[kernel] r8388 - in dists/etch/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Sat Mar 24 01:35:12 UTC 2007


Author: dannf
Date: Sat Mar 24 00:35:10 2007
New Revision: 8388

Added:
   dists/etch/linux-2.6/debian/patches/bugfix/bnx2_tx_avail-off-by-1-fix.patch
Modified:
   dists/etch/linux-2.6/debian/changelog
   dists/etch/linux-2.6/debian/patches/series/12
Log:
* bugfix/bnx2_tx_avail-off-by-1-fix.patch
  Fix a panic in the bnx2 driver caused by an off-by-one error
  (closes: #410010)

Modified: dists/etch/linux-2.6/debian/changelog
==============================================================================
--- dists/etch/linux-2.6/debian/changelog	(original)
+++ dists/etch/linux-2.6/debian/changelog	Sat Mar 24 00:35:10 2007
@@ -41,8 +41,11 @@
     ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
     See CVE-2007-1000
   * Enable CONFIG_TULIP_MMIO on hppa. (closes: #332962)
+  * bugfix/bnx2_tx_avail-off-by-1-fix.patch
+    Fix a panic in the bnx2 driver caused by an off-by-one error
+    (closes: #410010)
 
- -- dann frazier <dannf at debian.org>  Thu, 22 Mar 2007 13:03:16 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 23 Mar 2007 18:19:09 -0600
 
 linux-2.6 (2.6.18.dfsg.1-11) unstable; urgency=low
 

Added: dists/etch/linux-2.6/debian/patches/bugfix/bnx2_tx_avail-off-by-1-fix.patch
==============================================================================
--- (empty file)
+++ dists/etch/linux-2.6/debian/patches/bugfix/bnx2_tx_avail-off-by-1-fix.patch	Sat Mar 24 00:35:10 2007
@@ -0,0 +1,52 @@
+From: Michael Chan <mchan at broadcom.com>
+Date: Thu, 14 Dec 2006 23:56:32 +0000 (-0800)
+Subject: [BNX2]: Fix panic in bnx2_tx_int().
+X-Git-Tag: v2.6.20-rc2~101
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=faac9c4b753f420c02bdce0785d2657087830a12
+
+[BNX2]: Fix panic in bnx2_tx_int().
+
+There was an off-by-one bug in bnx2_tx_avail().  If the tx ring is
+completely full, the producer and consumer indices may be apart by
+256 even though the ring size is only 255.  One entry in the ring is
+unused and must be properly accounted for when calculating the number
+of available entries.  The bug caused the tx ring entries to be
+reused by mistake, overwriting active entries, and ultimately causing
+it to crash.
+
+This bug rarely occurs because the tx ring is rarely completely full.
+We always stop when there is less than MAX_SKB_FRAGS entries available
+in the ring.
+
+Thanks to Corey Kovacs <cjk at techma.com> and Andy Gospodarek
+<agospoda at redhat.com> for reporting the problem and helping to collect
+debug information.
+
+Signed-off-by: Michael Chan <mchan at broadcom.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c
+index 7d824cf..f296c37 100644
+--- a/drivers/net/bnx2.c
++++ b/drivers/net/bnx2.c
+@@ -217,9 +217,16 @@ static inline u32 bnx2_tx_avail(struct bnx2 *bp)
+ 	u32 diff;
+ 
+ 	smp_mb();
+-	diff = TX_RING_IDX(bp->tx_prod) - TX_RING_IDX(bp->tx_cons);
+-	if (diff > MAX_TX_DESC_CNT)
+-		diff = (diff & MAX_TX_DESC_CNT) - 1;
++
++	/* The ring uses 256 indices for 255 entries, one of them
++	 * needs to be skipped.
++	 */
++	diff = bp->tx_prod - bp->tx_cons;
++	if (unlikely(diff >= TX_DESC_CNT)) {
++		diff &= 0xffff;
++		if (diff == TX_DESC_CNT)
++			diff = MAX_TX_DESC_CNT;
++	}
+ 	return (bp->tx_ring_size - diff);
+ }
+ 

Modified: dists/etch/linux-2.6/debian/patches/series/12
==============================================================================
--- dists/etch/linux-2.6/debian/patches/series/12	(original)
+++ dists/etch/linux-2.6/debian/patches/series/12	Sat Mar 24 00:35:10 2007
@@ -6,3 +6,4 @@
 + bugfix/ipv6_setsockopt-NULL-deref.patch
 + bugfix/ipv6_getsockopt_sticky-null-opt.patch
 + bugfix/sparc/tcp-sendmsg-t12k-oops-fix.patch
++ bugfix/bnx2_tx_avail-off-by-1-fix.patch



More information about the Kernel-svn-changes mailing list