tg3: fix tigon3_dma_hwbug_workaround()
authorEric Dumazet <eric.dumazet@gmail.com>
Sat, 22 Oct 2011 07:29:53 +0000 (03:29 -0400)
committerDavid S. Miller <davem@davemloft.net>
Sat, 22 Oct 2011 07:29:53 +0000 (03:29 -0400)
Ari got kernel panics using tg3 NIC, and bisected to 2669069aacc9 "tg3:
enable transmit time stamping."

This is because tigon3_dma_hwbug_workaround() might alloc a new skb and
free the original. We panic when skb_tx_timestamp() is called on freed
skb.

Reported-by: Ari Savolainen <ari.m.savolainen@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/tg3.c

index c11a2b8327f301410145f9281bd1ff221d3c6aaf..d469004704ad77ec1617bb53400e9aaebedb6ce7 100644 (file)
@@ -6029,12 +6029,12 @@ static void tg3_tx_skb_unmap(struct tg3_napi *tnapi, u32 entry, int last)
 
 /* Workaround 4GB and 40-bit hardware DMA bugs. */
 static int tigon3_dma_hwbug_workaround(struct tg3_napi *tnapi,
-                                      struct sk_buff *skb,
+                                      struct sk_buff **pskb,
                                       u32 *entry, u32 *budget,
                                       u32 base_flags, u32 mss, u32 vlan)
 {
        struct tg3 *tp = tnapi->tp;
-       struct sk_buff *new_skb;
+       struct sk_buff *new_skb, *skb = *pskb;
        dma_addr_t new_addr = 0;
        int ret = 0;
 
@@ -6076,7 +6076,7 @@ static int tigon3_dma_hwbug_workaround(struct tg3_napi *tnapi,
        }
 
        dev_kfree_skb(skb);
-
+       *pskb = new_skb;
        return ret;
 }
 
@@ -6305,7 +6305,7 @@ static netdev_tx_t tg3_start_xmit(struct sk_buff *skb, struct net_device *dev)
                 */
                entry = tnapi->tx_prod;
                budget = tg3_tx_avail(tnapi);
-               if (tigon3_dma_hwbug_workaround(tnapi, skb, &entry, &budget,
+               if (tigon3_dma_hwbug_workaround(tnapi, &skb, &entry, &budget,
                                                base_flags, mss, vlan))
                        goto out_unlock;
        }