linux/drivers/net/wireless
Hans de Goede d4cde88c1c p54pci: fix regression from prevent stuck rx-ring on slow system
This patch fixes a recently introduced use-after-free regression
from "p54pci: prevent stuck rx-ring on slow system".

Hans de Goede reported a use-after-free regression:
>BUG: unable to handle kernel paging request at 6b6b6b6b
>IP: [<e122284a>] p54p_check_tx_ring+0x84/0xb1 [p54pci]
>*pde = 00000000
>Oops: 0000 [#1] SMP
>EIP: 0060:[<e122284a>] EFLAGS: 00010286 CPU: 0
>EIP is at p54p_check_tx_ring+0x84/0xb1 [p54pci]
>EAX: 6b6b6b6b EBX: df10b170 ECX: 00000003 EDX: 00000001
>ESI: dc471500 EDI: d8acaeb0 EBP: c098be9c ESP: c098be84
> DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
>Process swapper (pid: 0, ti=c098a000 task=c09ccfe0 task.ti=c098a000)
>Call Trace:
> [<e1222b02>] ? p54p_tasklet+0xaa/0xb5 [p54pci]
> [<c0440568>] ? tasklet_action+0x78/0xcb
> [<c0440ed3>] ? __do_softirq+0xbc/0x173

Quote from comment #17:
"The problem is the innocent looking moving of the tx processing to
 after the rx processing in the tasklet. Quoting from the changelog:
  This patch does it the same way, except that it also prioritizes
  rx data processing, simply because tx routines *can* wait.

 This is causing an issue with us referencing already freed memory,
 because some skb's we transmit, we immediately receive back, such
 as those for reading the eeprom (*) and getting stats.

 What can happen because of the moving of the tx processing to after
 the rx processing is that when the tasklet first runs after doing a
 special skb tx (such as eeprom) we've already received the answer
 to it.

 Then the rx processing ends up calling p54_find_and_unlink_skb to
 find the matching tx skb for the just received special rx skb and
 frees the tx skb.

 Then after the processing of the rx skb answer, and thus freeing
 the tx skb, we go process the completed tx ring entries, and then
 dereference the free-ed skb, to see if it should be free-ed by
 p54p_check_tx_ring()."

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=583623
Bug-Identified-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-04-26 14:21:15 -04:00
..
ath ath9k_hw: make all AR9002 initvals use u32 2010-04-21 14:15:18 -04:00
b43 b43: N-PHY: fix copy&paste typo 2010-04-06 16:55:15 -04:00
b43legacy
hostap
ipw2x00 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into merge 2010-04-08 13:34:54 -04:00
iwlwifi Merge branch 'wireless-next-2.6' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-2.6 2010-04-19 16:37:59 -04:00
iwmc3200wifi iwmc3200wifi: check sparse endianness annotations 2010-04-16 15:47:02 -04:00
libertas libertas: Davinci platforms need more time loading helper firmware 2010-04-16 15:32:01 -04:00
libertas_tf
orinoco orinoco: have sparse check endian issues 2010-04-19 16:41:42 -04:00
p54 p54pci: fix regression from prevent stuck rx-ring on slow system 2010-04-26 14:21:15 -04:00
prism54
rt2x00 wireless: rt2x00: rt2800usb: identify Allwin devices 2010-04-19 16:45:20 -04:00
rtl818x rtl818x: Move configuration details to the rtl818x directory 2010-04-16 15:32:01 -04:00
wl12xx wl1251: add support for dedicated IRQ line 2010-04-16 15:47:14 -04:00
zd1211rw
adm8211.c
adm8211.h
airo.c
airo.h
airo_cs.c
at76c50x-usb.c
at76c50x-usb.h
atmel.c
atmel.h
atmel_cs.c
atmel_pci.c
Kconfig rtl818x: Move configuration details to the rtl818x directory 2010-04-16 15:32:01 -04:00
mac80211_hwsim.c mac80211: sample survey implementation for mac80211 & hwsim 2010-04-20 11:50:52 -04:00
Makefile
mwl8k.c
ray_cs.c
ray_cs.h
rayctl.h
rndis_wlan.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into merge 2010-04-08 13:34:54 -04:00
wl3501.h
wl3501_cs.c
zd1201.c
zd1201.h