[PATCH] Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500

From: Rex Chang
Date: Tue Jan 16 2018 - 15:16:34 EST

Next message: Guenter Roeck: "Re: [03/12] watchdog: sp5100_tco: Use request_muxed_region where possible"
Previous message: Luck, Tony: "Re: [PATCH v2] x86/microcode/intel: Extend BDW late-loading with LLC size check"
Next in thread: David Miller: "Re: [PATCH] Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In the receive queue for 4096 bytes fragments, the page address
set in the SW data0 field of the descriptor is not the one we got
when doing the reassembly in receive. The page structure was retrieved
from the wrong descriptor into SW data0 which is then causing a
page fault when UDP checksum is accessing data above 1500.

Signed-off-by: Rex Chang <rchang@xxxxxx>
---
drivers/net/ethernet/ti/netcp_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c
index ed58c74..f5a7eb2 100644
--- a/drivers/net/ethernet/ti/netcp_core.c
+++ b/drivers/net/ethernet/ti/netcp_core.c
@@ -715,7 +715,7 @@ static int netcp_process_one_rx_packet(struct netcp_intf *netcp)
/* warning!!!! We are retrieving the virtual ptr in the sw_data
* field as a 32bit value. Will not work on 64bit machines
*/
- page = (struct page *)GET_SW_DATA0(desc);
+ page = (struct page *)GET_SW_DATA0(ndesc);

if (likely(dma_buff && buf_len && page)) {
dma_unmap_page(netcp->dev, dma_buff, PAGE_SIZE,
--
2.9.3

Next message: Guenter Roeck: "Re: [03/12] watchdog: sp5100_tco: Use request_muxed_region where possible"
Previous message: Luck, Tony: "Re: [PATCH v2] x86/microcode/intel: Extend BDW late-loading with LLC size check"
Next in thread: David Miller: "Re: [PATCH] Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]