Re: [PATCH net-next v2 6/9] xen-netback: Handle guests with too many frags
From: Zoltan Kiss <hidden>
Date: 2014-01-07 15:23:23
Also in:
lkml
On 16/12/13 18:09, Wei Liu wrote:
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c index e26cdda..f6ed1c8 100644 --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c@@ -906,11 +906,15 @@ static struct gnttab_map_grant_ref *xenvif_get_requests(struct xenvif *vif, u16 pending_idx = *((u16 *)skb->data); int start; pending_ring_idx_t index; - unsigned int nr_slots; + unsigned int nr_slots, frag_overflow = 0; /* At this point shinfo->nr_frags is in fact the number of * slots, which can be as large as XEN_NETBK_LEGACY_SLOTS_MAX. */ + if (shinfo->nr_frags > MAX_SKB_FRAGS) { + frag_overflow = shinfo->nr_frags - MAX_SKB_FRAGS; + shinfo->nr_frags = MAX_SKB_FRAGS; + } nr_slots = shinfo->nr_frags;It is also probably better to check whether shinfo->nr_frags is too large which makes frag_overflow > MAX_SKB_FRAGS. I know skb should be already be valid at this point but it wouldn't hurt to be more careful.Ok, I've added this: /* At this point shinfo->nr_frags is in fact the number of * slots, which can be as large as XEN_NETBK_LEGACY_SLOTS_MAX. */ + if (shinfo->nr_frags > MAX_SKB_FRAGS) { + if (shinfo->nr_frags > XEN_NETBK_LEGACY_SLOTS_MAX) return NULL; + frag_overflow = shinfo->nr_frags - MAX_SKB_FRAGS;What I suggested is BUG_ON(frag_overflow > MAX_SKB_FRAGS)
Ok, I've changed it. Zoli
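Review bot: In the "if (shinfo->nr_frags > MAX_SKB_FRAGS)" block of xenvif_get_requests(), frag_overflow is derived from a slot count that the hunk itself never bounds; only the comment says it can be as large as XEN_NETBK_LEGACY_SLOTS_MAX. The two checks discussed are not the same invariant: "shinfo->nr_frags > XEN_NETBK_LEGACY_SLOTS_MAX" limits the slot count, while "BUG_ON(frag_overflow > MAX_SKB_FRAGS)" limits the overflow, which permits nr_frags up to 2 * MAX_SKB_FRAGS. Please extend the comment to say which bound the code that consumes frag_overflow relies on. Because this count reflects the number of slots the guest supplied, it is also worth weighing an error return, as in the "return NULL" variant, against BUG_ON, in case the earlier validation that makes the skb "already valid at this point" ever changes.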