Commit 1ba5d0ff authored by Bjørn Mork's avatar Bjørn Mork Committed by David S. Miller

net: cdc_ncm: always reallocate tx_curr_skb when tx_max increases

We are calling usbnet_start_xmit() to flush any remaining data,
depending on the side effect that tx_curr_skb is set to NULL,
ensuring a new allocation using the updated tx_max.  But this
side effect will only happen if there were any cached data ready
to transmit. If not, then an empty tx_curr_skb is still allocated
using the old tx_max size. Free it to avoid a buffer overrun.

Fixes: 68864abf ("net: cdc_ncm: support rx_max/tx_max updates when running")
Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 1e2c6117
...@@ -268,6 +268,11 @@ static void cdc_ncm_update_rxtx_max(struct usbnet *dev, u32 new_rx, u32 new_tx) ...@@ -268,6 +268,11 @@ static void cdc_ncm_update_rxtx_max(struct usbnet *dev, u32 new_rx, u32 new_tx)
if (netif_running(dev->net) && val > ctx->tx_max) { if (netif_running(dev->net) && val > ctx->tx_max) {
netif_tx_lock_bh(dev->net); netif_tx_lock_bh(dev->net);
usbnet_start_xmit(NULL, dev->net); usbnet_start_xmit(NULL, dev->net);
/* make sure tx_curr_skb is reallocated if it was empty */
if (ctx->tx_curr_skb) {
dev_kfree_skb_any(ctx->tx_curr_skb);
ctx->tx_curr_skb = NULL;
}
ctx->tx_max = val; ctx->tx_max = val;
netif_tx_unlock_bh(dev->net); netif_tx_unlock_bh(dev->net);
} else { } else {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment