aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChristian Lamparter <chunkeey@web.de>2009-03-05 18:53:59 -0500
committerJohn W. Linville <linville@tuxdriver.com>2009-03-06 15:54:32 -0500
commitc0350024723b4a69e38655816484d934aca8eb30 (patch)
tree3c7ab2ba6f97daf654249fb4ed98f3b1922955a9
parentbd05f28e1a15ae62994fe309a524695fe26dd834 (diff)
p54: fix race condition in memory management
This patch fixes a number of race conditions in the driver. Up until now, "entry" pointer was initialized before acquiring the right lock. Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/p54/p54common.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/net/wireless/p54/p54common.c b/drivers/net/wireless/p54/p54common.c
index 34561e6e816b..f170106bf0ae 100644
--- a/drivers/net/wireless/p54/p54common.c
+++ b/drivers/net/wireless/p54/p54common.c
@@ -710,10 +710,11 @@ static struct sk_buff *p54_find_tx_entry(struct ieee80211_hw *dev,
710 __le32 req_id) 710 __le32 req_id)
711{ 711{
712 struct p54_common *priv = dev->priv; 712 struct p54_common *priv = dev->priv;
713 struct sk_buff *entry = priv->tx_queue.next; 713 struct sk_buff *entry;
714 unsigned long flags; 714 unsigned long flags;
715 715
716 spin_lock_irqsave(&priv->tx_queue.lock, flags); 716 spin_lock_irqsave(&priv->tx_queue.lock, flags);
717 entry = priv->tx_queue.next;
717 while (entry != (struct sk_buff *)&priv->tx_queue) { 718 while (entry != (struct sk_buff *)&priv->tx_queue) {
718 struct p54_hdr *hdr = (struct p54_hdr *) entry->data; 719 struct p54_hdr *hdr = (struct p54_hdr *) entry->data;
719 720
@@ -732,7 +733,7 @@ static void p54_rx_frame_sent(struct ieee80211_hw *dev, struct sk_buff *skb)
732 struct p54_common *priv = dev->priv; 733 struct p54_common *priv = dev->priv;
733 struct p54_hdr *hdr = (struct p54_hdr *) skb->data; 734 struct p54_hdr *hdr = (struct p54_hdr *) skb->data;
734 struct p54_frame_sent *payload = (struct p54_frame_sent *) hdr->data; 735 struct p54_frame_sent *payload = (struct p54_frame_sent *) hdr->data;
735 struct sk_buff *entry = (struct sk_buff *) priv->tx_queue.next; 736 struct sk_buff *entry;
736 u32 addr = le32_to_cpu(hdr->req_id) - priv->headroom; 737 u32 addr = le32_to_cpu(hdr->req_id) - priv->headroom;
737 struct memrecord *range = NULL; 738 struct memrecord *range = NULL;
738 u32 freed = 0; 739 u32 freed = 0;
@@ -741,6 +742,7 @@ static void p54_rx_frame_sent(struct ieee80211_hw *dev, struct sk_buff *skb)
741 int count, idx; 742 int count, idx;
742 743
743 spin_lock_irqsave(&priv->tx_queue.lock, flags); 744 spin_lock_irqsave(&priv->tx_queue.lock, flags);
745 entry = (struct sk_buff *) priv->tx_queue.next;
744 while (entry != (struct sk_buff *)&priv->tx_queue) { 746 while (entry != (struct sk_buff *)&priv->tx_queue) {
745 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(entry); 747 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(entry);
746 struct p54_hdr *entry_hdr; 748 struct p54_hdr *entry_hdr;
@@ -976,7 +978,7 @@ static int p54_assign_address(struct ieee80211_hw *dev, struct sk_buff *skb,
976 struct p54_hdr *data, u32 len) 978 struct p54_hdr *data, u32 len)
977{ 979{
978 struct p54_common *priv = dev->priv; 980 struct p54_common *priv = dev->priv;
979 struct sk_buff *entry = priv->tx_queue.next; 981 struct sk_buff *entry;
980 struct sk_buff *target_skb = NULL; 982 struct sk_buff *target_skb = NULL;
981 struct ieee80211_tx_info *info; 983 struct ieee80211_tx_info *info;
982 struct memrecord *range; 984 struct memrecord *range;
@@ -1014,6 +1016,7 @@ static int p54_assign_address(struct ieee80211_hw *dev, struct sk_buff *skb,
1014 } 1016 }
1015 } 1017 }
1016 1018
1019 entry = priv->tx_queue.next;
1017 while (left--) { 1020 while (left--) {
1018 u32 hole_size; 1021 u32 hole_size;
1019 info = IEEE80211_SKB_CB(entry); 1022 info = IEEE80211_SKB_CB(entry);