From: Dean Jenkins <Dean_Jenkins@mentor.com>
To: "David B. Robins" <linux@davidrobins.net>, <netdev@vger.kernel.org>
Cc: "Craske, Mark" <Mark_Craske@mentor.com>
Subject: Re: [PATCH] net: usb: asix: Fix crash on skb alloc failure
Date: Thu, 1 Oct 2015 11:51:31 +0100 [thread overview]
Message-ID: <560D1033.6020301@mentor.com> (raw)
> If asix_rx_fixup_internal() fails to allocate rx->ax_skb, it will return
> but not clear rx->size. rx points to driver private data. A later call
> assumes that nonzero size means ax_skb was allocated and passes a null
> ax_skb to skb_put. Changed allocation failure return to clear size first.
>
> Found testing board with AX88772B devices.
>
> Signed-off-by: David B. Robins <linux@xxxxxxxxxxxxxxx>
> ---
> drivers/net/usb/asix_common.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
> index 75d6f26..079069a 100644
> --- a/drivers/net/usb/asix_common.c
> +++ b/drivers/net/usb/asix_common.c
> @@ -91,8 +91,10 @@ int asix_rx_fixup_internal(struct usbnet *dev, struct sk_buff *skb,
> }
> rx->ax_skb = netdev_alloc_skb_ip_align(dev->net,
> rx->size);
> - if (!rx->ax_skb)
> + if (!rx->ax_skb) {
> + rx->size = 0;
> return 0;
> + }
> }
>
> if (rx->size > dev->net->mtu + ETH_HLEN + VLAN_HLEN) {
> --
> 1.9.1
Hi David,
I copied your patch from
http://www.spinics.net/lists/netdev/msg345724.html and resubscribed to
netdev@vger.kernel.org so I am unable to directly reply to your original
post. But I should now see any subsequent reply on the mailing list.
We are preparing to release some fixes in this area of the asix driver
which fixes your observation. Unfortunately, your simple proposal has a
flaw because state variables exist outside of the scope of
asix_rx_fixup_internal() which handles Ethernet frames spanning multiple
URBs (depends on the variant of the USB ASIX chipset). Therefore,
subsequent URBs with the remainder of the Ethernet frame need to be
handled when no netdev socket buffer exists.
We intend to release the patches within the next few days so please
watch out for them.
Regards,
Dean
--
Dean Jenkins
Embedded Software Engineer
Linux Transportation Solutions
Mentor Embedded Software Division
Mentor Graphics (UK) Ltd.
next reply other threads:[~2015-10-01 10:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-01 10:51 Dean Jenkins [this message]
-- strict thread matches above, loose matches on Subject: below --
2015-09-30 20:20 [PATCH] net: usb: asix: Fix crash on skb alloc failure David B. Robins
2015-10-05 10:31 ` David Miller
2015-10-05 13:40 ` David B. Robins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=560D1033.6020301@mentor.com \
--to=dean_jenkins@mentor.com \
--cc=Mark_Craske@mentor.com \
--cc=linux@davidrobins.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.