From: Christian Lamparter <chunkeey@googlemail.com>
To: linux-wireless@vger.kernel.org
Subject: [PATCH 2/2] p54pci: fix regression from prevent stuck rx-ring on slow system
Date: Thu, 22 Apr 2010 19:52:43 +0200
User-Agent: KMail/1.12.4 (Linux/2.6.34-rc5-uber-wl; KDE/4.3.4; x86_64; ; )
Cc: linville@tuxdriver.com, hdegoede@redhat.com
MIME-Version: 1.0
X-Length: 4801
X-UID: 74
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201004221952.44071.chunkeey@googlemail.com>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
Content-Length: 4096

From: Hans de Goede <hdegoede@redhat.com>

This patch fixes a recently introduced use-after-free regression
from "p54pci: prevent stuck rx-ring on slow system".

Hans de Goede reported a use-after-free regression:
>BUG: unable to handle kernel paging request at 6b6b6b6b
>IP: [<e122284a>] p54p_check_tx_ring+0x84/0xb1 [p54pci]
>*pde = 00000000
>Oops: 0000 [#1] SMP
>EIP: 0060:[<e122284a>] EFLAGS: 00010286 CPU: 0
>EIP is at p54p_check_tx_ring+0x84/0xb1 [p54pci]
>EAX: 6b6b6b6b EBX: df10b170 ECX: 00000003 EDX: 00000001
>ESI: dc471500 EDI: d8acaeb0 EBP: c098be9c ESP: c098be84
> DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
>Process swapper (pid: 0, ti=c098a000 task=c09ccfe0 task.ti=c098a000)
>Call Trace:
> [<e1222b02>] ? p54p_tasklet+0xaa/0xb5 [p54pci]
> [<c0440568>] ? tasklet_action+0x78/0xcb
> [<c0440ed3>] ? __do_softirq+0xbc/0x173

Quote from comment #17:
"The problem is the innocent looking moving of the tx processing to
after the rx processing in the tasklet. Quoting from the changelog:
This patch does it the same way, except that it also prioritizes
rx data processing, simply because tx routines *can* wait.

This is causing an issue with us referencing already freed memory,
because some skb's we transmit, we immediately receive back, such
as those for reading the eeprom (*) and getting stats.

What can happen because of the moving of the tx processing to after
the rx processing is that when the tasklet first runs after doing a
special skb tx (such as eeprom) we've already received the answer
to it.

Then the rx processing ends up calling p54_find_and_unlink_skb to
find the matching tx skb for the just received special rx skb and
frees the tx skb.

Then after the processing of the rx skb answer, and thus freeing
the tx skb, we go process the completed tx ring entries, and then
dereference the free-ed skb, to see if it should be free-ed by
p54p_check_tx_ring()."

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=583623
Bug-Identified-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
---
diff --git a/drivers/net/wireless/p54/p54pci.c b/drivers/net/wireless/p54/p54pci.c
|
|
index ca42ccb..07c4528 100644
|
|
--- a/drivers/net/wireless/p54/p54pci.c
|
|
+++ b/drivers/net/wireless/p54/p54pci.c
|
|
@@ -277,6 +277,14 @@ static void p54p_tasklet(unsigned long dev_id)
|
|
struct p54p_priv *priv = dev->priv;
|
|
struct p54p_ring_control *ring_control = priv->ring_control;
|
|
|
|
+ p54p_check_tx_ring(dev, &priv->tx_idx_mgmt, 3, ring_control->tx_mgmt,
|
|
+ ARRAY_SIZE(ring_control->tx_mgmt),
|
|
+ priv->tx_buf_mgmt);
|
|
+
|
|
+ p54p_check_tx_ring(dev, &priv->tx_idx_data, 1, ring_control->tx_data,
|
|
+ ARRAY_SIZE(ring_control->tx_data),
|
|
+ priv->tx_buf_data);
|
|
+
|
|
p54p_check_rx_ring(dev, &priv->rx_idx_mgmt, 2, ring_control->rx_mgmt,
|
|
ARRAY_SIZE(ring_control->rx_mgmt), priv->rx_buf_mgmt);
|
|
|
|
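Review bot: The two p54p_check_tx_ring() calls added at the top of p54p_tasklet() carry no comment saying why they must precede p54p_check_rx_ring(), so the ordering this fix depends on is invisible in the code and could be moved again, as it was by the change this patch repairs. Please add a short comment above them noting that rx processing can free a tx skb whose ring entry has not been retired yet (the p54_find_and_unlink_skb path from the changelog). It would also help to say in the changelog whether a reply can still arrive between these calls and the rx pass, since correctness then rests on call order alone rather than on the ring slot being cleared when the skb is released.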
@@ -285,14 +293,6 @@ static void p54p_tasklet(unsigned long dev_id)
|
|
|
|
wmb();
|
|
P54P_WRITE(dev_int, cpu_to_le32(ISL38XX_DEV_INT_UPDATE));
|
|
-
|
|
- p54p_check_tx_ring(dev, &priv->tx_idx_mgmt, 3, ring_control->tx_mgmt,
|
|
- ARRAY_SIZE(ring_control->tx_mgmt),
|
|
- priv->tx_buf_mgmt);
|
|
-
|
|
- p54p_check_tx_ring(dev, &priv->tx_idx_data, 1, ring_control->tx_data,
|
|
- ARRAY_SIZE(ring_control->tx_data),
|
|
- priv->tx_buf_data);
|
|
}
|
|
|
|
static irqreturn_t p54p_interrupt(int irq, void *dev_id)
|
|
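Review bot: Removing the tx ring checks from after the ISL38XX_DEV_INT_UPDATE write gives up the rx-first ordering that, per the changelog, the earlier change introduced because "tx routines *can* wait", and the changelog does not say whether the stuck rx-ring case on slow systems stays fixed now that tx is handled first again. Please state that explicitly (for example, which part of the earlier patch still addresses it), so this is not read as a plain revert of that fix.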
|
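The ordering problem described in the changelog, as an added user-space model that is not code from the driver or from the patch authors. All `model_*` names and `stale_reads_for_order()` are hypothetical, and a "freed" buffer is only flagged, so the stale access can be counted instead of faulting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: "freeing" only clears a flag, so no real use-after-free occurs. */
struct model_skb { bool live; bool free_after_tx; };

struct model_dev {
    struct model_skb *tx_slot;  /* reference held by the tx ring bookkeeping */
    struct model_skb *pending;  /* request still waiting for its reply */
    bool reply_ready;           /* device has already posted the answer */
    int stale_reads;            /* reads of a buffer that was already released */
};

/* rx pass: a reply releases the matching request, which is the role the
 * changelog gives to p54_find_and_unlink_skb. */
static void model_check_rx(struct model_dev *d)
{
    if (d->reply_ready && d->pending) {
        d->pending->live = false;
        d->pending = NULL;
        d->reply_ready = false;
    }
}

/* tx pass: retire the completed ring entry, then look inside the buffer to
 * decide whether it should be freed here. */
static void model_check_tx(struct model_dev *d)
{
    struct model_skb *skb = d->tx_slot;
    d->tx_slot = NULL;
    if (!skb) return;
    if (!skb->live) { d->stale_reads++; return; }  /* the read that oopsed */
    if (skb->free_after_tx) skb->live = false;
}

/* One tasklet pass for a request (e.g. an eeprom read) whose reply is already in. */
int stale_reads_for_order(bool tx_first)
{
    struct model_skb req = { .live = true, .free_after_tx = false };
    struct model_dev d = { &req, &req, true, 0 };
    if (tx_first) { model_check_tx(&d); model_check_rx(&d); }
    else          { model_check_rx(&d); model_check_tx(&d); }
    return d.stale_reads;
}

int main(void)
{
    printf("rx before tx: %d stale read(s)\n", stale_reads_for_order(false));
    printf("tx before rx: %d stale read(s)\n", stale_reads_for_order(true));
    return 0;
}
```
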