From 9156719a74381d1487935e8eeb5880d23f488029 Mon Sep 17 00:00:00 2001 From: Gabor Juhos Date: Thu, 13 Dec 2012 18:39:31 +0000 Subject: [PATCH] kernel: fix solos-pci skb double-free in DMA mode [juhosg: refresh the patches with quilt] Signed-off-by: David Woodhouse Signed-off-by: Gabor Juhos git-svn-id: svn://svn.openwrt.org/openwrt/trunk@34667 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- .../generic/patches-3.3/132-solos-dma.patch | 33 +++++++++++++++++++ .../generic/patches-3.6/132-solos-dma.patch | 33 +++++++++++++++++++ .../generic/patches-3.7/132-solos-dma.patch | 33 +++++++++++++++++++ 3 files changed, 99 insertions(+) create mode 100644 target/linux/generic/patches-3.3/132-solos-dma.patch create mode 100644 target/linux/generic/patches-3.6/132-solos-dma.patch create mode 100644 target/linux/generic/patches-3.7/132-solos-dma.patch diff --git a/target/linux/generic/patches-3.3/132-solos-dma.patch b/target/linux/generic/patches-3.3/132-solos-dma.patch new file mode 100644 index 0000000000..9e7eb821db --- /dev/null +++ b/target/linux/generic/patches-3.3/132-solos-dma.patch @@ -0,0 +1,33 @@ +From cae49ede00ec3d0cda290b03fee55b72b49efc11 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Tue, 11 Dec 2012 14:57:14 +0000 +Subject: [PATCH] solos-pci: fix double-free of TX skb in DMA mode + +We weren't clearing card->tx_skb[port] when processing the TX done interrupt. +If there wasn't another skb ready to transmit immediately, this led to a +double-free because we'd free it *again* next time we did have a packet to +send. + +Signed-off-by: David Woodhouse +Cc: stable@kernel.org +Signed-off-by: David S. Miller +--- + drivers/atm/solos-pci.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/atm/solos-pci.c ++++ b/drivers/atm/solos-pci.c +@@ -945,10 +945,11 @@ static uint32_t fpga_tx(struct solos_car + for (port = 0; tx_pending; tx_pending >>= 1, port++) { + if (tx_pending & 1) { + struct sk_buff *oldskb = card->tx_skb[port]; +- if (oldskb) ++ if (oldskb) { + pci_unmap_single(card->dev, SKB_CB(oldskb)->dma_addr, + oldskb->len, PCI_DMA_TODEVICE); +- ++ card->tx_skb[port] = NULL; ++ } + spin_lock(&card->tx_queue_lock); + skb = skb_dequeue(&card->tx_queue[port]); + if (!skb) diff --git a/target/linux/generic/patches-3.6/132-solos-dma.patch b/target/linux/generic/patches-3.6/132-solos-dma.patch new file mode 100644 index 0000000000..9e7eb821db --- /dev/null +++ b/target/linux/generic/patches-3.6/132-solos-dma.patch @@ -0,0 +1,33 @@ +From cae49ede00ec3d0cda290b03fee55b72b49efc11 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Tue, 11 Dec 2012 14:57:14 +0000 +Subject: [PATCH] solos-pci: fix double-free of TX skb in DMA mode + +We weren't clearing card->tx_skb[port] when processing the TX done interrupt. +If there wasn't another skb ready to transmit immediately, this led to a +double-free because we'd free it *again* next time we did have a packet to +send. + +Signed-off-by: David Woodhouse +Cc: stable@kernel.org +Signed-off-by: David S. Miller +--- + drivers/atm/solos-pci.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/atm/solos-pci.c ++++ b/drivers/atm/solos-pci.c +@@ -945,10 +945,11 @@ static uint32_t fpga_tx(struct solos_car + for (port = 0; tx_pending; tx_pending >>= 1, port++) { + if (tx_pending & 1) { + struct sk_buff *oldskb = card->tx_skb[port]; +- if (oldskb) ++ if (oldskb) { + pci_unmap_single(card->dev, SKB_CB(oldskb)->dma_addr, + oldskb->len, PCI_DMA_TODEVICE); +- ++ card->tx_skb[port] = NULL; ++ } + spin_lock(&card->tx_queue_lock); + skb = skb_dequeue(&card->tx_queue[port]); + if (!skb) diff --git a/target/linux/generic/patches-3.7/132-solos-dma.patch b/target/linux/generic/patches-3.7/132-solos-dma.patch new file mode 100644 index 0000000000..9e7eb821db --- /dev/null +++ b/target/linux/generic/patches-3.7/132-solos-dma.patch @@ -0,0 +1,33 @@ +From cae49ede00ec3d0cda290b03fee55b72b49efc11 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Tue, 11 Dec 2012 14:57:14 +0000 +Subject: [PATCH] solos-pci: fix double-free of TX skb in DMA mode + +We weren't clearing card->tx_skb[port] when processing the TX done interrupt. +If there wasn't another skb ready to transmit immediately, this led to a +double-free because we'd free it *again* next time we did have a packet to +send. + +Signed-off-by: David Woodhouse +Cc: stable@kernel.org +Signed-off-by: David S. Miller +--- + drivers/atm/solos-pci.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/atm/solos-pci.c ++++ b/drivers/atm/solos-pci.c +@@ -945,10 +945,11 @@ static uint32_t fpga_tx(struct solos_car + for (port = 0; tx_pending; tx_pending >>= 1, port++) { + if (tx_pending & 1) { + struct sk_buff *oldskb = card->tx_skb[port]; +- if (oldskb) ++ if (oldskb) { + pci_unmap_single(card->dev, SKB_CB(oldskb)->dma_addr, + oldskb->len, PCI_DMA_TODEVICE); +- ++ card->tx_skb[port] = NULL; ++ } + spin_lock(&card->tx_queue_lock); + skb = skb_dequeue(&card->tx_queue[port]); + if (!skb)