aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorNicolas Pitre <nico@cam.org>2005-06-19 23:56:21 -0400
committerJeff Garzik <jgarzik@pobox.com>2005-06-27 00:40:33 -0400
commitbe83668a253149d99085ca4afe6cd8dc8a43fcd0 (patch)
tree8a70198e809a6f0abd70031d3f2d6d7460e76d4f /drivers
parented4030d114efff53e2605ea4d07d39835b68b605 (diff)
[PATCH] smc91x: plug race between TX tasklet and driver reset
The race causes a kernel oops when smc_hardware_send_pkt() tries to dereference pending_tx_skb which would have been freed from one of the driver reset paths just after the tx_task tasklet has been scheduled. This race is possible on SMP but was uncovered by the kernel RT work. Signed-off-by: Nicolas Pitre <nico@cam.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/smc91x.c43
1 files changed, 24 insertions, 19 deletions
diff --git a/drivers/net/smc91x.c b/drivers/net/smc91x.c
index fd80048f7f7a..cfb9d3cdb04a 100644
--- a/drivers/net/smc91x.c
+++ b/drivers/net/smc91x.c
@@ -315,15 +315,25 @@ static void smc_reset(struct net_device *dev)
315 struct smc_local *lp = netdev_priv(dev); 315 struct smc_local *lp = netdev_priv(dev);
316 void __iomem *ioaddr = lp->base; 316 void __iomem *ioaddr = lp->base;
317 unsigned int ctl, cfg; 317 unsigned int ctl, cfg;
318 struct sk_buff *pending_skb;
318 319
319 DBG(2, "%s: %s\n", dev->name, __FUNCTION__); 320 DBG(2, "%s: %s\n", dev->name, __FUNCTION__);
320 321
321 /* Disable all interrupts */ 322 /* Disable all interrupts, block TX tasklet */
322 spin_lock(&lp->lock); 323 spin_lock(&lp->lock);
323 SMC_SELECT_BANK(2); 324 SMC_SELECT_BANK(2);
324 SMC_SET_INT_MASK(0); 325 SMC_SET_INT_MASK(0);
326 pending_skb = lp->pending_tx_skb;
327 lp->pending_tx_skb = NULL;
325 spin_unlock(&lp->lock); 328 spin_unlock(&lp->lock);
326 329
330 /* free any pending tx skb */
331 if (pending_skb) {
332 dev_kfree_skb(pending_skb);
333 lp->stats.tx_errors++;
334 lp->stats.tx_aborted_errors++;
335 }
336
327 /* 337 /*
328 * This resets the registers mostly to defaults, but doesn't 338 * This resets the registers mostly to defaults, but doesn't
329 * affect EEPROM. That seems unnecessary 339 * affect EEPROM. That seems unnecessary
@@ -389,14 +399,6 @@ static void smc_reset(struct net_device *dev)
389 SMC_SELECT_BANK(2); 399 SMC_SELECT_BANK(2);
390 SMC_SET_MMU_CMD(MC_RESET); 400 SMC_SET_MMU_CMD(MC_RESET);
391 SMC_WAIT_MMU_BUSY(); 401 SMC_WAIT_MMU_BUSY();
392
393 /* clear anything saved */
394 if (lp->pending_tx_skb != NULL) {
395 dev_kfree_skb (lp->pending_tx_skb);
396 lp->pending_tx_skb = NULL;
397 lp->stats.tx_errors++;
398 lp->stats.tx_aborted_errors++;
399 }
400} 402}
401 403
402/* 404/*
@@ -440,6 +442,7 @@ static void smc_shutdown(struct net_device *dev)
440{ 442{
441 struct smc_local *lp = netdev_priv(dev); 443 struct smc_local *lp = netdev_priv(dev);
442 void __iomem *ioaddr = lp->base; 444 void __iomem *ioaddr = lp->base;
445 struct sk_buff *pending_skb;
443 446
444 DBG(2, "%s: %s\n", CARDNAME, __FUNCTION__); 447 DBG(2, "%s: %s\n", CARDNAME, __FUNCTION__);
445 448
@@ -447,7 +450,11 @@ static void smc_shutdown(struct net_device *dev)
447 spin_lock(&lp->lock); 450 spin_lock(&lp->lock);
448 SMC_SELECT_BANK(2); 451 SMC_SELECT_BANK(2);
449 SMC_SET_INT_MASK(0); 452 SMC_SET_INT_MASK(0);
453 pending_skb = lp->pending_tx_skb;
454 lp->pending_tx_skb = NULL;
