projects / linux-2.6-microblaze.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8a4d4c8)
bnxt_en: Fix crash in bnxt_free_tx_skbs() during tx timeout.
authorMichael Chan <mchan@broadcom.com>
Thu, 28 Jan 2016 08:11:22 +0000 (03:11 -0500)
committerDavid S. Miller <davem@davemloft.net>
Sat, 30 Jan 2016 01:28:39 +0000 (17:28 -0800)
The ring index j is not wrapped properly at the end of the ring, causing
it to reference pointers past the end of the ring.  For proper loop
termination and to access the ring properly, we need to increment j and
mask it before referencing the ring entry.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/broadcom/bnxt/bnxt.c patch | blob | history

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index ebc5413..5dc89e5 100644 (file)
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -1490,10 +1490,11 @@ static void bnxt_free_tx_skbs(struct bnxt *bp)
 
                        last = tx_buf->nr_frags;
                        j += 2;
-                       for (k = 0; k < last; k++, j = NEXT_TX(j)) {
+                       for (k = 0; k < last; k++, j++) {
+                               int ring_idx = j & bp->tx_ring_mask;
                                skb_frag_t *frag = &skb_shinfo(skb)->frags[k];
 
-                               tx_buf = &txr->tx_buf_ring[j];
+                               tx_buf = &txr->tx_buf_ring[ring_idx];
                                dma_unmap_page(
                                        &pdev->dev,
                                        dma_unmap_addr(tx_buf, mapping),
MicroBlaze GIT Repository