linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Aurelien Jacobs <aurel@gnuage.org>,
	Jussi Kivilinna <jussi.kivilinna@mbnet.fi>,
	"David S. Miller" <davem@davemloft.net>
Subject: [36/42] asix: fix infinite loop in rx_fixup()
Date: Tue, 10 Jan 2012 13:48:46 -0800	[thread overview]
Message-ID: <20120110215024.020546888@clark.kroah.org> (raw)
In-Reply-To: <20120110215031.GA19398@kroah.com>

3.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aurelien Jacobs <aurel@gnuage.org>

commit 6c15d74defd38e7e7f8805392578b7a1d508097e upstream.

At this point if skb->len happens to be 2, the subsequant skb_pull(skb, 4)
call won't work and the skb->len won't be decreased and won't ever reach 0,
resulting in an infinite loop.

With an ASIX 88772 under heavy load, without this patch, rx_fixup() reaches
an infinite loop in less than a minute. With this patch applied,
no infinite loop even after hours of heavy load.

Signed-off-by: Aurelien Jacobs <aurel@gnuage.org>
Cc: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>

---
 drivers/net/usb/asix.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/usb/asix.c
+++ b/drivers/net/usb/asix.c
@@ -371,7 +371,7 @@ static int asix_rx_fixup(struct usbnet *
 
 		skb_pull(skb, (size + 1) & 0xfffe);
 
-		if (skb->len == 0)
+		if (skb->len < sizeof(header))
 			break;
 
 		head = (u8 *) skb->data;



  parent reply	other threads:[~2012-01-10 23:00 UTC|newest]

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-01-10 21:50 [00/42] 3.1.9-stable review Greg KH
2012-01-10 21:48 ` [01/42] MAINTAINERS: stable: Update address Greg KH
2012-01-10 21:48 ` [02/42] Documentation: Update stable address Greg KH
2012-01-10 21:48 ` [03/42] firmware: Fix an oops on reading fw_priv->fw in sysfs loading file Greg KH
2012-01-10 21:48 ` [04/42] rt2800usb: Move ID out of unknown Greg KH
2012-01-10 21:48 ` [05/42] offb: Fix setting of the pseudo-palette for >8bpp Greg KH
2012-01-10 21:48 ` [06/42] offb: Fix bug in calculating requested vram size Greg KH
2012-01-10 21:48 ` [07/42] wl12xx: Validate FEM index from ini file and FW Greg KH
2012-01-10 21:48 ` [08/42] wl12xx: Check buffer bound when processing nvs data Greg KH
2012-01-10 21:48 ` [09/42] wl12xx: Restore testmode ABI Greg KH
2012-01-10 21:48 ` [10/42] powerpc/time: Handle wrapping of decrementer Greg KH
2012-01-10 21:48 ` [11/42] powerpc: Fix unpaired probe_hcall_entry and probe_hcall_exit Greg KH
2012-01-10 21:48 ` [12/42] asix: new device id Greg KH
2012-01-10 21:48 ` [13/42] IB/qib: Fix a possible data corruption when receiving packets Greg KH
2012-01-10 21:48 ` [14/42] perf: Fix parsing of __print_flags() in TP_printk() Greg KH
2012-01-10 21:48 ` [15/42] reiserfs: Fix quota mount option parsing Greg KH
2012-01-10 21:48 ` [16/42] reiserfs: Force inode evictions before umount to avoid crash Greg KH
2012-01-10 21:48 ` [17/42] ext3: Dont warn from writepage when readonly inode is spotted after error Greg KH
2012-01-10 21:48 ` [18/42] USB: update documentation for usbmon Greg KH
2012-01-10 21:48 ` [19/42] atmel_serial: fix spinlock lockup in RS485 code Greg KH
2012-01-10 21:48 ` [20/42] cgroup: fix to allow mounting a hierarchy by name Greg KH
2012-01-10 21:48 ` [21/42] udf: Fix deadlock when converting file from in-ICB one to normal one Greg KH
2012-01-10 21:48 ` [22/42] drivers/usb/class/cdc-acm.c: clear dangling pointer Greg KH
2012-01-10 21:48 ` [23/42] USB: isight: fix kernel bug when loading firmware Greg KH
2012-01-10 21:48 ` [24/42] usb: usb-storage doesnt support dynamic id currently, the patch disables the feature to fix an oops Greg KH
2012-01-10 21:48 ` [25/42] USB: add quirk for another camera Greg KH
2012-01-10 21:48 ` [26/42] usb: musb: fix pm_runtime mismatch Greg KH
2012-01-10 21:48 ` [27/42] USB: omninet: fix write_room Greg KH
2012-01-10 21:48 ` [28/42] USB: Add USB-ID for Multiplex RC serial adapter to cp210x.c Greg KH
2012-01-10 21:48 ` [29/42] usb: fix number of mapped SG DMA entries Greg KH
2012-01-10 21:48 ` [30/42] xhci: Properly handle COMP_2ND_BW_ERR Greg KH
2012-01-10 21:48 ` [31/42] USB: option: add id for 3G dongle Model VT1000 of Viettel Greg KH
2012-01-10 21:48 ` [32/42] usb: option: add ZD Incorporated HSPA modem Greg KH
2012-01-10 21:48 ` [33/42] usb: ch9: fix up MaxStreams helper Greg KH
2012-01-10 21:48 ` [34/42] OHCI: final fix for NVIDIA problems (I hope) Greg KH
2012-01-10 21:48 ` [35/42] igmp: Avoid zero delay when receiving odd mixture of IGMP queries Greg KH
2012-01-10 21:48 ` Greg KH [this message]
2012-01-10 21:48 ` [37/42] bonding: fix error handling if slave is busy (v2) Greg KH
2012-01-10 21:48 ` [38/42] PM / Sleep: Fix race between CPU hotplug and freezer Greg KH
2012-01-10 21:48 ` [39/42] SCSI: mpt2sas: Added missing mpt2sas_base_detach call from scsih_remove context Greg KH
2012-01-10 21:48 ` [40/42] usb: cdc-acm: Fix acm_tty_hangup() vs. acm_tty_close() race Greg KH
2012-01-10 21:48 ` [41/42] xfs: validate acl count Greg KH
2012-01-11  7:41   ` Christoph Hellwig
2012-01-11 15:00     ` Greg KH
2012-01-11 15:05       ` Ben Myers
2012-01-13 16:17         ` Ben Myers
2012-01-13 18:19           ` Greg KH
2012-01-13 19:42             ` Ben Myers
2012-01-13 19:52               ` Greg KH
2012-01-16 15:53                 ` Ben Myers
2012-01-16 16:48                   ` Greg KH
2012-01-24 16:33                 ` Christoph Hellwig
2012-01-24 17:43                   ` Ben Myers
2012-01-10 21:48 ` [42/42] xfs: fix acl count validation in xfs_acl_from_disk() Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120110215024.020546888@clark.kroah.org \
    --to=gregkh@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=aurel@gnuage.org \
    --cc=davem@davemloft.net \
    --cc=jussi.kivilinna@mbnet.fi \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).