diff options
author | Christian Lamparter <chunkeey@web.de> | 2009-03-05 18:53:59 -0500 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-03-06 15:54:32 -0500 |
commit | c0350024723b4a69e38655816484d934aca8eb30 (patch) | |
tree | 3c7ab2ba6f97daf654249fb4ed98f3b1922955a9 /drivers/net/wireless/p54 | |
parent | bd05f28e1a15ae62994fe309a524695fe26dd834 (diff) |
p54: fix race condition in memory management
This patch fixes a number of race conditions in the driver.
Up until now, "entry" pointer was initialized before acquiring the right lock.
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/p54')
-rw-r--r-- | drivers/net/wireless/p54/p54common.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/net/wireless/p54/p54common.c b/drivers/net/wireless/p54/p54common.c index 34561e6e816b..f170106bf0ae 100644 --- a/drivers/net/wireless/p54/p54common.c +++ b/drivers/net/wireless/p54/p54common.c | |||
@@ -710,10 +710,11 @@ static struct sk_buff *p54_find_tx_entry(struct ieee80211_hw *dev, | |||
710 | __le32 req_id) | 710 | __le32 req_id) |
711 | { | 711 | { |
712 | struct p54_common *priv = dev->priv; | 712 | struct p54_common *priv = dev->priv; |
713 | struct sk_buff *entry = priv->tx_queue.next; | 713 | struct sk_buff *entry; |
714 | unsigned long flags; | 714 | unsigned long flags; |
715 | 715 | ||
716 | spin_lock_irqsave(&priv->tx_queue.lock, flags); | 716 | spin_lock_irqsave(&priv->tx_queue.lock, flags); |
717 | entry = priv->tx_queue.next; | ||
717 | while (entry != (struct sk_buff *)&priv->tx_queue) { | 718 | while (entry != (struct sk_buff *)&priv->tx_queue) { |
718 | struct p54_hdr *hdr = (struct p54_hdr *) entry->data; | 719 | struct p54_hdr *hdr = (struct p54_hdr *) entry->data; |
719 | 720 | ||
@@ -732,7 +733,7 @@ static void p54_rx_frame_sent(struct ieee80211_hw *dev, struct sk_buff *skb) | |||
732 | struct p54_common *priv = dev->priv; | 733 | struct p54_common *priv = dev->priv; |
733 | struct p54_hdr *hdr = (struct p54_hdr *) skb->data; | 734 | struct p54_hdr *hdr = (struct p54_hdr *) skb->data; |
734 | struct p54_frame_sent *payload = (struct p54_frame_sent *) hdr->data; | 735 | struct p54_frame_sent *payload = (struct p54_frame_sent *) hdr->data; |
735 | struct sk_buff *entry = (struct sk_buff *) priv->tx_queue.next; | 736 | struct sk_buff *entry; |
736 | u32 addr = le32_to_cpu(hdr->req_id) - priv->headroom; | 737 | u32 addr = le32_to_cpu(hdr->req_id) - priv->headroom; |
737 | struct memrecord *range = NULL; | 738 | struct memrecord *range = NULL; |
738 | u32 freed = 0; | 739 | u32 freed = 0; |
@@ -741,6 +742,7 @@ static void p54_rx_frame_sent(struct ieee80211_hw *dev, struct sk_buff *skb) | |||
741 | int count, idx; | 742 | int count, idx; |
742 | 743 | ||
743 | spin_lock_irqsave(&priv->tx_queue.lock, flags); | 744 | spin_lock_irqsave(&priv->tx_queue.lock, flags); |
745 | entry = (struct sk_buff *) priv->tx_queue.next; | ||
744 | while (entry != (struct sk_buff *)&priv->tx_queue) { | 746 | while (entry != (struct sk_buff *)&priv->tx_queue) { |
745 | struct ieee80211_tx_info *info = IEEE80211_SKB_CB(entry); | 747 | struct ieee80211_tx_info *info = IEEE80211_SKB_CB(entry); |
746 | struct p54_hdr *entry_hdr; | 748 | struct p54_hdr *entry_hdr; |
@@ -976,7 +978,7 @@ static int p54_assign_address(struct ieee80211_hw *dev, struct sk_buff *skb, | |||
976 | struct p54_hdr *data, u32 len) | 978 | struct p54_hdr *data, u32 len) |
977 | { | 979 | { |
978 | struct p54_common *priv = dev->priv; | 980 | struct p54_common *priv = dev->priv; |
979 | struct sk_buff *entry = priv->tx_queue.next; | 981 | struct sk_buff *entry; |
980 | struct sk_buff *target_skb = NULL; | 982 | struct sk_buff *target_skb = NULL; |
981 | struct ieee80211_tx_info *info; | 983 | struct ieee80211_tx_info *info; |
982 | struct memrecord *range; | 984 | struct memrecord *range; |
@@ -1014,6 +1016,7 @@ static int p54_assign_address(struct ieee80211_hw *dev, struct sk_buff *skb, | |||
1014 | } | 1016 | } |
1015 | } | 1017 | } |
1016 | 1018 | ||
1019 | entry = priv->tx_queue.next; | ||
1017 | while (left--) { | 1020 | while (left--) { |
1018 | u32 hole_size; | 1021 | u32 hole_size; |
1019 | info = IEEE80211_SKB_CB(entry); | 1022 | info = IEEE80211_SKB_CB(entry); |