* [PATCH net,stable] net: usbnet: fix SG initialisation
@ 2014-01-10 22:10 Bjørn Mork
From: Bjørn Mork @ 2014-01-10 22:10 UTC (permalink / raw)
To: netdev; +Cc: linux-usb, Thomas Kear, Ben Hutchings, Bjørn Mork, Ming Lei
Commit 60e453a940ac ("USBNET: fix handling padding packet")
added an extra SG entry in case padding is necessary, but
failed to update the initialisation of the list. This can
cause list traversal to fall off the end of the list,
resulting in an oops.
Fixes: 60e453a940ac ("USBNET: fix handling padding packet")
Reported-by: Thomas Kear <thomas@kear.co.nz>
Cc: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
---
I don't have the hardware to verify this fix. It would be good if
someone could test it before it goes to stable...
But in case this works, it should go into v3.12 stable.
Bjørn
drivers/net/usb/usbnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 8494bb53ebdc..aba04f561760 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1245,7 +1245,7 @@ static int build_dma_sg(const struct sk_buff *skb, struct urb *urb)
return -ENOMEM;
urb->num_sgs = num_sgs;
- sg_init_table(urb->sg, urb->num_sgs);
+ sg_init_table(urb->sg, urb->num_sgs + 1);
sg_set_buf(&urb->sg[s++], skb->data, skb_headlen(skb));
total_len += skb_headlen(skb);
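Review bot: The `+ 1` on the `sg_init_table()` line is a bare magic number, and the allocation it has to match sits above this hunk (only its `return -ENOMEM` is visible), so the two sizes can drift apart again, which is how the commit message says the original bug arose. Please confirm the table allocated there has room for `num_sgs + 1` entries, and add a short comment on this line saying the extra slot is reserved for the padding entry; using one local value for both the allocation and the init would keep them in step.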
--
1.8.5.2
* Re: [PATCH net,stable] net: usbnet: fix SG initialisation
@ 2014-01-11 9:16 ` Ming Lei
From: Ming Lei @ 2014-01-11 9:16 UTC (permalink / raw)
To: Bjørn Mork
Cc: Network Development, linux-usb, Thomas Kear, Ben Hutchings
On Sat, Jan 11, 2014 at 6:10 AM, Bjørn Mork <bjorn@mork.no> wrote:
> Commit 60e453a940ac ("USBNET: fix handling padding packet")
> added an extra SG entry in case padding is necessary, but
> failed to update the initialisation of the list. This can
> cause list traversal to fall off the end of the list,
> resulting in an oops.
>
> Fixes: 60e453a940ac ("USBNET: fix handling padding packet")
> Reported-by: Thomas Kear <thomas@kear.co.nz>
> Cc: Ming Lei <ming.lei@canonical.com>
> Signed-off-by: Bjørn Mork <bjorn@mork.no>
> ---
> I don't have the hardware to verify this fix. It would be good if
> someone could test it before it goes to stable...
>
> But in case this works, it should go into v3.12 stable.
Yes, the problem can only be triggered when the zlp padding
packet is needed. I remember I have a quick approach to
reproduce and test the case, and I will do it when I return
home tonight.
Looks like the fix is correct, and sorry for introducing the issue.
>
>
> Bjørn
>
> drivers/net/usb/usbnet.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index 8494bb53ebdc..aba04f561760 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -1245,7 +1245,7 @@ static int build_dma_sg(const struct sk_buff *skb, struct urb *urb)
> return -ENOMEM;
>
> urb->num_sgs = num_sgs;
> - sg_init_table(urb->sg, urb->num_sgs);
> + sg_init_table(urb->sg, urb->num_sgs + 1);
>
> sg_set_buf(&urb->sg[s++], skb->data, skb_headlen(skb));
> total_len += skb_headlen(skb);
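Review bot: After this change `urb->num_sgs` stays at `num_sgs` while `sg_init_table()` initialises one more entry, so the end marker it sets now sits on the slot past the count whenever no padding entry is appended. It is worth a comment stating that consumers are expected to walk the list by `urb->num_sgs` and not by the end marker. Since the patch is posted as untested, a Tested-by covering both the padded and unpadded transmit paths should come before the stable backport.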
Thanks,
--
Ming Lei