Message ID | 1389391817-27204-1-git-send-email-bjorn@mork.no |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
On Sat, Jan 11, 2014 at 6:10 AM, Bjørn Mork <bjorn@mork.no> wrote: > Commit 60e453a940ac ("USBNET: fix handling padding packet") > added an extra SG entry in case padding is necessary, but > failed to update the initialisation of the list. This can > cause list traversal to fall off the end of the list, > resulting in an oops. > > Fixes: 60e453a940ac ("USBNET: fix handling padding packet") > Reported-by: Thomas Kear <thomas@kear.co.nz> > Cc: Ming Lei <ming.lei@canonical.com> > Signed-off-by: Bjørn Mork <bjorn@mork.no> > --- > I don't have the hardware to verify this fix. It would be good if > someone could test it before it goes to stable... > > But in case this works, it should go into v3.12 stable. Yes, the problem can only be triggered when the zlp padding packet is needed, I remember I have a quick approach to reproduce and test the case, and I will do it when I return home tonight. Looks the fix is correct, and sorry for introducing the issue. > > > Bjørn > > drivers/net/usb/usbnet.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c > index 8494bb53ebdc..aba04f561760 100644 > --- a/drivers/net/usb/usbnet.c > +++ b/drivers/net/usb/usbnet.c > @@ -1245,7 +1245,7 @@ static int build_dma_sg(const struct sk_buff *skb, struct urb *urb) > return -ENOMEM; > > urb->num_sgs = num_sgs; > - sg_init_table(urb->sg, urb->num_sgs); > + sg_init_table(urb->sg, urb->num_sgs + 1); > > sg_set_buf(&urb->sg[s++], skb->data, skb_headlen(skb)); > total_len += skb_headlen(skb); Thanks, -- Ming Lei -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sat, Jan 11, 2014 at 5:16 PM, Ming Lei <ming.lei@canonical.com> wrote: > On Sat, Jan 11, 2014 at 6:10 AM, Bjørn Mork <bjorn@mork.no> wrote: >> Commit 60e453a940ac ("USBNET: fix handling padding packet") >> added an extra SG entry in case padding is necessary, but >> failed to update the initialisation of the list. This can >> cause list traversal to fall off the end of the list, >> resulting in an oops. >> >> Fixes: 60e453a940ac ("USBNET: fix handling padding packet") >> Reported-by: Thomas Kear <thomas@kear.co.nz> >> Cc: Ming Lei <ming.lei@canonical.com> >> Signed-off-by: Bjørn Mork <bjorn@mork.no> Tested-by: Ming Lei <ming.lei@canonical.com> On one of my arm box, I can reproduce the problem with below command every time: $iperf -c $SRV -l 2398 -n 1 #the 2nd tcp packet length is 1016 and the oops is same with Thomas's. After applying Oliver's patch, I still can see zlp padding packet is appended, but no oops any more. Thanks Oliver for fixing the problem. Thanks, -- Ming Lei -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index 8494bb53ebdc..aba04f561760 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1245,7 +1245,7 @@ static int build_dma_sg(const struct sk_buff *skb, struct urb *urb) return -ENOMEM; urb->num_sgs = num_sgs; - sg_init_table(urb->sg, urb->num_sgs); + sg_init_table(urb->sg, urb->num_sgs + 1); sg_set_buf(&urb->sg[s++], skb->data, skb_headlen(skb)); total_len += skb_headlen(skb);
Commit 60e453a940ac ("USBNET: fix handling padding packet") added an extra SG entry in case padding is necessary, but failed to update the initialisation of the list. This can cause list traversal to fall off the end of the list, resulting in an oops. Fixes: 60e453a940ac ("USBNET: fix handling padding packet") Reported-by: Thomas Kear <thomas@kear.co.nz> Cc: Ming Lei <ming.lei@canonical.com> Signed-off-by: Bjørn Mork <bjorn@mork.no> --- I don't have the hardware to verify this fix. It would be good if someone could test it before it goes to stable... But in case this works, it should go into v3.12 stable. Bjørn drivers/net/usb/usbnet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)