net: usbnet: fix SG initialisation
authorBjørn Mork <bjorn@mork.no>
Fri, 10 Jan 2014 22:10:17 +0000 (23:10 +0100)
committerDavid S. Miller <davem@davemloft.net>
Tue, 14 Jan 2014 07:32:04 +0000 (23:32 -0800)
Commit 60e453a940ac ("USBNET: fix handling padding packet")
added an extra SG entry in case padding is necessary, but
failed to update the initialisation of the list. This can
cause list traversal to fall off the end of the list,
resulting in an oops.

Fixes: 60e453a940ac ("USBNET: fix handling padding packet")
Reported-by: Thomas Kear <thomas@kear.co.nz>
Cc: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Tested-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/usb/usbnet.c

index 8494bb53ebdc9f33abee1d8e5a27f7d0dea3cc17..aba04f56176008aa12d0eaf72590d239f0affce8 100644 (file)
@@ -1245,7 +1245,7 @@ static int build_dma_sg(const struct sk_buff *skb, struct urb *urb)
                return -ENOMEM;
 
        urb->num_sgs = num_sgs;
-       sg_init_table(urb->sg, urb->num_sgs);
+       sg_init_table(urb->sg, urb->num_sgs + 1);
 
        sg_set_buf(&urb->sg[s++], skb->data, skb_headlen(skb));
        total_len += skb_headlen(skb);