| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <E1vdDiF-00000002E1d-30rR@rmk-PC.armlinux.org.uk>
Date: Tue, 06 Jan 2026 20:31:31 +0000
From: "Russell King (Oracle)" <rmk+kernel@...linux.org.uk>
To: Andrew Lunn <andrew@...n.ch>,
Heiner Kallweit <hkallweit1@...il.com>
Cc: Alexandre Torgue <alexandre.torgue@...s.st.com>,
Andrew Lunn <andrew+netdev@...n.ch>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
linux-arm-kernel@...ts.infradead.org,
linux-stm32@...md-mailman.stormreply.com,
Maxime Chevallier <maxime.chevallier@...tlin.com>,
Maxime Coquelin <mcoquelin.stm32@...il.com>,
netdev@...r.kernel.org,
Paolo Abeni <pabeni@...hat.com>
Subject: [PATCH net-next 4/9] net: stmmac: descs: fix buffer 1 off-by-one
error
norm_set_tx_desc_len_on_ring() incorrectly tests the buffer length,
leading to a length of 2048 being squeezed into a bitfield covering
bits 10:0 - which results in the buffer 1 size being zero.
If this field is zero, buffer 1 is ignored, and thus is equivalent
to transmitting a zero length buffer.
Signed-off-by: Russell King (Oracle) <rmk+kernel@...linux.org.uk>
---
.../net/ethernet/stmicro/stmmac/descs_com.h | 26 ++++++++++++-------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/descs_com.h b/drivers/net/ethernet/stmicro/stmmac/descs_com.h
index 40f7f2da9c5e..cb3bfc1571f9 100644
--- a/drivers/net/ethernet/stmicro/stmmac/descs_com.h
+++ b/drivers/net/ethernet/stmicro/stmmac/descs_com.h
@@ -39,15 +39,19 @@ static inline void enh_desc_end_tx_desc_on_ring(struct dma_desc *p, int end)
p->des0 &= cpu_to_le32(~ETDES0_END_RING);
}
+/* The maximum buffer 1 size is 8KiB - 1. However, we limit to 4KiB. */
static inline void enh_set_tx_desc_len_on_ring(struct dma_desc *p, int len)
{
- if (unlikely(len > BUF_SIZE_4KiB)) {
- p->des1 |= cpu_to_le32((((len - BUF_SIZE_4KiB)
+ unsigned int buffer1_max_length = BUF_SIZE_4KiB;
+
+ if (unlikely(len > buffer1_max_length)) {
+ p->des1 |= cpu_to_le32((((len - buffer1_max_length)
<< ETDES1_BUFFER2_SIZE_SHIFT)
- & ETDES1_BUFFER2_SIZE_MASK) | (BUF_SIZE_4KiB
+ & ETDES1_BUFFER2_SIZE_MASK) | (buffer1_max_length
& ETDES1_BUFFER1_SIZE_MASK));
- } else
+ } else {
p->des1 |= cpu_to_le32((len & ETDES1_BUFFER1_SIZE_MASK));
+ }
}
/* Normal descriptors */
@@ -73,16 +77,20 @@ static inline void ndesc_end_tx_desc_on_ring(struct dma_desc *p, int end)
p->des1 &= cpu_to_le32(~TDES1_END_RING);
}
+/* The maximum buffer 1 size is 2KiB - 1, limited by the mask width */
static inline void norm_set_tx_desc_len_on_ring(struct dma_desc *p, int len)
{
- if (unlikely(len > BUF_SIZE_2KiB)) {
- unsigned int buffer1 = (BUF_SIZE_2KiB - 1)
- & TDES1_BUFFER1_SIZE_MASK;
- p->des1 |= cpu_to_le32((((len - buffer1)
+ unsigned int buffer1_max_length = BUF_SIZE_2KiB - 1;
+
+ if (unlikely(len > buffer1_max_length)) {
+ unsigned int buffer1 = buffer1_max_length &
+ TDES1_BUFFER1_SIZE_MASK;
+ p->des1 |= cpu_to_le32((((len - buffer1_max_length)
<< TDES1_BUFFER2_SIZE_SHIFT)
& TDES1_BUFFER2_SIZE_MASK) | buffer1);
- } else
+ } else {
p->des1 |= cpu_to_le32((len & TDES1_BUFFER1_SIZE_MASK));
+ }
}
/* Specific functions used for Chain mode */
--
2.47.3
Powered by blists - more mailing lists