aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorNeil Horman <nhorman@redhat.com>2010-03-29 16:16:02 -0400
committerDavid S. Miller <davem@davemloft.net>2010-03-29 16:16:02 -0400
commitc0cd884af045338476b8e69a61fceb3f34ff22f1 (patch)
tree982581a29cbb2028d6ed14c0ed9493695daa4c17 /drivers
parent54c1a859efd9fd6cda05bc700315ba2519c14eba (diff)
r8169: offical fix for CVE-2009-4537 (overlength frame DMAs)
Official patch to fix the r8169 frame length check error. Based on this initial thread: http://marc.info/?l=linux-netdev&m=126202972828626&w=1 This is the official patch to fix the frame length problems in the r8169 driver. As noted in the previous thread, while this patch incurs a performance hit on the driver, its possible to improve performance dynamically by updating the mtu and rx_copybreak values at runtime to return performance to what it was for those NICS which are unaffected by the ideosyncracy (if there are any). Summary: A while back Eric submitted a patch for r8169 in which the proper allocated frame size was written to RXMaxSize to prevent the NIC from dmaing too much data. This was done in commit fdd7b4c3302c93f6833e338903ea77245eb510b4. A long time prior to that however, Francois posted 126fa4b9ca5d9d7cb7d46f779ad3bd3631ca387c, which expiclitly disabled the MaxSize setting due to the fact that the hardware behaved in odd ways when overlong frames were received on NIC's supported by this driver. This was mentioned in a security conference recently: http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html It seems that if we can't enable frame size filtering, then, as Eric correctly noticed, we can find ourselves DMA-ing too much data to a buffer, causing corruption. As a result is seems that we are forced to allocate a frame which is ready to handle a maximally sized receive. This obviously has performance issues with it, so to mitigate that issue, this patch does two things: 1) Raises the copybreak value to the frame allocation size, which should force appropriately sized packets to get allocated on rx, rather than a full new 16k buffer. 2) This patch only disables frame filtering initially (i.e., during the NIC open), changing the MTU results in ring buffer allocation of a size in relation to the new mtu (along with a warning indicating that this is dangerous). Because of item (2), individuals who can't cope with the performance hit (or can otherwise filter frames to prevent the bug), or who have hardware they are sure is unaffected by this issue, can manually lower the copybreak and reset the mtu such that performance is restored easily. Signed-off-by: Neil Horman <nhorman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/r8169.c29
1 files changed, 24 insertions, 5 deletions
diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index 7193afc00e47..96740051cdcc 100644
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -186,7 +186,12 @@ static DEFINE_PCI_DEVICE_TABLE(rtl8169_pci_tbl) = {
186 186
187MODULE_DEVICE_TABLE(pci, rtl8169_pci_tbl); 187MODULE_DEVICE_TABLE(pci, rtl8169_pci_tbl);
188 188
189static int rx_copybreak = 200; 189/*
190 * we set our copybreak very high so that we don't have
191 * to allocate 16k frames all the time (see note in
192 * rtl8169_open()
193 */
194static int rx_copybreak = 16383;
190static int use_dac; 195static int use_dac;
191static struct { 196static struct {
192 u32 msg_enable; 197 u32 msg_enable;
@@ -3217,9 +3222,13 @@ static void __devexit rtl8169_remove_one(struct pci_dev *pdev)
3217} 3222}
3218 3223
3219static void rtl8169_set_rxbufsize(struct rtl8169_private *tp, 3224static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
3220 struct net_device *dev) 3225 unsigned int mtu)
3221{ 3226{
3222 unsigned int max_frame = dev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN; 3227 unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
3228
3229 if (max_frame != 16383)
3230 printk(KERN_WARNING "WARNING! Changing of MTU on this NIC"
3231 "May lead to frame reception errors!\n");
3223 3232
3224 tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE; 3233 tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
3225} 3234}
@@ -3231,7 +3240,17 @@ static int rtl8169_open(struct net_device *dev)
3231 int retval = -ENOMEM; 3240 int retval = -ENOMEM;
3232 3241
3233 3242
3234 rtl8169_set_rxbufsize(tp, dev); 3243 /*
3244 * Note that we use a magic value here, its wierd I know
3245 * its done because, some subset of rtl8169 hardware suffers from
3246 * a problem in which frames received that are longer than
3247 * the size set in RxMaxSize register return garbage sizes
3248 * when received. To avoid this we need to turn off filtering,
3249 * which is done by setting a value of 16383 in the RxMaxSize register
3250 * and allocating 16k frames to handle the largest possible rx value
3251 * thats what the magic math below does.
3252 */
3253 rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN);
3235 3254
3236 /* 3255 /*
3237 * Rx and Tx desscriptors needs 256 bytes alignment. 3256 * Rx and Tx desscriptors needs 256 bytes alignment.
@@ -3884,7 +3903,7 @@ static int rtl8169_change_mtu(struct net_device *dev, int new_mtu)
3884 3903
3885 rtl8169_down(dev); 3904 rtl8169_down(dev);
3886 3905
3887 rtl8169_set_rxbufsize(tp, dev); 3906 rtl8169_set_rxbufsize(tp, dev->mtu);
3888 3907
3889 ret = rtl8169_init_ring(dev); 3908 ret = rtl8169_init_ring(dev);
3890 if (ret < 0) 3909 if (ret < 0)