* [PATCH resend] bcm43xx-d80211: Fix DMA TX skb doublefree
@ 2007-01-23 16:40 Michael Buesch
From: Michael Buesch @ 2007-01-23 16:40 UTC
  To: John Linville; +Cc: netdev, bcm43xx-dev

This fixes a possible double-free of the TX skb buffers.
Always NULL the pointer after freeing.

Signed-off-by: Michael Buesch <mb@bu3sch.de>

--

I already sent this patch to you on 21 Dec 2006.
This is a pretty critical patch, so I'd like to make sure
it's in your merge queue and is not lost.


Index: wireless-dev/drivers/net/wireless/d80211/bcm43xx/bcm43xx_dma.c
===================================================================
--- wireless-dev.orig/drivers/net/wireless/d80211/bcm43xx/bcm43xx_dma.c	2006-12-07 17:25:19.000000000 +0100
+++ wireless-dev/drivers/net/wireless/d80211/bcm43xx/bcm43xx_dma.c	2006-12-21 19:05:28.000000000 +0100
@@ -388,6 +388,7 @@ void free_descriptor_buffer(struct bcm43
 			dev_kfree_skb_irq(meta->skb);
 		else
 			dev_kfree_skb(meta->skb);
+		meta->skb = NULL;
 	}
 }
 
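Review bot: The changelog does not say which two paths free the same skb, and the `meta->skb = NULL;` added after dev_kfree_skb_irq()/dev_kfree_skb() only prevents a second free if the enclosing condition, which is outside the visible context, tests meta->skb before freeing. Please confirm that the guard is a check on meta->skb and name the two callers in the commit message, so it is on record why a repeated call to free_descriptor_buffer() on the same descriptor becomes harmless.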
@@ -1131,6 +1132,7 @@ void bcm43xx_dma_handle_txstatus(struct 
 			meta->txstat.retry_count = status->frame_count - 1;
 			ieee80211_tx_status_irqsafe(bcm->ieee, meta->skb, &(meta->txstat));
 			/* skb is freed by ieee80211_tx_status_irqsafe() */
+			meta->skb = NULL;
 		} else {
 			/* No need to call free_descriptor_buffer here, as
 			 * this is only the txhdr, which is not allocated.
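Review bot: The comment above the new `meta->skb = NULL;` in bcm43xx_dma_handle_txstatus() still only says the skb is freed by ieee80211_tx_status_irqsafe(); it should also say why the pointer is cleared, for example that ownership has passed to the stack and the descriptor must not keep a reference that a later free_descriptor_buffer() would free again. The else branch leaves meta->skb untouched on the grounds that the txhdr slot "is not allocated", so it is worth confirming that meta->skb is always NULL for those slots; otherwise the same stale-pointer problem remains on that path.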


-- 
Greetings Michael.

