--- /dev/null
+From 49c2c3f246e2fc3009039e31a826333dcd0283cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 8 Jun 2018 09:15:24 +0200
+Subject: cdc_ncm: avoid padding beyond end of skb
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit 49c2c3f246e2fc3009039e31a826333dcd0283cd upstream.
+
+Commit 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end
+of NCM frame") added logic to reserve space for the NDP at the
+end of the NTB/skb. This reservation did not take the final
+alignment of the NDP into account, causing us to reserve too
+little space. Additionally the padding prior to NDP addition did
+not ensure there was enough space for the NDP.
+
+The NTB/skb with the NDP appended would then exceed the configured
+max size. This caused the final padding of the NTB to use a
+negative count, padding to almost INT_MAX, and resulting in:
+
+[60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
+[60103.825998] IP: __memset+0x24/0x30
+[60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
+[60103.826013] Oops: 0002 [#1] SMP NOPTI
+[60103.826018] Modules linked in: (removed(
+[60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G O 4.14.0-3-amd64 #1 Debian 4.14.17-1
+[60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
+[60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
+[60103.826171] RIP: 0010:__memset+0x24/0x30
+[60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
+[60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
+[60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
+[60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
+[60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
+[60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
+[60103.826194] FS: 00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
+[60103.826197] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
+[60103.826204] Call Trace:
+[60103.826212] <IRQ>
+[60103.826225] cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
+[60103.826236] cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
+[60103.826246] usbnet_start_xmit+0x5d/0x710 [usbnet]
+[60103.826254] ? netif_skb_features+0x119/0x250
+[60103.826259] dev_hard_start_xmit+0xa1/0x200
+[60103.826267] sch_direct_xmit+0xf2/0x1b0
+[60103.826273] __dev_queue_xmit+0x5e3/0x7c0
+[60103.826280] ? ip_finish_output2+0x263/0x3c0
+[60103.826284] ip_finish_output2+0x263/0x3c0
+[60103.826289] ? ip_output+0x6c/0xe0
+[60103.826293] ip_output+0x6c/0xe0
+[60103.826298] ? ip_forward_options+0x1a0/0x1a0
+[60103.826303] tcp_transmit_skb+0x516/0x9b0
+[60103.826309] tcp_write_xmit+0x1aa/0xee0
+[60103.826313] ? sch_direct_xmit+0x71/0x1b0
+[60103.826318] tcp_tasklet_func+0x177/0x180
+[60103.826325] tasklet_action+0x5f/0x110
+[60103.826332] __do_softirq+0xde/0x2b3
+[60103.826337] irq_exit+0xae/0xb0
+[60103.826342] do_IRQ+0x81/0xd0
+[60103.826347] common_interrupt+0x98/0x98
+[60103.826351] </IRQ>
+[60103.826355] RIP: 0033:0x7f397bdf2282
+[60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
+[60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
+[60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
+[60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
+[60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
+[60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
+[60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83
+e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48
+ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
+[60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
+[60103.826444] CR2: ffff9641f2004000
+
+Commit e1069bbfcf3b ("net: cdc_ncm: Reduce memory use when kernel
+memory low") made this bug much more likely to trigger by reducing
+the NTB size under memory pressure.
+
+Link: https://bugs.debian.org/893393
+Reported-by: Горбешко Богдан <bodqhrohro@gmail.com>
+Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Cc: Enrico Mioso <mrkiko.rs@gmail.com>
+Fixes: 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
+[ bmork: tx_curr_size => tx_max and context fixup for v4.12 and older ]
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/cdc_ncm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1124,7 +1124,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
+ * accordingly. Otherwise, we should check here.
+ */
+ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END)
+- delayed_ndp_size = ctx->max_ndp_size;
++ delayed_ndp_size = ALIGN(ctx->max_ndp_size, ctx->tx_ndp_modulus);
+ else
+ delayed_ndp_size = 0;
+
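Review bot: the `delayed_ndp_size = ALIGN(ctx->max_ndp_size, ctx->tx_ndp_modulus);` line relies on ALIGN(), which only rounds correctly when its second argument is a power of two, and nothing in this hunk shows that ctx->tx_ndp_modulus is validated as one. Please confirm that check exists where the modulus is set. The comment above the branch should also say that the rounded-up reservation covers the alignment padding inserted before the NDP when it is placed at the end of the frame, since that is not obvious from aligning a size rather than an offset.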
+@@ -1257,7 +1257,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
+ /* If requested, put NDP at end of frame. */
+ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) {
+ nth16 = (struct usb_cdc_ncm_nth16 *)skb_out->data;
+- cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_max);
++ cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_max - ctx->max_ndp_size);
+ nth16->wNdpIndex = cpu_to_le16(skb_out->len);
+ memcpy(skb_put(skb_out, ctx->max_ndp_size), ctx->delayed_ndp16, ctx->max_ndp_size);
+
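Review bot: the new limit `ctx->tx_max - ctx->max_ndp_size` passed to cdc_ncm_align_tail() is computed with no check that tx_max is larger than max_ndp_size, and the skb_put(skb_out, ctx->max_ndp_size) that follows is still not guarded against skb_out->len already being past that limit. The commit message describes this class of failure (a negative pad count reaching memset), so consider an explicit check before the memcpy that skb_out->len + ctx->max_ndp_size <= ctx->tx_max, dropping the frame instead of writing when it fails. The changed line also runs well past 80 columns.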
--- /dev/null
+From 9383b33771e566fa547daa2d09c6e0f1aaa298c3 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Thu, 2 Mar 2017 15:26:20 -0800
+Subject: nfp: don't tell FW about the reserved buffer space
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+commit 9383b33771e566fa547daa2d09c6e0f1aaa298c3 upstream.
+
+Since commit c0f031bc8866 ("nfp_net: use alloc_frag() and build_skb()")
+we are allocating buffers which have to hold both the data and skb to
+be created in place by build_skb().
+
+FW should only be told about the buffer space it can DMA to, that
+is without the build_skb() headroom and tailroom. Note: firmware
+applications should validate the buffers against both MTU and
+free list buffer size so oversized packets would not pass through
+the NIC anyway.
+
+Fixes: c0f031bc8866 ("nfp: use alloc_frag() and build_skb()")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
+@@ -2000,7 +2000,8 @@ static int __nfp_net_set_config_and_enab
+ nfp_net_write_mac_addr(nn);
+
+ nn_writel(nn, NFP_NET_CFG_MTU, nn->netdev->mtu);
+- nn_writel(nn, NFP_NET_CFG_FLBUFSZ, nn->fl_bufsz);
++ nn_writel(nn, NFP_NET_CFG_FLBUFSZ,
++ nn->fl_bufsz - NFP_NET_RX_BUF_NON_DATA);
+
+ /* Enable device */
+ new_ctrl |= NFP_NET_CFG_CTRL_ENABLE;
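Review bot: `nn->fl_bufsz - NFP_NET_RX_BUF_NON_DATA` in the nn_writel() call is an unchecked subtraction; if fl_bufsz were ever smaller than the reserved headroom and tailroom, the value written to NFP_NET_CFG_FLBUFSZ would not be a valid size and the firmware would be told it can DMA into more space than the buffer has. Nothing in this hunk shows a lower bound on fl_bufsz, so either assert it here or compute the DMA-able size once in a named helper that enforces the bound, and use that helper wherever this register is written.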