Netdev List
* [PATCH net,stable] net: usbnet: fix SG initialisation
@ 2014-01-10 22:10 Bjørn Mork
  2014-01-11  9:16 ` Ming Lei
  0 siblings, 1 reply; 3+ messages in thread
From: Bjørn Mork @ 2014-01-10 22:10 UTC
  To: netdev; +Cc: linux-usb, Thomas Kear, Ben Hutchings, Bjørn Mork, Ming Lei

Commit 60e453a940ac ("USBNET: fix handling padding packet")
added an extra SG entry in case padding is necessary, but
failed to update the initialisation of the list. This can
cause list traversal to fall off the end of the list,
resulting in an oops.

Fixes: 60e453a940ac ("USBNET: fix handling padding packet")
Reported-by: Thomas Kear <thomas@kear.co.nz>
Cc: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
---
I don't have the hardware to verify this fix.  It would be good if
someone could test it before it goes to stable...

But in case this works, it should go into v3.12 stable.


Bjørn

 drivers/net/usb/usbnet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 8494bb53ebdc..aba04f561760 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1245,7 +1245,7 @@ static int build_dma_sg(const struct sk_buff *skb, struct urb *urb)
 		return -ENOMEM;
 
 	urb->num_sgs = num_sgs;
-	sg_init_table(urb->sg, urb->num_sgs);
+	sg_init_table(urb->sg, urb->num_sgs + 1);
 
 	sg_set_buf(&urb->sg[s++], skb->data, skb_headlen(skb));
 	total_len += skb_headlen(skb);
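
Review bot: The bare "+ 1" passed to sg_init_table() carries no comment tying it to the extra padding entry the commit message describes, and after this change the table size is still expressed in two separate places: the allocation that precedes the -ENOMEM return, and this call. That split is how the initialisation fell behind the allocation in 60e453a940ac. Suggest either a one-line comment at this call saying the additional entry is the one reserved for the padding packet, or computing the entry count once in a local and passing that same value to both the allocation and sg_init_table() so the two cannot drift apart again. It would also help to say in the changelog that urb->num_sgs intentionally stays at num_sgs while the table is initialised with one entry more, since the two adjacent lines now disagree and a later reader may "fix" one of them. Given the note that the fix has not been run on hardware, a Tested-by from the reporter before it is queued for stable would be good.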
-- 
1.8.5.2
