If the hardware receives an oversized packet with too many rx fragments, skb_shinfo(skb)->frags can overflow and corrupt memory of adjacent pages. This becomes especially visible if it corrupts the freelist pointer of a slab page.
Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau nbd@nbd.name --- drivers/net/wireless/mediatek/mt76/dma.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c index 6173c80189ba..1847f55e199b 100644 --- a/drivers/net/wireless/mediatek/mt76/dma.c +++ b/drivers/net/wireless/mediatek/mt76/dma.c @@ -447,10 +447,13 @@ mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data, struct page *page = virt_to_head_page(data); int offset = data - page_address(page); struct sk_buff *skb = q->rx_head; + struct skb_shared_info *shinfo = skb_shinfo(skb);
- offset += q->buf_offset; - skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page, offset, len, - q->buf_size); + if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) { + offset += q->buf_offset; + skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len, + q->buf_size); + }
if (more) return;
Hi,
[This is an automated email]
This commit has been processed because it contains a -stable tag. The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.5.5, v5.4.21, v4.19.105, v4.14.171, v4.9.214, v4.4.214.
v5.5.5: Build OK! v5.4.21: Build OK! v4.19.105: Build OK! v4.14.171: Failed to apply! Possible dependencies: 17f1de56df05 ("mt76: add common code shared between multiple chipsets")
v4.9.214: Failed to apply! Possible dependencies: 17f1de56df05 ("mt76: add common code shared between multiple chipsets")
v4.4.214: Failed to apply! Possible dependencies: 17f1de56df05 ("mt76: add common code shared between multiple chipsets")
NOTE: The patch will not be queued to stable trees until it is upstream.
How should we proceed with this patch?
Felix Fietkau nbd@nbd.name wrote:
If the hardware receives an oversized packet with too many rx fragments, skb_shinfo(skb)->frags can overflow and corrupt memory of adjacent pages. This becomes especially visible if it corrupts the freelist pointer of a slab page.
Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau nbd@nbd.name
Patch applied to wireless-drivers.git, thanks.
b102f0c522cf mt76: fix array overflow on receiving too many fragments for a packet
linux-stable-mirror@lists.linaro.org
-
Felix Fietkau -
Kalle Valo -
Sasha Levin