On Sat, Jan 11, 2014 at 6:10 AM, Bjørn Mork <bjorn@xxxxxxx> wrote:
> Commit 60e453a940ac ("USBNET: fix handling padding packet")
> added an extra SG entry in case padding is necessary, but
> failed to update the initialisation of the list. This can
> cause list traversal to fall off the end of the list,
> resulting in an oops.
>
> Fixes: 60e453a940ac ("USBNET: fix handling padding packet")
> Reported-by: Thomas Kear <thomas@xxxxxxxxxx>
> Cc: Ming Lei <ming.lei@xxxxxxxxxxxxx>
> Signed-off-by: Bjørn Mork <bjorn@xxxxxxx>
> ---
> I don't have the hardware to verify this fix. It would be good if
> someone could test it before it goes to stable...
>
> But in case this works, it should go into v3.12 stable.
Yes, the problem can only be triggered when the zlp padding
packet is needed, I remember I have a quick approach to
reproduce and test the case, and I will do it when I return
home tonight.
Looks the fix is correct, and sorry for introducing the issue.
>
>
> Bjørn
>
> drivers/net/usb/usbnet.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index 8494bb53ebdc..aba04f561760 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -1245,7 +1245,7 @@ static int build_dma_sg(const struct sk_buff *skb, struct urb *urb)
> return -ENOMEM;
>
> urb->num_sgs = num_sgs;
> - sg_init_table(urb->sg, urb->num_sgs);
> + sg_init_table(urb->sg, urb->num_sgs + 1);
>
> sg_set_buf(&urb->sg[s++], skb->data, skb_headlen(skb));
> total_len += skb_headlen(skb);
Thanks,
--
Ming Lei
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
