diff options
author | Nicolas Pitre <nico@cam.org> | 2005-06-19 23:56:21 -0400 |
---|---|---|
committer | Jeff Garzik <jgarzik@pobox.com> | 2005-06-27 00:40:33 -0400 |
commit | be83668a253149d99085ca4afe6cd8dc8a43fcd0 (patch) | |
tree | 8a70198e809a6f0abd70031d3f2d6d7460e76d4f | |
parent | ed4030d114efff53e2605ea4d07d39835b68b605 (diff) |
[PATCH] smc91x: plug race between TX tasklet and driver reset
The race causes a kernel oops when smc_hardware_send_pkt() tries to
dereference pending_tx_skb which would have been freed from one of the
driver reset paths just after the tx_task tasklet has been scheduled.
This race is possible on SMP but was uncovered by the kernel RT work.
Signed-off-by: Nicolas Pitre <nico@cam.org>
-rw-r--r-- | drivers/net/smc91x.c | 43 |
1 files changed, 24 insertions, 19 deletions
diff --git a/drivers/net/smc91x.c b/drivers/net/smc91x.c index fd80048f7f7a..cfb9d3cdb04a 100644 --- a/drivers/net/smc91x.c +++ b/drivers/net/smc91x.c | |||
@@ -315,15 +315,25 @@ static void smc_reset(struct net_device *dev) | |||
315 | struct smc_local *lp = netdev_priv(dev); | 315 | struct smc_local *lp = netdev_priv(dev); |
316 | void __iomem *ioaddr = lp->base; | 316 | void __iomem *ioaddr = lp->base; |
317 | unsigned int ctl, cfg; | 317 | unsigned int ctl, cfg; |
318 | struct sk_buff *pending_skb; | ||
318 | 319 | ||
319 | DBG(2, "%s: %s\n", dev->name, __FUNCTION__); | 320 | DBG(2, "%s: %s\n", dev->name, __FUNCTION__); |
320 | 321 | ||
321 | /* Disable all interrupts */ | 322 | /* Disable all interrupts, block TX tasklet */ |
322 | spin_lock(&lp->lock); | 323 | spin_lock(&lp->lock); |
323 | SMC_SELECT_BANK(2); | 324 | SMC_SELECT_BANK(2); |
324 | SMC_SET_INT_MASK(0); | 325 | SMC_SET_INT_MASK(0); |
326 | pending_skb = lp->pending_tx_skb; | ||
327 | lp->pending_tx_skb = NULL; | ||
325 | spin_unlock(&lp->lock); | 328 | spin_unlock(&lp->lock); |
326 | 329 | ||
330 | /* free any pending tx skb */ | ||
331 | if (pending_skb) { | ||
332 | dev_kfree_skb(pending_skb); | ||
333 | lp->stats.tx_errors++; | ||
334 | lp->stats.tx_aborted_errors++; | ||
335 | } | ||
336 | |||
327 | /* | 337 | /* |
328 | * This resets the registers mostly to defaults, but doesn't | 338 | * This resets the registers mostly to defaults, but doesn't |
329 | * affect EEPROM. That seems unnecessary | 339 | * affect EEPROM. That seems unnecessary |
@@ -389,14 +399,6 @@ static void smc_reset(struct net_device *dev) | |||
389 | SMC_SELECT_BANK(2); | 399 | SMC_SELECT_BANK(2); |
390 | SMC_SET_MMU_CMD(MC_RESET); | 400 | SMC_SET_MMU_CMD(MC_RESET); |
391 | SMC_WAIT_MMU_BUSY(); | 401 | SMC_WAIT_MMU_BUSY(); |
392 | |||
393 | /* clear anything saved */ | ||
394 | if (lp->pending_tx_skb != NULL) { | ||
395 | dev_kfree_skb (lp->pending_tx_skb); | ||
396 | lp->pending_tx_skb = NULL; | ||
397 | lp->stats.tx_errors++; | ||
398 | lp->stats.tx_aborted_errors++; | ||
399 | } | ||
400 | } | 402 | } |
401 | 403 | ||
402 | /* | 404 | /* |
@@ -440,6 +442,7 @@ static void smc_shutdown(struct net_device *dev) | |||
440 | { | 442 | { |
441 | struct smc_local *lp = netdev_priv(dev); | 443 | struct smc_local *lp = netdev_priv(dev); |
442 | void __iomem *ioaddr = lp->base; | 444 | void __iomem *ioaddr = lp->base; |
445 | struct sk_buff *pending_skb; | ||
443 | 446 | ||
444 | DBG(2, "%s: %s\n", CARDNAME, __FUNCTION__); | 447 | DBG(2, "%s: %s\n", CARDNAME, __FUNCTION__); |
445 | 448 | ||
@@ -447,7 +450,11 @@ static void smc_shutdown(struct net_device *dev) | |||
447 | spin_lock(&lp->lock); | 450 | spin_lock(&lp->lock); |
448 | SMC_SELECT_BANK(2); | 451 | SMC_SELECT_BANK(2); |
449 | SMC_SET_INT_MASK(0); | 452 | SMC_SET_INT_MASK(0); |
453 | pending_skb = lp->pending_tx_skb; | ||
454 | lp->pending_tx_skb = NULL; | ||
450 | spin_unlock(&lp->lock); | 455 | spin_unlock(&lp->lock); |
