From: Jiawen Wu jiawenwu@trustnetic.com
[ Upstream commit fd4aa243f154a80bbeb3dd311d2114eeb538f479 ]
Add limitation on tx_max_coalesced_frames_irq as 0 ~ 65535, because 'wx->tx_work_limit' is declared as a member of type u16.
Signed-off-by: Jiawen Wu jiawenwu@trustnetic.com Reviewed-by: Jacob Keller jacob.e.keller@intel.com Link: https://patch.msgid.link/20250821023408.53472-3-jiawenwu@trustnetic.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
## BACKPORT RECOMMENDATION: YES
## COMPREHENSIVE ANALYSIS
### Executive Summary
This commit **SHOULD be backported** to stable kernel trees. It fixes a real input validation bug in the wangxun ethernet driver that could cause unexpected behavior when users configure network coalescing parameters via ethtool. The fix is small, contained, low-risk, and has been in mainline since August 2025.
---
### Detailed Technical Analysis
#### 1. What the Commit Does
The commit adds proper bounds checking for the `tx_max_coalesced_frames_irq` ethtool parameter in the wangxun driver's `wx_set_coalesce()` function at `drivers/net/ethernet/wangxun/libwx/wx_ethtool.c:337-338`.
**Before the fix:** ```c if (ec->tx_max_coalesced_frames_irq) wx->tx_work_limit = ec->tx_max_coalesced_frames_irq; ```
**After the fix:** ```c if (ec->tx_max_coalesced_frames_irq > U16_MAX || !ec->tx_max_coalesced_frames_irq) return -EINVAL;
wx->tx_work_limit = ec->tx_max_coalesced_frames_irq; ```
#### 2. Root Cause Analysis
The bug stems from a **type mismatch**:
- **Source type**: `ec->tx_max_coalesced_frames_irq` is `__u32` (32-bit unsigned, range: 0 to 4,294,967,295) - Defined in `include/uapi/linux/ethtool.h` as part of `struct ethtool_coalesce`
- **Destination type**: `wx->tx_work_limit` is `u16` (16-bit unsigned, range: 0 to 65,535) - Defined in `drivers/net/ethernet/wangxun/libwx/wx_type.h:1265` as part of `struct wx`
Without validation, assigning a u32 value to a u16 field causes **silent truncation** of the upper 16 bits.
#### 3. Impact Analysis
**How tx_work_limit is Used:**
The `tx_work_limit` field controls the NAPI poll budget for TX descriptor cleanup in `wx_clean_tx_irq()` at `drivers/net/ethernet/wangxun/libwx/wx_lib.c:713`:
```c unsigned int budget = q_vector->wx->tx_work_limit; ... do { // Clean TX descriptors ... budget--; } while (likely(budget)); ```
**Consequences of the Bug:**
1. **Value = 0**: If a user sets `tx_max_coalesced_frames_irq` to 0, the loop would execute once and then `budget--` would underflow to UINT_MAX, causing excessive processing.
2. **Value = 65536**: Would be truncated to 0, same issue as above.
3. **Value = 65537**: Would be truncated to 1, severely limiting TX cleanup to only 1 descriptor per poll, causing **severe performance degradation**.
4. **Value > 65535**: All values would be truncated to `(value & 0xFFFF)`, causing **unpredictable and unintended behavior**.
**User Impact:** - Users attempting to tune network performance via `ethtool -C` would experience: - Unexpected performance degradation - Silent parameter truncation (no error message) - Incorrect system behavior without explanation - Difficult-to-diagnose network issues
#### 4. Historical Context
- **Vulnerable code introduced**: Commit `4ac2d9dff4b01` on **January 4, 2024** (v6.8-rc1) - **Fix committed**: Commit `fd4aa243f154a` on **August 21, 2025** - **Bug lifetime**: Approximately **19-20 months** - **Affected kernel versions**: 6.8, 6.9, 6.10, 6.11, 6.12, 6.13, 6.14, 6.15, 6.16, 6.17
The wangxun driver itself was introduced in February 2023 (commit `1b8d1c5088efa`), but the vulnerable `wx_set_coalesce()` function was added later in January 2024.
