[PATCH v2] drivers: net: axienet: safely drop oversized RX frames

From: Can Ayberk Demir
Date: Fri May 09 2025 - 02:38:06 EST


From: Can Ayberk DEMIR <ayberkdemir@xxxxxxxxx>

This patch addresses style issues pointed out in v1.

In the AXI Ethernet (axienet) driver, receiving an Ethernet frame larger
than the allocated skb buffer may cause memory corruption or kernel panic,
especially when the interface MTU is small and a jumbo frame is received.

Signed-off-by: Can Ayberk DEMIR <ayberkdemir@xxxxxxxxx>
---
.../net/ethernet/xilinx/xilinx_axienet_main.c | 46 +++++++++++--------
1 file changed, 27 insertions(+), 19 deletions(-)

diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
index 1b7a653c1f4e..2b375dd06def 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
@@ -1223,28 +1223,36 @@ static int axienet_rx_poll(struct napi_struct *napi, int budget)
dma_unmap_single(lp->dev, phys, lp->max_frm_size,
DMA_FROM_DEVICE);

- skb_put(skb, length);
- skb->protocol = eth_type_trans(skb, lp->ndev);
- /*skb_checksum_none_assert(skb);*/
- skb->ip_summed = CHECKSUM_NONE;
-
- /* if we're doing Rx csum offload, set it up */
- if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
- csumstatus = (cur_p->app2 &
- XAE_FULL_CSUM_STATUS_MASK) >> 3;
- if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
- csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
- skb->ip_summed = CHECKSUM_UNNECESSARY;
+ if (unlikely(length > skb_tailroom(skb))) {
+ netdev_warn(ndev,
+ "Dropping oversized RX frame (len=%u, tailroom=%u)\n",
+ length, skb_tailroom(skb));
+ dev_kfree_skb(skb);
+ skb = NULL;
+ } else {
+ skb_put(skb, length);
+ skb->protocol = eth_type_trans(skb, lp->ndev);
+ /*skb_checksum_none_assert(skb);*/
+ skb->ip_summed = CHECKSUM_NONE;
+
+ /* if we're doing Rx csum offload, set it up */
+ if (lp->features & XAE_FEATURE_FULL_RX_CSUM) {
+ csumstatus = (cur_p->app2 &
+ XAE_FULL_CSUM_STATUS_MASK) >> 3;
+ if (csumstatus == XAE_IP_TCP_CSUM_VALIDATED ||
+ csumstatus == XAE_IP_UDP_CSUM_VALIDATED) {
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+ }
+ } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
+ skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
+ skb->ip_summed = CHECKSUM_COMPLETE;
}
- } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
- skb->csum = be32_to_cpu(cur_p->app3 & 0xFFFF);
- skb->ip_summed = CHECKSUM_COMPLETE;
- }

- napi_gro_receive(napi, skb);
+ napi_gro_receive(napi, skb);

- size += length;
- packets++;
+ size += length;
+ packets++;
+ }
}

new_skb = napi_alloc_skb(napi, lp->max_frm_size);
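Review bot: The netdev_warn() in the new oversized-frame branch fires once per dropped frame inside the NAPI poll loop with no rate limit, so a peer that keeps sending jumbo frames to a small-MTU interface can flood the kernel log. Gate the message with net_ratelimit() or print it only once, and account for the drop in the device RX statistics (for example rx_dropped or rx_length_errors) so the condition stays visible from counters rather than from dmesg. The same call passes `ndev`, while every other line in the hunk uses `lp->ndev` and no `ndev` local is visible in this context; confirm it builds or use lp->ndev there as well.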
--
2.39.5 (Apple Git-154)