linux-hardened/drivers/net/usb
holger@eitzenberger.org c5060cec6b asix: fix BUG in receive path when lowering MTU
There is a bug in the receive path of the asix driver at the time a
packet is received larger than MTU size and DF bit set:

 BUG: unable to handle kernel paging request at 0000004000000001
 IP: [<ffffffff8126f65b>] skb_release_head_state+0x2d/0xd2
 ...
 Call Trace:
  <IRQ>
  [<ffffffff8126f86d>] ? skb_release_all+0x9/0x1e
  [<ffffffff8126f8ad>] ? __kfree_skb+0x9/0x6f
  [<ffffffffa00b4200>] ? asix_rx_fixup_internal+0xff/0x1ae [asix]
  [<ffffffffa00fb3dc>] ? usbnet_bh+0x4f/0x226 [usbnet]
  ...

It is easily reproducible by setting an MTU of 512 e.g. and sending
something like

  ping -s 1472 -c 1 -M do $SELF

from another box.

And this is because the rx->ax_skb is freed on error, but rx->ax_skb
is not reset, and the size is not reset to zero in this case.

And since the skb is added again to the usbnet->done skb queue it is
accessing already freed memory, resulting in the BUG when freeing a
2nd time.  I therefore think the value 0x0000004000000001 shown in the
trace is more or less random data.

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-05-03 16:10:33 -04:00
..
asix.h net: asix: handle packets crossing URB boundaries 2013-01-18 14:13:29 -05:00
asix_common.c asix: fix BUG in receive path when lowering MTU 2013-05-03 16:10:33 -04:00
asix_devices.c usbnet: asix: apply usbnet_link_change 2013-04-11 15:57:16 -04:00
ax88172a.c drivers: net: usb: Remove unnecessary alloc/OOM messages 2013-02-04 13:22:34 -05:00
ax88179_178a.c usbnet: ax88179_1781: apply usbnet_link_change 2013-04-11 15:57:17 -04:00
catc.c ethtool: fix drvinfo strings set in drivers 2013-01-06 21:06:31 -08:00
cdc-phonet.c cdc-phonet: Don't leak in usbpn_open 2012-08-08 16:04:47 -07:00
cdc_eem.c net: usb: cdc_eem: Fix rx skb allocation for 802.1Q VLANs 2012-11-07 21:12:26 -05:00
cdc_ether.c net: cdc_ether: silence sparse __CHECK_ENDIAN__ warning 2013-04-17 14:15:39 -04:00
cdc_mbim.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-05-01 14:08:52 -07:00
cdc_ncm.c usbnet: cdc_ncm: apply usbnet_link_change 2013-04-11 15:57:16 -04:00
cdc_subset.c USB: Disable hub-initiated LPM for comms devices. 2012-05-18 15:42:55 -07:00
cx82310_eth.c net: cx82310_eth: use common match macro 2012-09-03 13:51:02 -04:00
dm9601.c usbnet: dm9601: apply usbnet_link_change 2013-04-11 15:57:17 -04:00
gl620a.c USB: remove dbg() usage in USB networking drivers 2012-09-20 17:53:14 -04:00
hso.c TTY: add tty_port_tty_hangup helper 2013-03-18 16:24:29 -07:00
int51x1.c usbnet: int51x1: apply introduced usb command APIs 2012-10-26 03:36:51 -04:00
ipheth.c usb/ipheth: Add iPhone 5 support 2012-10-18 15:34:30 -04:00
kalmia.c remove init of dev->perm_addr in drivers 2013-01-08 18:00:48 -08:00
kaweth.c kaweth: print correct debug ptr 2012-10-11 15:12:33 -04:00
Kconfig smsc75xx: configuration help incorrectly mentions smsc95xx 2013-03-15 09:06:57 -04:00
lg-vl600.c USB: Disable hub-initiated LPM for comms devices. 2012-05-18 15:42:55 -07:00
Makefile ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver 2013-03-03 01:43:47 -05:00
mcs7830.c usbnet: mcs7830: apply usbnet_link_change 2013-04-11 15:57:16 -04:00
net1080.c usbnet: net1080: apply introduced usb command APIs 2012-10-26 03:36:51 -04:00
pegasus.c usbnet: pegasus: endian bug in write_mii_word() 2013-05-03 16:10:23 -04:00
pegasus.h drivers: net: usb: pegasus: fix control urb submission 2013-04-29 13:57:50 -04:00
plusb.c usbnet: plusb: apply introduced usb command APIs 2012-10-26 03:36:51 -04:00
qmi_wwan.c net: qmi_wwan: Add Telewell TW-LTE 4G 2013-05-03 16:10:33 -04:00
rndis_host.c remove init of dev->perm_addr in drivers 2013-01-08 18:00:48 -08:00
rtl8150.c ethtool: fix drvinfo strings set in drivers 2013-01-06 21:06:31 -08:00
sierra_net.c usbnet: sierra: apply usbnet_link_change 2013-04-11 15:57:17 -04:00
smsc75xx.c Merge 3.9-rc6 into usb-next 2013-04-08 08:36:40 -07:00
smsc75xx.h smsc75xx: replace 0xffff with PHY_INT_SRC_CLEAR_ALL 2012-05-07 23:43:56 -04:00
smsc95xx.c usbnet: smsc95xx: don't recover device if suspend fails in system sleep 2013-03-25 10:55:46 -07:00
smsc95xx.h smsc95xx: support PHY wakeup source 2012-11-23 14:15:18 -05:00
usbnet.c usbnet: handle link change 2013-04-11 15:57:32 -04:00
zaurus.c USB: Disable hub-initiated LPM for comms devices. 2012-05-18 15:42:55 -07:00