1 From 70abc8cb90e679d8519721e2761d8366a18212a6 Mon Sep 17 00:00:00 2001
2 From: Roger Oksanen <roger.oksanen@cs.helsinki.fi>
3 Date: Fri, 18 Dec 2009 20:18:21 -0800
4 Subject: e100: Fix broken cbs accounting due to missing memset.
6 From: Roger Oksanen <roger.oksanen@cs.helsinki.fi>
8 commit 70abc8cb90e679d8519721e2761d8366a18212a6 upstream.
10 Alan Stern noticed that e100 caused slab corruption.
11 commit 98468efddb101f8a29af974101c17ba513b07be1 changed
12 the allocation of cbs to use dma pools that don't return zeroed memory,
13 especially the cb->status field used to track which cb to clean, causing
14 (the visible) double freeing of skbs and a wrong free cbs count.
16 Now the cbs are explicitly zeroed at allocation time.
18 Reported-by: Alan Stern <stern@rowland.harvard.edu>
19 Tested-by: Alan Stern <stern@rowland.harvard.edu>
20 Signed-off-by: Roger Oksanen <roger.oksanen@cs.helsinki.fi>
21 Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
22 Signed-off-by: David S. Miller <davem@davemloft.net>
23 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
26 drivers/net/e100.c | 2 +-
27 1 file changed, 1 insertion(+), 1 deletion(-)
29 --- a/drivers/net/e100.c
30 +++ b/drivers/net/e100.c
31 @@ -1817,6 +1817,7 @@ static int e100_alloc_cbs(struct nic *ni
35 + memset(nic->cbs, 0, count * sizeof(struct cb));
37 for (cb = nic->cbs, i = 0; i < count; cb++, i++) {
38 cb->next = (i + 1 < count) ? cb + 1 : nic->cbs;
39 @@ -1825,7 +1826,6 @@ static int e100_alloc_cbs(struct nic *ni
40 cb->dma_addr = nic->cbs_dma_addr + i * sizeof(struct cb);
41 cb->link = cpu_to_le32(nic->cbs_dma_addr +
42 ((i+1) % count) * sizeof(struct cb));
46 nic->cb_to_use = nic->cb_to_send = nic->cb_to_clean = nic->cbs;
projects / thirdparty / kernel / stable-queue.git / blob