This is a note to let you know that I've just added the patch titled

    netxen: fix off by one bug in netxen_release_tx_buffer()

to the 3.4-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netxen-fix-off-by-one-bug-in-netxen_release_tx_buffer.patch
and it can be found in the queue-3.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


From e3ed07dccc1825e4458e1bf2c09256315df32229 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <[email protected]>
Date: Tue, 22 Jan 2013 06:33:05 +0000
Subject: netxen: fix off by one bug in netxen_release_tx_buffer()


From: Eric Dumazet <[email protected]>

[ Upstream commit a05948f296ce103989b28a2606e47d2e287c3c89 ]

Christoph Paasch found netxen could trigger a BUG in its dismantle
phase, in netxen_release_tx_buffer(), using full size TSO packets.

cmd_buf->frag_count includes the skb->data part, so the loop must
start at index 1 instead of 0, or else we can make an out
of bound access to cmd_buff->frag_array[MAX_SKB_FRAGS + 2]

Christoph provided the fixes in netxen_map_tx_skb() function.
In case of a dma mapping error, it's better to clear the dma fields
so that we don't try to unmap them again in netxen_release_tx_buffer()

Reported-by: Christoph Paasch <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Tested-by: Christoph Paasch <[email protected]>
Cc: Sony Chacko <[email protected]>
Cc: Rajesh Borundia <[email protected]>
Signed-off-by: Christoph Paasch <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
 drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c |    2 +-
 drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c |    2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c
+++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c
@@ -144,7 +144,7 @@ void netxen_release_tx_buffers(struct ne
                                         buffrag->length, PCI_DMA_TODEVICE);
                        buffrag->dma = 0ULL;
                }
-               for (j = 0; j < cmd_buf->frag_count; j++) {
+               for (j = 1; j < cmd_buf->frag_count; j++) {
                        buffrag++;
                        if (buffrag->dma) {
                                pci_unmap_page(adapter->pdev, buffrag->dma,
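Review bot: The new `j = 1` start in the fragment loop needs a short comment saying that cmd_buf->frag_count counts the skb->data entry held in frag_array[0]. Without it the loop reads like a typo and invites a later "fix" back to 0. The loop also advances with `buffrag++` before each use, so the highest slot touched is only implied by the counter. Indexing with `buffrag = &cmd_buf->frag_array[j];` would tie the access directly to the bound and make an out-of-range index easier to spot in review. As a minor documentation point, the subject names netxen_release_tx_buffer() while the hunk header shows netxen_release_tx_buffers.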
--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
@@ -1956,10 +1956,12 @@ unwind:
        while (--i >= 0) {
                nf = &pbuf->frag_array[i+1];
                pci_unmap_page(pdev, nf->dma, nf->length, PCI_DMA_TODEVICE);
+               nf->dma = 0ULL;
        }
 
        nf = &pbuf->frag_array[0];
        pci_unmap_single(pdev, nf->dma, skb_headlen(skb), PCI_DMA_TODEVICE);
+       nf->dma = 0ULL;
 
 out_err:
        return -ENOMEM;
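Review bot: The two `nf->dma = 0ULL;` assignments in the unwind path depend on a zero dma field meaning "not mapped", which is the same convention as the `if (buffrag->dma)` test in the release loop of the first file. That coupling between the two files is not stated anywhere in the visible lines. A one-line comment above the `while (--i >= 0)` loop saying the fields are cleared so the release path does not unmap them a second time would keep the two sites in step. The visible lines do not show whether nf->length or the buffer's frag_count are reset on this path. If the release loop can still walk these entries, confirm that the zeroed dma field alone is enough for it to skip them.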


Patches currently in stable-queue which might be from [email protected] are

queue-3.4/tcp-frto-should-not-set-snd_cwnd-to-0.patch
queue-3.4/tcp-fix-for-zero-packets_in_flight-was-too-broad.patch
queue-3.4/net-prevent-setting-ttl-0-via-ip_ttl.patch
queue-3.4/netxen-fix-off-by-one-bug-in-netxen_release_tx_buffer.patch
queue-3.4/net-loopback-fix-a-dst-refcounting-issue.patch