lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BLAPR16MB392407EDC7DFA3089CC42E3CF0BE2@BLAPR16MB3924.namprd16.prod.outlook.com>
Date: Mon, 5 Aug 2024 11:40:25 +0000
From: "Oleksandr Makarov [GL]" <Oleksandr.Makarov@....com>
To: Alexandre Torgue <alexandre.torgue@...s.st.com>, Jose Abreu
	<joabreu@...opsys.com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet
	<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
	<pabeni@...hat.com>, Maxime Coquelin <mcoquelin.stm32@...il.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"linux-stm32@...md-mailman.stormreply.com"
	<linux-stm32@...md-mailman.stormreply.com>,
	"linux-arm-kernel@...ts.infradead.org"
	<linux-arm-kernel@...ts.infradead.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>
Subject: BUG: UDP Packet Corruption Issue with stmmac Driver on Linux
 5.15.21-rt30

Hello all,

On my MSC SM2S-EL [1] there is an Ethernet device driven by the stmmac driver, running on Linux version 5.15.21-rt30. I've encountered an issue where UDP packets with multiple fragments are being corrupted.

The problem appears to be that the stmmac driver is truncating UDP packets with payloads larger than 1470 bytes down to 256 bytes. UDP payloads of 1470 bytes or less, which do not set the "More fragments" IP field, are transmitted correctly.

This issue can be reproduced by sending large test data over UDP to my Elkhart Lake machine and observing the data corruption. Attached are two packet captures: sender.pcap, showing the result of `nc -u [EHL machine IP] 2323 < pattern.txt` from my workstation, where the outgoing UDP fragments have the correct content, and receiver.pcap, showing packets captured on the EHL machine with corrupted UDP fragments. The contents are trimmed at 256 bytes.

I tracked the issue down to drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:5553, where the data corruption occurs:

```
                if (!skb) {
                        unsigned int pre_len, sync_len;

                        dma_sync_single_for_cpu(priv->device, buf->addr,
                                                buf1_len, dma_dir);

                        xdp_init_buff(&ctx.xdp, buf_sz, &rx_q->xdp_rxq);

```

After the driver finishes synchronizing the DMA-mapped memory for consumption by calling dma_sync_single_for_cpu, the content of buf->page is incomplete. A diagnostic message using print_hex_bytes shows that buf->page contains nothing (or sometimes garbage bytes) past the 0xff mark:

```
[  606.090539] dma: 00000000: 3000 29d6 c48d bf08 30b8 6280 0008 0045  .0.).....0.b..E.
[  606.090545] dma: 00000010: dc05 b373 0020 1140 25af a8c0 6d58 a8c0  ..s. .@.....Xm..
[  606.090547] dma: 00000020: 7a58 13c2 1309 ca05 4e6c 3030 3130 203a  Xz......lN0001:
[  606.090549] dma: 00000030: 6f59 7275 7320 7274 6e69 2067 6568 6572  Your string here
[  606.090551] dma: 00000040: 300a 3030 3a32 5920 756f 2072 7473 6972  .0002: Your stri
[  606.090553] dma: 00000050: 676e 6820 7265 0a65 3030 3330 203a 6f59  ng here.0003: Yo
[  606.090555] dma: 00000060: 7275 7320 7274 6e69 2067 6568 6572 300a  ur string here.0
[  606.090556] dma: 00000070: 3030 3a34 5920 756f 2072 7473 6972 676e  004: Your string
[  606.090558] dma: 00000080: 6820 7265 0a65 3030 3530 203a 6f59 7275   here.0005: Your
[  606.090560] dma: 00000090: 7320 7274 6e69 2067 6568 6572 300a 3030   string here.000
[  606.090562] dma: 000000a0: 3a36 5920 756f 2072 7473 6972 676e 6820  6: Your string h
[  606.090564] dma: 000000b0: 7265 0a65 3030 3730 203a 6f59 7275 7320  ere.0007: Your s
[  606.090566] dma: 000000c0: 7274 6e69 2067 6568 6572 300a 3030 3a38  tring here.0008:
[  606.090567] dma: 000000d0: 5920 756f 2072 7473 6972 676e 6820 7265   Your string her
[  606.090569] dma: 000000e0: 0a65 3030 3930 203a 6f59 7275 7320 7274  e.0009: Your str
[  606.090571] dma: 000000f0: 6e69 2067 6568 6572 300a 3130 3a30 5920  ing here.0010: Y
[  606.090573] dma: 00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[  606.090575] dma: 00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[  606.090577] dma: 00000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[  606.090578] dma: 00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
```

I would appreciate any insights or suggestions on how to resolve this issue.

Best regards,

Aleksandr

1 - https://embedded.avnet.com/product/msc-sm2s-el/

View attachment "pattern.txt" of type "text/plain" (23000 bytes)

Download attachment "sender.pcap" of type "application/vnd.tcpdump.pcap" (23890 bytes)

Download attachment "receiver.pcap" of type "application/vnd.tcpdump.pcap" (23890 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