| From f4bcda8e3a24737b925bba9fafb65622fe40a5aa Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Mon, 9 May 2022 19:28:25 -0700 |
| Subject: net: atlantic: add check for MAX_SKB_FRAGS |
| |
| From: Grant Grundler <grundler@chromium.org> |
| |
| [ Upstream commit 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f ] |
| |
| Enforce that the CPU can not get stuck in an infinite loop. |
| |
| Reported-by: Aashay Shringarpure <aashay@google.com> |
| Reported-by: Yi Chou <yich@google.com> |
| Reported-by: Shervin Oloumi <enlightened@google.com> |
| Signed-off-by: Grant Grundler <grundler@chromium.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 6 +++++- |
| 1 file changed, 5 insertions(+), 1 deletion(-) |
| |
| diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c |
| index 339efdfb1d49..e9c6f1fa0b1a 100644 |
| --- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c |
| +++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c |
| @@ -362,6 +362,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self, |
| continue; |
| |
| if (!buff->is_eop) { |
| + unsigned int frag_cnt = 0U; |
| buff_ = buff; |
| do { |
| bool is_rsc_completed = true; |
| @@ -370,6 +371,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, |
| err = -EIO; |
| goto err_exit; |
| } |
| + |
| + frag_cnt++; |
| next_ = buff_->next, |
| buff_ = &self->buff_ring[next_]; |
| is_rsc_completed = |
| @@ -377,7 +380,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, |
| next_, |
| self->hw_head); |
| |
| - if (unlikely(!is_rsc_completed)) { |
| + if (unlikely(!is_rsc_completed) || |
| + frag_cnt > MAX_SKB_FRAGS) { |
| err = 0; |
| goto err_exit; |
| } |
| -- |
| 2.35.1 |
| |