456 | if (pending_skb) | ||
457 | dev_kfree_skb(pending_skb); | ||
451 | 458 | ||
452 | /* and tell the card to stay away from that nasty outside world */ | 459 | /* and tell the card to stay away from that nasty outside world */ |
453 | SMC_SELECT_BANK(0); | 460 | SMC_SELECT_BANK(0); |
@@ -627,7 +634,12 @@ static void smc_hardware_send_pkt(unsigned long data) | |||
627 | } | 634 | } |
628 | 635 | ||
629 | skb = lp->pending_tx_skb; | 636 | skb = lp->pending_tx_skb; |
637 | if (unlikely(!skb)) { | ||
638 | smc_special_unlock(&lp->lock); | ||
639 | return; | ||
640 | } | ||
630 | lp->pending_tx_skb = NULL; | 641 | lp->pending_tx_skb = NULL; |
642 | |||
631 | packet_no = SMC_GET_AR(); | 643 | packet_no = SMC_GET_AR(); |
632 | if (unlikely(packet_no & AR_FAILED)) { | 644 | if (unlikely(packet_no & AR_FAILED)) { |
633 | printk("%s: Memory allocation failed.\n", dev->name); | 645 | printk("%s: Memory allocation failed.\n", dev->name); |
@@ -702,7 +714,6 @@ static int smc_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) | |||
702 | DBG(3, "%s: %s\n", dev->name, __FUNCTION__); | 714 | DBG(3, "%s: %s\n", dev->name, __FUNCTION__); |
703 | 715 | ||
704 | BUG_ON(lp->pending_tx_skb != NULL); | 716 | BUG_ON(lp->pending_tx_skb != NULL); |
705 | lp->pending_tx_skb = skb; | ||
706 | 717 | ||
707 | /* | 718 | /* |
708 | * The MMU wants the number of pages to be the number of 256 bytes | 719 | * The MMU wants the number of pages to be the number of 256 bytes |
@@ -718,7 +729,6 @@ static int smc_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) | |||
718 | numPages = ((skb->len & ~1) + (6 - 1)) >> 8; | 729 | numPages = ((skb->len & ~1) + (6 - 1)) >> 8; |
719 | if (unlikely(numPages > 7)) { | 730 | if (unlikely(numPages > 7)) { |
720 | printk("%s: Far too big packet error.\n", dev->name); | 731 | printk("%s: Far too big packet error.\n", dev->name); |
721 | lp->pending_tx_skb = NULL; | ||
722 | lp->stats.tx_errors++; | 732 | lp->stats.tx_errors++; |
723 | lp->stats.tx_dropped++; | 733 | lp->stats.tx_dropped++; |
724 | dev_kfree_skb(skb); | 734 | dev_kfree_skb(skb); |
@@ -745,6 +755,7 @@ static int smc_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) | |||
745 | 755 | ||
746 | smc_special_unlock(&lp->lock); | 756 | smc_special_unlock(&lp->lock); |
747 | 757 | ||
758 | lp->pending_tx_skb = skb; | ||
748 | if (!poll_count) { | 759 | if (!poll_count) { |
749 | /* oh well, wait until the chip finds memory later */ | 760 | /* oh well, wait until the chip finds memory later */ |
750 | netif_stop_queue(dev); | 761 | netif_stop_queue(dev); |
@@ -1062,7 +1073,7 @@ static void smc_phy_powerdown(struct net_device *dev) | |||
1062 | above). linkwatch_event() also wants the netlink semaphore. | 1073 | above). linkwatch_event() also wants the netlink semaphore. |
1063 | */ | 1074 | */ |
1064 | while(lp->work_pending) | 1075 | while(lp->work_pending) |
1065 | schedule(); | 1076 | yield(); |
1066 | 1077 | ||
1067 | bmcr = smc_phy_read(dev, phy, MII_BMCR); | 1078 | bmcr = smc_phy_read(dev, phy, MII_BMCR); |
1068 | smc_phy_write(dev, phy, MII_BMCR, bmcr | BMCR_PDOWN); | 1079 | smc_phy_write(dev, phy, MII_BMCR, bmcr | BMCR_PDOWN); |
@@ -1606,14 +1617,8 @@ static int smc_close(struct net_device *dev) | |||
1606 | 1617 | ||
1607 | /* clear everything */ | 1618 | /* clear everything */ |
1608 | smc_shutdown(dev); | 1619 | smc_shutdown(dev); |
1609 | 1620 | tasklet_kill(&lp->tx_task); | |
1610 | smc_phy_powerdown(dev); | 1621 | smc_phy_powerdown(dev); |
1611 | |||
1612 | if (lp->pending_tx_skb) { | ||
1613 | dev_kfree_skb(lp->pending_tx_skb); | ||
1614 | lp->pending_tx_skb = NULL; | ||
1615 | } | ||
1616 | |||
1617 | return 0; | 1622 | return 0; |
1618 | } | 1623 | } |
1619 | 1624 | ||