From: Igor Russkikh <igor.russk...@aquantia.com>
Date: Sat, 15 Sep 2018 18:03:39 +0300

> From: Friedemann Gerold <f.ger...@b-c-s.de>
>
> This patch fixes the skb_shared area, which will be corrupted
> upon reception of 4K jumbo packets.
>
> Originally build_skb usage purpose was to reuse page for skb to eliminate
> needs of extra fragments. But that logic does not take into account that
> skb_shared_info should be reserved at the end of skb data area.
>
> In case packet data consumes all the page (4K), skb_shinfo location
> overflows the page. As a consequence, __build_skb zeroed shinfo data above
> the allocated page, corrupting next page.
>
> The issue is rarely seen in real life because jumbos are normally larger
> than 4K and that causes another code path to trigger.
> But it is 100% reproducible with a simple scapy packet, like:
>
> sendp(IP(dst="192.168.100.3") / TCP(dport=443) \
>       / Raw(RandString(size=(4096-40))), iface="enp1s0")
>
> Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
>
> Reported-by: Friedemann Gerold <f.ger...@b-c-s.de>
> Reported-by: Michael Rauch <mich...@rauch.be>
> Signed-off-by: Friedemann Gerold <f.ger...@b-c-s.de>
> Tested-by: Nikita Danilov <nikita.dani...@aquantia.com>
> Signed-off-by: Igor Russkikh <igor.russk...@aquantia.com>

Applied and queued up for -stable.
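The layout rule the commit message relies on, as a user-space model added here for illustration (this is not the aquantia driver's code nor the kernel's): __build_skb() places skb_shared_info at data + frag_size - SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) and zeroes it, so a receive path that reuses a page for the skb must reserve that space after the frame, or refuse to reuse the page. The page size, cache-line alignment and 320-byte shinfo size below are assumed constants, and the canary-filled neighbour page stands in for the "next page" the commit message says was corrupted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model; these sizes are assumptions for illustration only. */
#define MODEL_PAGE_SIZE   4096u
#define MODEL_CACHE_BYTES 64u
#define MODEL_ALIGN(x)    (((x) + MODEL_CACHE_BYTES - 1) & ~(MODEL_CACHE_BYTES - 1))

/* Stand-in for sizeof(struct skb_shared_info); the real size differs by kernel. */
#define MODEL_SHINFO_SIZE 320u
#define MODEL_CANARY      0xA5

/* Two adjacent "pages": the receive buffer and the page right after it. */
static uint8_t model_pages[2 * MODEL_PAGE_SIZE];

/* Largest frame that can share one page with its skb_shared_info. */
static unsigned model_max_frame_len(void)
{
    return MODEL_PAGE_SIZE - MODEL_ALIGN(MODEL_SHINFO_SIZE);
}

/*
 * Model of the vulnerable path: the page is handed to build_skb() with the
 * shinfo reserved directly after the received frame, as the commit message
 * describes, so frag_size = frame_len + SKB_DATA_ALIGN(sizeof shinfo).
 * Returns 1 if zeroing the shinfo touched the neighbouring page.
 */
static int model_build_skb(unsigned frame_len)
{
    unsigned frag_size = frame_len + MODEL_ALIGN(MODEL_SHINFO_SIZE);
    uint8_t *shinfo;

    memset(model_pages, MODEL_CANARY, sizeof model_pages);

    /* Same arithmetic __build_skb() uses to locate the shared info. */
    shinfo = model_pages + frag_size - MODEL_ALIGN(MODEL_SHINFO_SIZE);
    memset(shinfo, 0, MODEL_SHINFO_SIZE);        /* __build_skb zeroes shinfo */

    for (unsigned i = MODEL_PAGE_SIZE; i < sizeof model_pages; i++)
        if (model_pages[i] != MODEL_CANARY)
            return 1;                            /* next page was overwritten */
    return 0;
}

/*
 * Hardened decision: reuse the page via build_skb() only when the frame plus
 * the aligned shinfo fit in it; otherwise take the non-build_skb path.
 */
static int model_rx_can_reuse_page(unsigned frame_len)
{
    return frame_len <= model_max_frame_len();
}
```

With the assumed sizes a 4096-byte frame makes model_build_skb() report corruption of the neighbouring page, while any frame the hardened check accepts keeps the zeroing inside the first page; the check is the invariant a reviewer would look for wherever a driver feeds page-backed buffers to build_skb().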