From: Bjørn Mork Date: Fri, 30 May 2014 07:31:04 +0000 (+0200) Subject: net: cdc_ncm: always reallocate tx_curr_skb when tx_max increases X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=1ba5d0ff36f765a571c83b55b13ec44f4050fb5b;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git net: cdc_ncm: always reallocate tx_curr_skb when tx_max increases We are calling usbnet_start_xmit() to flush any remaining data, depending on the side effect that tx_curr_skb is set to NULL, ensuring a new allocation using the updated tx_max. But this side effect will only happen if there were any cached data ready to transmit. If not, then an empty tx_curr_skb is still allocated using the old tx_max size. Free it to avoid a buffer overrun. Fixes: 68864abf08f0 ("net: cdc_ncm: support rx_max/tx_max updates when running") Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller --- diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c index 2bbbd65591c7..ff5b3a854898 100644 --- a/drivers/net/usb/cdc_ncm.c +++ b/drivers/net/usb/cdc_ncm.c @@ -268,6 +268,11 @@ static void cdc_ncm_update_rxtx_max(struct usbnet *dev, u32 new_rx, u32 new_tx) if (netif_running(dev->net) && val > ctx->tx_max) { netif_tx_lock_bh(dev->net); usbnet_start_xmit(NULL, dev->net); + /* make sure tx_curr_skb is reallocated if it was empty */ + if (ctx->tx_curr_skb) { + dev_kfree_skb_any(ctx->tx_curr_skb); + ctx->tx_curr_skb = NULL; + } ctx->tx_max = val; netif_tx_unlock_bh(dev->net); } else {