#### 5. Security Assessment
**Not a critical security vulnerability**, but it is a **correctness and robustness issue**:
- No CVEs were found associated with this bug - No public exploit reports or bug reports found - Requires privileged access (CAP_NET_ADMIN) to modify ethtool parameters - Impact is limited to performance degradation and unexpected behavior - Does not allow privilege escalation or memory corruption - Does not expose kernel memory
However, it does violate the **principle of least surprise** and proper **input validation**, which are important for system reliability.
#### 6. Code Review Quality
The fix demonstrates good code quality:
- **Reviewed-by**: Jacob Keller (Intel kernel developer) - **Clear commit message**: Explains the rationale - **Simple and focused**: Only changes what's necessary - **Proper error handling**: Returns -EINVAL for invalid input - **No side effects**: Pure input validation
#### 7. Backport Suitability Assessment
| Criterion | Assessment | Details | |-----------|------------|---------| | **Fixes user-affecting bug?** | ✅ YES | Users configuring ethtool coalescing will hit this | | **Small and contained?** | ✅ YES | 7 lines changed in 1 file | | **Low regression risk?** | ✅ YES | Only adds validation, no logic changes | | **Architectural changes?** | ✅ NO | Simple validation addition | | **Critical subsystem?** | ✅ NO | Limited to wangxun driver | | **Stable tree mention?** | ⚠️ NO | No Cc: stable tag, but should still backport | | **Follows stable rules?** | ✅ YES | Important bugfix, minimal risk | | **Dependencies?** | ✅ NO | Standalone fix, no dependencies |
#### 8. Testing Considerations
The fix is **easily testable** using ethtool:
```bash # Before fix: Values > 65535 would be silently truncated ethtool -C eth0 tx-max-coalesced-frames-irq 100000 # After fix: Returns error: "Invalid argument"
# Before fix: Value of 0 would be accepted (breaking the loop) ethtool -C eth0 tx-max-coalesced-frames-irq 0 # After fix: Returns error: "Invalid argument"
# Valid values should still work ethtool -C eth0 tx-max-coalesced-frames-irq 256 # ✓ Should work ```
#### 9. Related Commits in the Series
This was **patch 3 of 5** in a series (msgid: 20250821023408.53472): 1. Patch 1: `6d3f753c9ce16` - "net: ngbe: change the default ITR setting" 2. Patch 2: Unknown 3. **Patch 3**: `fd4aa243f154a` - "net: wangxun: limit tx_max_coalesced_frames_irq" ← **THIS COMMIT** 4. Patch 4: `5f43f2171abb4` - "net: wangxun: cleanup the code in wx_set_coalesce()" 5. Patch 5: `40477b8bb0487` - "net: wangxun: support to use adaptive RX/TX coalescing"
**This commit can be backported independently** - it does not depend on patches 4 and 5, which are enhancements rather than fixes.
---
### Recommendation
**BACKPORT TO STABLE TREES: YES**
**Target stable kernel versions:** - 6.8.x (where the bug was introduced) - 6.9.x - 6.10.x - 6.11.x - 6.12.x - 6.13.x - 6.14.x - 6.15.x - 6.16.x - All future LTS kernels that include the wangxun driver
**Justification:** 1. Fixes a real bug affecting users who tune network parameters 2. Prevents silent data corruption (truncation) 3. Small, clean, well-reviewed fix 4. No risk of regression 5. Improves kernel robustness and follows best practices 6. Bug has existed for 19+ months across many stable releases 7. Proper error reporting improves user experience
**Priority:** Medium (not critical, but important for correctness)
drivers/net/ethernet/wangxun/libwx/wx_ethtool.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/wangxun/libwx/wx_ethtool.c b/drivers/net/ethernet/wangxun/libwx/wx_ethtool.c index c12a4cb951f68..254a48ede2660 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_ethtool.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_ethtool.c @@ -334,8 +334,11 @@ int wx_set_coalesce(struct net_device *netdev, return -EOPNOTSUPP; }
- if (ec->tx_max_coalesced_frames_irq) - wx->tx_work_limit = ec->tx_max_coalesced_frames_irq; + if (ec->tx_max_coalesced_frames_irq > U16_MAX || + !ec->tx_max_coalesced_frames_irq) + return -EINVAL; + + wx->tx_work_limit = ec->tx_max_coalesced_frames_irq;
switch (wx->mac.type) { case wx_mac_sp: