diff options
author | Grant Grundler <grundler@chromium.org> | 2022-05-10 05:28:25 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2022-05-11 14:25:07 +0300 |
commit | 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f (patch) | |
tree | 141469645eb863fb6d534d7a60ed5e8274cb73ef /drivers | |
parent | 79784d77ebbd3ec516b7a5ce555d979fb7946202 (diff) | |
download | linux-6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f.tar.xz |
net: atlantic: add check for MAX_SKB_FRAGS
Enforce that the CPU can not get stuck in an infinite loop.
Reported-by: Aashay Shringarpure <aashay@google.com>
Reported-by: Yi Chou <yich@google.com>
Reported-by: Shervin Oloumi <enlightened@google.com>
Signed-off-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c index bc1952131799..8201ce7adb77 100644 --- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c @@ -363,6 +363,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self, continue; if (!buff->is_eop) { + unsigned int frag_cnt = 0U; buff_ = buff; do { bool is_rsc_completed = true; @@ -371,6 +372,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, err = -EIO; goto err_exit; } + + frag_cnt++; next_ = buff_->next, buff_ = &self->buff_ring[next_]; is_rsc_completed = @@ -378,7 +381,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, next_, self->hw_head); - if (unlikely(!is_rsc_completed)) { + if (unlikely(!is_rsc_completed) || + frag_cnt > MAX_SKB_FRAGS) { err = 0; goto err_exit; } |