From: Bjørn Mork <bjorn@xxxxxxx>
Date: Fri, 8 Jun 2018 09:15:24 +0200

> Commit 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end
> of NCM frame") added logic to reserve space for the NDP at the
> end of the NTB/skb. This reservation did not take the final
> alignment of the NDP into account, causing us to reserve too
> little space. Additionally the padding prior to NDP addition did
> not ensure there was enough space for the NDP.
>
> The NTB/skb with the NDP appended would then exceed the configured
> max size. This caused the final padding of the NTB to use a
> negative count, padding to almost INT_MAX, and resulting in:
 ...
> Commit e1069bbfcf3b ("net: cdc_ncm: Reduce memory use when kernel
> memory low") made this bug much more likely to trigger by reducing
> the NTB size under memory pressure.
>
> Link: https://bugs.debian.org/893393
> Reported-by: Горбешко Богдан <bodqhrohro@xxxxxxxxx>
> Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@xxxxxxxxxxx>
> Cc: Enrico Mioso <mrkiko.rs@xxxxxxxxx>
> Fixes: 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
> Signed-off-by: Bjørn Mork <bjorn@xxxxxxx>
> ---
> Big thanks to Dennis for the observation that this crash depended on
> FLAG_SEND_ZLP not being set. This made it possible to pinpoint where
> the problem was.

Applied and queued up for -stable.
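
A simplified model of the reservation problem described in the quoted commit message, added here as an illustration; it is not the cdc_ncm driver code and not the patch under discussion. The function names and all sizes are constructed, and the model covers only the end-of-frame reservation, not the padding check before the NDP is added.

```c
#include <stddef.h>
#include <stdio.h>

/* Round x up to a multiple of a (a must be a power of two). */
static size_t align_up(size_t x, size_t a)
{
    return (x + a - 1) & ~(a - 1);
}

/* Space kept free at the end of the frame for the trailing NDP. */
static size_t ndp_reserve(size_t ndp_size, size_t ndp_align, int count_alignment)
{
    /* Aligning the NDP start can cost up to ndp_align - 1 extra bytes. */
    return count_alignment ? ndp_size + ndp_align - 1 : ndp_size;
}

/*
 * Fill a frame of at most `max` bytes with `dgram_len`-byte payloads while
 * they fit in front of the reservation, then append the aligned NDP.
 * Returns the byte count left for final padding; a negative value means
 * the frame already exceeds max.
 */
static long final_pad_count(size_t max, size_t ndp_size, size_t ndp_align,
                            size_t dgram_len, int count_alignment)
{
    size_t reserve = ndp_reserve(ndp_size, ndp_align, count_alignment);
    size_t len = 0;

    while (len + dgram_len + reserve <= max)
        len += dgram_len;

    len = align_up(len, ndp_align) + ndp_size;
    return (long)max - (long)len;
}

int main(void)
{
    /* Constructed sizes, not taken from any real device. */
    const size_t max = 2048, ndp_size = 44, ndp_align = 16, dgram = 501;

    printf("reserve ignores alignment: pad = %ld\n",
           final_pad_count(max, ndp_size, ndp_align, dgram, 0));
    printf("reserve covers alignment:  pad = %ld\n",
           final_pad_count(max, ndp_size, ndp_align, dgram, 1));
    return 0;
}
```

A negative pad count handed to a routine that takes an unsigned length becomes a very large value, which is why a padding step should check that the frame length does not exceed the maximum before computing the count.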