Author: dannf
Date: Sat Mar 24 00:35:10 2007
New Revision: 8388
Added:
dists/etch/linux-2.6/debian/patches/bugfix/bnx2_tx_avail-off-by-1-fix.patch
Modified:
dists/etch/linux-2.6/debian/changelog
dists/etch/linux-2.6/debian/patches/series/12
Log:
* bugfix/bnx2_tx_avail-off-by-1-fix.patch
Fix a panic in the bnx2 driver caused by an off-by-one error
(closes: #410010)
Modified: dists/etch/linux-2.6/debian/changelog
==============================================================================
--- dists/etch/linux-2.6/debian/changelog (original)
+++ dists/etch/linux-2.6/debian/changelog Sat Mar 24 00:35:10 2007
@@ -41,8 +41,11 @@
ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
See CVE-2007-1000
* Enable CONFIG_TULIP_MMIO on hppa. (closes: #332962)
+ * bugfix/bnx2_tx_avail-off-by-1-fix.patch
+ Fix a panic in the bnx2 driver caused by an off-by-one error
+ (closes: #410010)
- -- dann frazier <[EMAIL PROTECTED]> Thu, 22 Mar 2007 13:03:16 -0600
+ -- dann frazier <[EMAIL PROTECTED]> Fri, 23 Mar 2007 18:19:09 -0600
linux-2.6 (2.6.18.dfsg.1-11) unstable; urgency=low
Added:
dists/etch/linux-2.6/debian/patches/bugfix/bnx2_tx_avail-off-by-1-fix.patch
==============================================================================
--- (empty file)
+++ dists/etch/linux-2.6/debian/patches/bugfix/bnx2_tx_avail-off-by-1-fix.patch
Sat Mar 24 00:35:10 2007
@@ -0,0 +1,52 @@
+From: Michael Chan <[EMAIL PROTECTED]>
+Date: Thu, 14 Dec 2006 23:56:32 +0000 (-0800)
+Subject: [BNX2]: Fix panic in bnx2_tx_int().
+X-Git-Tag: v2.6.20-rc2~101
+X-Git-Url:
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=faac9c4b753f420c02bdce0785d2657087830a12
+
+[BNX2]: Fix panic in bnx2_tx_int().
+
+There was an off-by-one bug in bnx2_tx_avail(). If the tx ring is
+completely full, the producer and consumer indices may be apart by
+256 even though the ring size is only 255. One entry in the ring is
+unused and must be properly accounted for when calculating the number
+of available entries. The bug caused the tx ring entries to be
+reused by mistake, overwriting active entries, and ultimately causing
+it to crash.
+
+This bug rarely occurs because the tx ring is rarely completely full.
+We always stop when there is less than MAX_SKB_FRAGS entries available
+in the ring.
+
+Thanks to Corey Kovacs <[EMAIL PROTECTED]> and Andy Gospodarek
+<[EMAIL PROTECTED]> for reporting the problem and helping to collect
+debug information.
+
+Signed-off-by: Michael Chan <[EMAIL PROTECTED]>
+Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
+---
+
+diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c
+index 7d824cf..f296c37 100644
+--- a/drivers/net/bnx2.c
++++ b/drivers/net/bnx2.c
+@@ -217,9 +217,16 @@ static inline u32 bnx2_tx_avail(struct bnx2 *bp)
+ u32 diff;
+
+ smp_mb();
+- diff = TX_RING_IDX(bp->tx_prod) - TX_RING_IDX(bp->tx_cons);
+- if (diff > MAX_TX_DESC_CNT)
+- diff = (diff & MAX_TX_DESC_CNT) - 1;
++
++ /* The ring uses 256 indices for 255 entries, one of them
++ * needs to be skipped.
++ */
++ diff = bp->tx_prod - bp->tx_cons;
++ if (unlikely(diff >= TX_DESC_CNT)) {
++ diff &= 0xffff;
++ if (diff == TX_DESC_CNT)
++ diff = MAX_TX_DESC_CNT;
++ }
+ return (bp->tx_ring_size - diff);
+ }
+
Modified: dists/etch/linux-2.6/debian/patches/series/12
==============================================================================
--- dists/etch/linux-2.6/debian/patches/series/12 (original)
+++ dists/etch/linux-2.6/debian/patches/series/12 Sat Mar 24 00:35:10 2007
@@ -6,3 +6,4 @@
+ bugfix/ipv6_setsockopt-NULL-deref.patch
+ bugfix/ipv6_getsockopt_sticky-null-opt.patch
+ bugfix/sparc/tcp-sendmsg-t12k-oops-fix.patch
++ bugfix/bnx2_tx_avail-off-by-1-fix.patch
_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
