authorEric Dumazet <eric.dumazet@gmail.com>2009-06-09 07:01:02 -0400
committerDavid S. Miller <davem@davemloft.net>2009-06-09 07:01:02 -0400
commitfdd7b4c3302c93f6833e338903ea77245eb510b4 (patch)
treef09d48d0fbdde7c643b81fad64c402d7fe93b3d0
parent12186be7d2e1106cede1cc728526e3d7998cbe94 (diff)
r8169: fix crash when large packets are received
Michael Tokarev reported that receiving a large packet could crash a machine with an RTL8169 NIC. ( original thread at http://lkml.org/lkml/2009/6/8/192 ) The problem is that this driver tells the NIC that frames up to 16383 bytes can be received, but provides skbs to the rx ring allocated with smaller sizes (1536 bytes in case the standard 1500 bytes MTU is used). When a frame larger than what was allocated by the driver is received, the DMA transfer can occur past the end of the buffer and corrupt kernel memory. The fix is to tell the NIC what the maximum size of a frame can be. This bug is very old (before git introduction, linux-2.6.10), and should be backported to stable versions. Reported-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Tested-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/r8169.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index 8247a945a1d9..3b19e0ce290f 100644
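--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -66,7 +66,6 @@ static const int multicast_filter_limit = 32;
 #define RX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
 #define TX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
 #define EarlyTxThld 0x3F /* 0x3F means NO early transmit */
-#define RxPacketMaxSize 0x3FE8 /* 16K - 1 - ETH_HLEN - VLAN - CRC... */
 #define SafeMtu 0x1c20 /* ... actually life sucks beyond ~7k */
 #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */
 
@@ -2357,10 +2356,10 @@ static u16 rtl_rw_cpluscmd(void __iomem *ioaddr)
  return cmd;
 }
 
-static void rtl_set_rx_max_size(void __iomem *ioaddr)
+static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
 {
  /* Low hurts. Let's disable the filtering. */
- RTL_W16(RxMaxSize, 16383);
+ RTL_W16(RxMaxSize, rx_buf_sz);
 }
 
 static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
@@ -2407,7 +2406,7 @@ static void rtl_hw_start_8169(struct net_device *dev)
 
  RTL_W8(EarlyTxThres, EarlyTxThld);
 
- rtl_set_rx_max_size(ioaddr);
+ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
 
  if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
  (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
@@ -2668,7 +2667,7 @@ static void rtl_hw_start_8168(struct net_device *dev)
 
  RTL_W8(EarlyTxThres, EarlyTxThld);
 
- rtl_set_rx_max_size(ioaddr);
+ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
 
  tp->cp_cmd |= RTL_R16(CPlusCmd) | PktCntrDisable | INTT_1;
 
@@ -2846,7 +2845,7 @@ static void rtl_hw_start_8101(struct net_device *dev)
 
  RTL_W8(EarlyTxThres, EarlyTxThld);
 
- rtl_set_rx_max_size(ioaddr);
+ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
 
  tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
 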
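Review bot: In `rtl_set_rx_max_size` the retained comment `/* Low hurts. Let's disable the filtering. */` now says the opposite of what the code does, because the `RxMaxSize` write is the bound that keeps receive DMA inside the allocated buffer; I would replace it with `/* Cap accepted frame size at the rx buffer size so DMA cannot run past the skb. */`. The new `unsigned int rx_buf_sz` parameter is handed straight to the 16-bit `RTL_W16`, so a value above 0xFFFF would be narrowed silently and the hardware limit would stop matching the allocation. How `tp->rx_buf_sz` is bounded is not visible in these hunks, so either declare the parameter `u16` or state the invariant in the comment. The three `rtl_hw_start_*` bodies continue outside their hunks; presumably they run again after an MTU change so the register follows a new `rx_buf_sz`, which is worth confirming since a stale larger limit would reopen the overrun.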