From: Bjørn Mork <bjorn@xxxxxxx>
Date: Fri, 8 Jun 2018 09:15:24 +0200
> Commit 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end
> of NCM frame") added logic to reserve space for the NDP at the
> end of the NTB/skb. This reservation did not take the final
> alignment of the NDP into account, causing us to reserve too
> little space. Additionally the padding prior to NDP addition did
> not ensure there was enough space for the NDP.
>
> The NTB/skb with the NDP appended would then exceed the configured
> max size. This caused the final padding of the NTB to use a
> negative count, padding to almost INT_MAX, and resulting in:
...
> Commit e1069bbfcf3b ("net: cdc_ncm: Reduce memory use when kernel
> memory low") made this bug much more likely to trigger by reducing
> the NTB size under memory pressure.
>
> Link: https://bugs.debian.org/893393
> Reported-by: Горбешко Богдан <bodqhrohro@xxxxxxxxx>
> Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@xxxxxxxxxxx>
> Cc: Enrico Mioso <mrkiko.rs@xxxxxxxxx>
> Fixes: 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
> Signed-off-by: Bjørn Mork <bjorn@xxxxxxx>
> ---
> Big thanks to Dennis for the observation that this crash depended on
> FLAG_SEND_ZLP not being set. This made it possible to pinpoint where
> the problem was.
Applied and queued up for -stable.
��.n��������+%�������w��{.n�����{���)���jg���������ݢj�����G��������j:+v���w�m������w�������h�����٥
