lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANn89iKV0usnRRcywkDqytOhnJNu8Bfs72D+BCg8+ESn6EA3Qw@mail.gmail.com>
Date: Mon, 19 Aug 2024 18:27:14 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Andrew Lunn <andrew@...n.ch>
Cc: Shane Francis <bigbeeshane@...il.com>, davem@...emloft.net, kuba@...nel.org, 
	pabeni@...hat.com, mcoquelin.stm32@...il.com, 
	linux-arm-kernel@...ts.infradead.org, netdev@...r.kernel.org
Subject: Re: [BUG] net: stmmac: crash within stmmac_rx()

On Mon, Aug 19, 2024 at 6:25 PM Andrew Lunn <andrew@...n.ch> wrote:
>
> On Mon, Aug 19, 2024 at 01:26:37PM +0100, Shane Francis wrote:
> > Summary of the problem:
> > ===================
> > Crash observed within stmmac_rx when under high RX demand
> >
> > Hardware : Rockchip RK3588 platform with an RTL8211F NIC
> >
> > the issue seems identical to the one described here :
> > https://lore.kernel.org/netdev/20210514214927.GC1969@qmqm.qmqm.pl/T/
> >
> > Full description of the problem/report:
> > =============================
> > I have observed that when under high upload scenarios the stmmac
> > driver will crash due to what I think is an overflow error, after some
> > debugging I found that stmmac_rx_buf2_len() is returning an
> > unexpectedly high value and assigning to buf2_len here
> > https://github.com/torvalds/linux/blob/v6.6/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c#L5466
> >
> > an example value set that i have observed to causes the crash :
> >     buf1_len = 0
> >     buf2_len = 4294966330
> >
> > from within the stmmac_rx_buf2_len function
> >     plen = 2106
> >     len = 3072
> >
> > the return value would be plen-len or -966 (4294966330 as a uint32
> > that matches the buf2_len)
> >
> > I am unsure on how to debug this further, would clamping
> > stmmac_rx_buf2_len function to return the dma_buf_sz if the return
> > value would have otherwise exceeded it ?
>
> Clamping will just paper over the problem, not fix it. You need to
> keep debugging to really understand what the issue is.
>
> Clearly len > plen is a problem, so you could add a BUG_ON(len > plen)
> which will give you a stack trace. But i doubt that is very
> interesting. You probably want to get into stmmac_get_rx_frame_len()
> and see how it calculates plan. stmmac obfustication makes it hard to
> say which of:
>
> dwmac4_descs.c: .get_rx_frame_len = dwmac4_wrback_get_rx_frame_len,
> dwxgmac2_descs.c:       .get_rx_frame_len = dwxgmac2_get_rx_frame_len,
> enh_desc.c:     .get_rx_frame_len = enh_desc_get_rx_frame_len,
> norm_desc.c:    .get_rx_frame_len = ndesc_get_rx_frame_len,
>
> is being used. But they all look pretty similar.
>
> What i find interesting is that both are greater than 1512, a typical
> ethernet frame size. Are you using jumbo packets? Is the hardware
> doing some sort of GRO?

Could this be related to IP fragments ?

Header splitting might not work as intended for IP fragments.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