On 16/12/13 18:09, Wei Liu wrote:
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c index e26cdda..f6ed1c8 100644 --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c @@ -906,11 +906,15 @@ static struct gnttab_map_grant_ref *xenvif_get_requests(struct xenvif *vif, u16 pending_idx = *((u16 *)skb->data); int start; pending_ring_idx_t index; - unsigned int nr_slots; + unsigned int nr_slots, frag_overflow = 0;/* At this point shinfo->nr_frags is in fact the number of * slots, which can be as large as XEN_NETBK_LEGACY_SLOTS_MAX. */ + if (shinfo->nr_frags > MAX_SKB_FRAGS) { + frag_overflow = shinfo->nr_frags - MAX_SKB_FRAGS; + shinfo->nr_frags = MAX_SKB_FRAGS; + } nr_slots = shinfo->nr_frags;It is also probably better to check whether shinfo->nr_frags is too large which makes frag_overflow > MAX_SKB_FRAGS. I know skb should be already be valid at this point but it wouldn't hurt to be more careful.Ok, I've added this: /* At this point shinfo->nr_frags is in fact the number of * slots, which can be as large as XEN_NETBK_LEGACY_SLOTS_MAX. */ + if (shinfo->nr_frags > MAX_SKB_FRAGS) { + if (shinfo->nr_frags > XEN_NETBK_LEGACY_SLOTS_MAX) return NULL; + frag_overflow = shinfo->nr_frags - MAX_SKB_FRAGS;What I suggested is BUG_ON(frag_overflow > MAX_SKB_FRAGS)
Ok, I've changed it. Zoli -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
