mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-03 01:36:44 +07:00
c5060cec6b
There is bug in the receive path of the asix driver at the time a packet is received larger than MTU size and DF bit set: BUG: unable to handle kernel paging request at 0000004000000001 IP: [<ffffffff8126f65b>] skb_release_head_state+0x2d/0xd2 ... Call Trace: <IRQ> [<ffffffff8126f86d>] ? skb_release_all+0x9/0x1e [<ffffffff8126f8ad>] ? __kfree_skb+0x9/0x6f [<ffffffffa00b4200>] ? asix_rx_fixup_internal+0xff/0x1ae [asix] [<ffffffffa00fb3dc>] ? usbnet_bh+0x4f/0x226 [usbnet] ... It is easily reproducable by setting an MTU of 512 e. g. and sending something like ping -s 1472 -c 1 -M do $SELF from another box. And this is because the rx->ax_skb is freed on error, but rx->ax_skb is not reset, and the size is not reset to zero in this case. And since the skb is added again to the usbnet->done skb queue it is accessing already freed memory, resulting in the BUG when freeing a 2nd time. I therefore think the value 0x0000004000000001 show in the trace is more or less random data. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| asix_common.c | ||
| asix_devices.c | ||
| asix.h | ||
| ax88172a.c | ||
| ax88179_178a.c | ||
| catc.c | ||
| cdc_eem.c | ||
| cdc_ether.c | ||
| cdc_mbim.c | ||
| cdc_ncm.c | ||
| cdc_subset.c | ||
| cdc-phonet.c | ||
| cx82310_eth.c | ||
| dm9601.c | ||
| gl620a.c | ||
| hso.c | ||
| int51x1.c | ||
| ipheth.c | ||
| kalmia.c | ||
| kaweth.c | ||
| Kconfig | ||
| lg-vl600.c | ||
| Makefile | ||
| mcs7830.c | ||
| net1080.c | ||
| pegasus.c | ||
| pegasus.h | ||
| plusb.c | ||
| qmi_wwan.c | ||
| rndis_host.c | ||
| rtl8150.c | ||
| sierra_net.c | ||
| smsc75xx.c | ||
| smsc75xx.h | ||
| smsc95xx.c | ||
| smsc95xx.h | ||
| usbnet.c | ||
| zaurus.c | ||