* [PATCH net] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
@ 2026-04-11 11:01 Greg Kroah-Hartman
2026-04-14 9:47 ` Paolo Abeni
2026-04-14 10:20 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Greg Kroah-Hartman @ 2026-04-11 11:01 UTC (permalink / raw)
To: linux-usb, netdev
Cc: linux-kernel, Greg Kroah-Hartman, Andrew Lunn, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, stable
A malicious USB device claiming to be a CDC Phonet modem can overflow
the skb_shared_info->frags[] array by sending an unbounded sequence of
full-page bulk transfers.
Drop the skb and increment the length error when the frag limit is
reached. This matches the same fix that commit f0813bcd2d9d ("net:
wwan: t7xx: fix potential skb->frags overflow in RX path") did for the
t7xx driver.
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/cdc-phonet.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/cdc-phonet.c b/drivers/net/usb/cdc-phonet.c
index ad5121e9cf5d..165650ecef64 100644
--- a/drivers/net/usb/cdc-phonet.c
+++ b/drivers/net/usb/cdc-phonet.c
@@ -157,11 +157,16 @@ static void rx_complete(struct urb *req)
PAGE_SIZE);
page = NULL;
}
- } else {
+ } else if (skb_shinfo(skb)->nr_frags < MAX_SKB_FRAGS) {
skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
page, 0, req->actual_length,
PAGE_SIZE);
page = NULL;
+ } else {
+ dev_kfree_skb_any(skb);
+ pnd->rx_skb = NULL;
+ skb = NULL;
+ dev->stats.rx_length_errors++;
}
if (req->actual_length < PAGE_SIZE)
pnd->rx_skb = NULL; /* Last fragment */
--
2.53.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
2026-04-11 11:01 [PATCH net] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() Greg Kroah-Hartman
@ 2026-04-14 9:47 ` Paolo Abeni
2026-04-14 10:20 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Paolo Abeni @ 2026-04-14 9:47 UTC (permalink / raw)
To: Greg Kroah-Hartman, linux-usb, netdev
Cc: linux-kernel, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, stable
On 4/11/26 1:01 PM, Greg Kroah-Hartman wrote:
> A malicious USB device claiming to be a CDC Phonet modem can overflow
> the skb_shared_info->frags[] array by sending an unbounded sequence of
> full-page bulk transfers.
>
> Drop the skb and increment the length error when the frag limit is
> reached. This matches the same fix that commit f0813bcd2d9d ("net:
> wwan: t7xx: fix potential skb->frags overflow in RX path") did for the
> t7xx driver.
>
> Cc: Andrew Lunn <andrew+netdev@lunn.ch>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: stable <stable@kernel.org>
> Assisted-by: gregkh_clanker_t1000
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
It looks like the fixes tag should be:
Fixes: 87cf65601e17 ("USB host CDC Phonet network interface driver")
Right?
/P
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
2026-04-11 11:01 [PATCH net] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() Greg Kroah-Hartman
2026-04-14 9:47 ` Paolo Abeni
@ 2026-04-14 10:20 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-04-14 10:20 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-usb, netdev, linux-kernel, andrew+netdev, davem, edumazet,
kuba, pabeni, stable
Hello:
This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:
On Sat, 11 Apr 2026 13:01:35 +0200 you wrote:
> A malicious USB device claiming to be a CDC Phonet modem can overflow
> the skb_shared_info->frags[] array by sending an unbounded sequence of
> full-page bulk transfers.
>
> Drop the skb and increment the length error when the frag limit is
> reached. This matches the same fix that commit f0813bcd2d9d ("net:
> wwan: t7xx: fix potential skb->frags overflow in RX path") did for the
> t7xx driver.
>
> [...]
Here is the summary with links:
- [net] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
https://git.kernel.org/netdev/net/c/600dc40554dc
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-14 10:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-11 11:01 [PATCH net] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() Greg Kroah-Hartman
2026-04-14 9:47 ` Paolo Abeni
2026-04-14 10:20 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox