len, DMA_FROM_DEVICE);
+	if (dma_mapping_error(&cdev->pdev->dev, buffer->phys_addr)) {
 		DP_INFO(cdev, "Failed to map LL2 buffer data\n");
-		kfree((*data));
+		kfree(buffer->data);
+		buffer->len = 0;
 		return -ENOMEM;
 	}
 
@@ -139,6 +143,7 @@ static int qed_ll2_dealloc_buffer(struct qed_dev *cdev,
 	dma_unmap_single(&cdev->pdev->dev, buffer->phys_addr,
 			 cdev->ll2->rx_size, DMA_FROM_DEVICE);
 	kfree(buffer->data);
+	buffer->len = 0;
 	list_del(&buffer->list);
 
 	cdev->ll2->rx_cnt--;
@@ -164,11 +169,10 @@ static void qed_ll2b_complete_rx_packet(void *cxt,
 	struct qed_hwfn *p_hwfn = cxt;
 	struct qed_ll2_buffer *buffer = data->cookie;
 	struct qed_dev *cdev = p_hwfn->cdev;
-	dma_addr_t new_phys_addr;
+	struct qed_ll2_buffer new_buffer = { };
 	struct sk_buff *skb;
 	bool reuse = false;
 	int rc = -EINVAL;
-	u8 *new_data;
 
 	DP_VERBOSE(p_hwfn,
 		   (NETIF_MSG_RX_STATUS | QED_MSG_STORAGE | NETIF_MSG_PKTDATA),
@@ -191,8 +195,7 @@ static void qed_ll2b_complete_rx_packet(void *cxt,
 
 	/* Allocate a replacement for buffer; Reuse upon failure */
 	if (!reuse)
-		rc = qed_ll2_alloc_buffer(p_hwfn->cdev, &new_data,
-					  &new_phys_addr);
+		rc = qed_ll2_alloc_buffer(p_hwfn->cdev, &new_buffer);
 
 	/* If need to reuse or there's no replacement buffer, repost this */
 	if (rc)
@@ -200,7 +203,7 @@ static void qed_ll2b_complete_rx_packet(void *cxt,
 	dma_unmap_single(&cdev->pdev->dev, buffer->phys_addr,
 			 cdev->ll2->rx_size, DMA_FROM_DEVICE);
 
-	skb = build_skb(buffer->data, 0);
+	skb = build_skb(buffer->data, buffer->len);
 	if (!skb) {
 		DP_INFO(cdev, "Failed to build SKB\n");
 		kfree(buffer->data);
@@ -235,8 +238,9 @@ static void qed_ll2b_complete_rx_packet(void *cxt,
 
 out_post1:
 	/* Update Buffer information and update FW producer */
-	buffer->data = new_data;
-	buffer->phys_addr = new_phys_addr;
+	buffer->data = new_buffer.data;
+	buffer->len = new_buffer.len;
+	buffer->phys_addr = new_buffer.phys_addr;
 
 out_post:
 	rc = qed_ll2_post_rx_buffer(p_hwfn, cdev->ll2->handle,
@@ -2608,8 +2612,7 @@ static int qed_ll2_start(struct qed_dev *cdev, struct qed_ll2_params *params)
 			goto err0;
 		}
 
-		rc = qed_ll2_alloc_buffer(cdev, (u8 **)&buffer->data,
-					  &buffer->phys_addr);
+		rc = qed_ll2_alloc_buffer(cdev, buffer);
 		if (rc) {
 			kfree(buffer);
 			goto err0;
-- 
2.34.1

Powered by blists - more mailing lists