summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorholger@eitzenberger.org <holger@eitzenberger.org>2013-05-03 02:02:20 +0200
committerDavid S. Miller <davem@davemloft.net>2013-05-03 22:10:33 +0200
commitc5060cec6ba27ad3f0e7facfdf05d2f18e3e3010 (patch)
tree9e26cd284b22e5a9362e1229190203111b9abe76
parentnet: qmi_wwan: Add Telewell TW-LTE 4G (diff)
downloadlinux-c5060cec6ba27ad3f0e7facfdf05d2f18e3e3010.tar.xz
linux-c5060cec6ba27ad3f0e7facfdf05d2f18e3e3010.zip
asix: fix BUG in receive path when lowering MTU
There is bug in the receive path of the asix driver at the time a packet is received larger than MTU size and DF bit set: BUG: unable to handle kernel paging request at 0000004000000001 IP: [<ffffffff8126f65b>] skb_release_head_state+0x2d/0xd2 ... Call Trace: <IRQ> [<ffffffff8126f86d>] ? skb_release_all+0x9/0x1e [<ffffffff8126f8ad>] ? __kfree_skb+0x9/0x6f [<ffffffffa00b4200>] ? asix_rx_fixup_internal+0xff/0x1ae [asix] [<ffffffffa00fb3dc>] ? usbnet_bh+0x4f/0x226 [usbnet] ... It is easily reproducable by setting an MTU of 512 e. g. and sending something like ping -s 1472 -c 1 -M do $SELF from another box. And this is because the rx->ax_skb is freed on error, but rx->ax_skb is not reset, and the size is not reset to zero in this case. And since the skb is added again to the usbnet->done skb queue it is accessing already freed memory, resulting in the BUG when freeing a 2nd time. I therefore think the value 0x0000004000000001 show in the trace is more or less random data. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/usb/asix_common.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
index f7f623a5390e..577c72d5f369 100644
--- a/drivers/net/usb/asix_common.c
+++ b/drivers/net/usb/asix_common.c
@@ -100,6 +100,9 @@ int asix_rx_fixup_internal(struct usbnet *dev, struct sk_buff *skb,
netdev_err(dev->net, "asix_rx_fixup() Bad RX Length %d\n",
rx->size);
kfree_skb(rx->ax_skb);
+ rx->ax_skb = NULL;
+ rx->size = 0U;
+
return 0;
}