netxen: fix off by one bug in netxen_release_tx_buffer()
Christoph Paasch found netxen could trigger a BUG in its dismantle phase, in netxen_release_tx_buffer(), using full size TSO packets. cmd_buf->frag_count includes the skb->data part, so the loop must start at index 1 instead of 0, or else we can make an out of bound access to cmd_buff->frag_array[MAX_SKB_FRAGS + 2] Christoph provided the fixes in netxen_map_tx_skb() function. In case of a dma mapping error, its better to clear the dma fields so that we don't try to unmap them again in netxen_release_tx_buffer() Reported-by: Christoph Paasch <christoph.paasch@uclouvain.be> Signed-off-by: Eric Dumazet <edumazet@google.com> Tested-by: Christoph Paasch <christoph.paasch@uclouvain.be> Cc: Sony Chacko <sony.chacko@qlogic.com> Cc: Rajesh Borundia <rajesh.borundia@qlogic.com> Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
d721a1752b
commit
a05948f296
|
@ -144,7 +144,7 @@ void netxen_release_tx_buffers(struct netxen_adapter *adapter)
|
|||
buffrag->length, PCI_DMA_TODEVICE);
|
||||
buffrag->dma = 0ULL;
|
||||
}
|
||||
for (j = 0; j < cmd_buf->frag_count; j++) {
|
||||
for (j = 1; j < cmd_buf->frag_count; j++) {
|
||||
buffrag++;
|
||||
if (buffrag->dma) {
|
||||
pci_unmap_page(adapter->pdev, buffrag->dma,
|
||||
|
|
|
@ -1963,10 +1963,12 @@ unwind:
|
|||
while (--i >= 0) {
|
||||
nf = &pbuf->frag_array[i+1];
|
||||
pci_unmap_page(pdev, nf->dma, nf->length, PCI_DMA_TODEVICE);
|
||||
nf->dma = 0ULL;
|
||||
}
|
||||
|
||||
nf = &pbuf->frag_array[0];
|
||||
pci_unmap_single(pdev, nf->dma, skb_headlen(skb), PCI_DMA_TODEVICE);
|
||||
nf->dma = 0ULL;
|
||||
|
||||
out_err:
|
||||
return -ENOMEM;
|
||||
|
|
Loading…
Reference in New Issue