Message ID | 1358872385.3464.3940.camel@edumazet-glaptop |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
On Tuesday 22 January 2013 08:33:05 Eric Dumazet wrote:
> [PATCH] netxen: fix off by one bug in netxen_release_tx_buffer()
>
> Christoph Paasch found netxen could trigger a BUG in its dismantle
> phase, in netxen_release_tx_buffer(), using full size TSO packets.
>
> cmd_buf->frag_count includes the skb->data part, so the loop must
> start at index 1 instead of 0, or else we can make an out
> of bound access to cmd_buff->frag_array[MAX_SKB_FRAGS + 2]
>
> Christoph provided the fixes in netxen_map_tx_skb() function.
> In case of a dma mapping error, it's better to clear the dma fields
> so that we don't try to unmap them again in netxen_release_tx_buffer()
>
> Reported-by: Christoph Paasch <christoph.paasch@uclouvain.be>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Tested-by: Christoph Paasch <christoph.paasch@uclouvain.be>
> Cc: Sony Chacko <sony.chacko@qlogic.com>
> Cc: Rajesh Borundia <rajesh.borundia@qlogic.com>
> ---
>  drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c | 2 +-
>  drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 2 ++
>  2 files changed, 3 insertions(+), 1 deletion(-)

Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 22 Jan 2013 08:33:05 -0800

> From: Eric Dumazet <edumazet@google.com>
...
> [PATCH] netxen: fix off by one bug in netxen_release_tx_buffer()
>
> Christoph Paasch found netxen could trigger a BUG in its dismantle
> phase, in netxen_release_tx_buffer(), using full size TSO packets.
>
> cmd_buf->frag_count includes the skb->data part, so the loop must
> start at index 1 instead of 0, or else we can make an out
> of bound access to cmd_buff->frag_array[MAX_SKB_FRAGS + 2]
>
> Christoph provided the fixes in netxen_map_tx_skb() function.
> In case of a dma mapping error, it's better to clear the dma fields
> so that we don't try to unmap them again in netxen_release_tx_buffer()
>
> Reported-by: Christoph Paasch <christoph.paasch@uclouvain.be>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Tested-by: Christoph Paasch <christoph.paasch@uclouvain.be>

Applied and queued up for -stable, thanks.

diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c index bc165f4..695667d 100644 --- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c +++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c @@ -144,7 +144,7 @@ void netxen_release_tx_buffers(struct netxen_adapter *adapter) buffrag->length, PCI_DMA_TODEVICE); buffrag->dma = 0ULL; } - for (j = 0; j < cmd_buf->frag_count; j++) { + for (j = 1; j < cmd_buf->frag_count; j++) { buffrag++; if (buffrag->dma) { pci_unmap_page(adapter->pdev, buffrag->dma, diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c index 6098fd4a..69e321a 100644 --- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c @@ -1963,10 +1963,12 @@ unwind: while (--i >= 0) { nf = &pbuf->frag_array[i+1]; pci_unmap_page(pdev, nf->dma, nf->length, PCI_DMA_TODEVICE); + nf->dma = 0ULL; } nf = &pbuf->frag_array[0]; pci_unmap_single(pdev, nf->dma, skb_headlen(skb), PCI_DMA_TODEVICE); + nf->dma = 0ULL; out_err: return -ENOMEM;
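
Review bot: in the netxen_nic_init.c hunk, the new start index in "for (j = 1; j < cmd_buf->frag_count; j++)" is only correct because "buffrag++" runs before each access and slot 0 has already been unmapped just above the loop, and nothing in the code says so. A one-line comment stating that frag_count counts the skb->data slot as well as the page fragments would stop a later reader from changing the index back to 0. Indexing frag_array by j, instead of stepping buffrag separately from the counter, would also make the upper bound visible in the loop itself. Minor: the subject line names netxen_release_tx_buffer() while the hunk header shows netxen_release_tx_buffers().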
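
Review bot: in the netxen_nic_main.c hunk, the two added "nf->dma = 0ULL;" assignments in the unwind path depend on a zero dma field meaning "slot not mapped", a convention that is only visible in the release loop's "if (buffrag->dma)" test in the other file. A short comment at the unwind label saying the fields are cleared so the release path skips these slots would document the coupling between the two functions. The assignments also leave nf->length untouched; that is harmless while the release path tests only dma, but clearing both fields together would keep each slot self-consistent if a later change starts looking at length.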