Hi Alan,
There was a bug in the lance driver where skb->len would be referenced
after the skb was freed if the packet had to be bounced below 16MB.
The fix made it into 2.2 but has not been forwarded on to 2.4 (yet).
Thanks,
Paul.
--- 2400/linux/drivers/net/lance.c~ Mon Jan 1 04:37:32 2001
+++ 2400/linux/drivers/net/lance.c Sat Jan 6 07:58:29 2001
@@ -874,6 +874,8 @@
lp->tx_ring[entry].misc = 0x0000;
+ lp->stats.tx_bytes += skb->len;
+
/* If any part of this buffer is >16M we must copy it to a low-memory
buffer. */
if ((u32)virt_to_bus(skb->data) + skb->len > 0x01000000) {
@@ -889,7 +891,6 @@
lp->tx_ring[entry].base = ((u32)virt_to_bus(skb->data) & 0xffffff) | 0x83000000;
}
lp->cur_tx++;
- lp->stats.tx_bytes += skb->len;
/* Trigger an immediate send poll. */
outw(0x0000, ioaddr+LANCE_ADDR);
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