450 spin_unlock(&lp->lock); 455 spin_unlock(&lp->lock);
456 if (pending_skb)
457 dev_kfree_skb(pending_skb);
451 458
452 /* and tell the card to stay away from that nasty outside world */ 459 /* and tell the card to stay away from that nasty outside world */
453 SMC_SELECT_BANK(0); 460 SMC_SELECT_BANK(0);
@@ -627,7 +634,12 @@ static void smc_hardware_send_pkt(unsigned long data)
627 } 634 }
628 635
629 skb = lp->pending_tx_skb; 636 skb = lp->pending_tx_skb;
637 if (unlikely(!skb)) {
638 smc_special_unlock(&lp->lock);
639 return;
640 }
630 lp->pending_tx_skb = NULL; 641 lp->pending_tx_skb = NULL;
642
631 packet_no = SMC_GET_AR(); 643 packet_no = SMC_GET_AR();
632 if (unlikely(packet_no & AR_FAILED)) { 644 if (unlikely(packet_no & AR_FAILED)) {
633 printk("%s: Memory allocation failed.\n", dev->name); 645 printk("%s: Memory allocation failed.\n", dev->name);
@@ -702,7 +714,6 @@ static int smc_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
702 DBG(3, "%s: %s\n", dev->name, __FUNCTION__); 714 DBG(3, "%s: %s\n", dev->name, __FUNCTION__);
703 715
704 BUG_ON(lp->pending_tx_skb != NULL); 716 BUG_ON(lp->pending_tx_skb != NULL);
705 lp->pending_tx_skb = skb;
706 717
707 /* 718 /*
708 * The MMU wants the number of pages to be the number of 256 bytes 719 * The MMU wants the number of pages to be the number of 256 bytes
@@ -718,7 +729,6 @@ static int smc_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
718 numPages = ((skb->len & ~1) + (6 - 1)) >> 8; 729 numPages = ((skb->len & ~1) + (6 - 1)) >> 8;
719 if (unlikely(numPages > 7)) { 730 if (unlikely(numPages > 7)) {
720 printk("%s: Far too big packet error.\n", dev->name); 731 printk("%s: Far too big packet error.\n", dev->name);
721 lp->pending_tx_skb = NULL;
722 lp->stats.tx_errors++; 732 lp->stats.tx_errors++;
723 lp->stats.tx_dropped++; 733 lp->stats.tx_dropped++;
724 dev_kfree_skb(skb); 734 dev_kfree_skb(skb);
@@ -745,6 +755,7 @@ static int smc_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
745 755
746 smc_special_unlock(&lp->lock); 756 smc_special_unlock(&lp->lock);
747 757
758 lp->pending_tx_skb = skb;
748 if (!poll_count) { 759 if (!poll_count) {
749 /* oh well, wait until the chip finds memory later */ 760 /* oh well, wait until the chip finds memory later */
750 netif_stop_queue(dev); 761 netif_stop_queue(dev);
@@ -1062,7 +1073,7 @@ static void smc_phy_powerdown(struct net_device *dev)
1062 above). linkwatch_event() also wants the netlink semaphore. 1073 above). linkwatch_event() also wants the netlink semaphore.
1063 */ 1074 */
1064 while(lp->work_pending) 1075 while(lp->work_pending)
1065 schedule(); 1076 yield();
1066 1077
1067 bmcr = smc_phy_read(dev, phy, MII_BMCR); 1078 bmcr = smc_phy_read(dev, phy, MII_BMCR);
1068 smc_phy_write(dev, phy, MII_BMCR, bmcr | BMCR_PDOWN); 1079 smc_phy_write(dev, phy, MII_BMCR, bmcr | BMCR_PDOWN);
@@ -1606,14 +1617,8 @@ static int smc_close(struct net_device *dev)
1606 1617
1607 /* clear everything */ 1618 /* clear everything */
1608 smc_shutdown(dev); 1619 smc_shutdown(dev);
1609 1620 tasklet_kill(&lp->tx_task);
1610 smc_phy_powerdown(dev); 1621 smc_phy_powerdown(dev);
1611
1612 if (lp->pending_tx_skb) {
1613 dev_kfree_skb(lp->pending_tx_skb);
1614 lp->pending_tx_skb = NULL;
1615 }
1616
1617 return 0; 1622 return 0;
1618} 1623}
1619 1624