On Wed, Feb 25, 2009 at 02:01:39PM +0000, Sitsofe Wheeler wrote:
> NAS is the name of a nearby access point. This is really tough to
> reproduce but if there's anything (e.g. ftrace) I can always turn on
> that will help you track this thing down let me know. Unfortunately the
> machine is an EeePC 900 so any logging would have to be cyclic and held
> in RAM...
Hmm, I suppose there could be some error paths under memory pressure that
aren't quite right. Here's one, but I don't think it can cause any problems,
at least without error spew.
Looking over the code, perhaps there's a race with ath5k_rx_start,
namely sc->rxlink is changed out from under the rxbuflock. Still can't
immediately see a use-after-free there.
============
ath5k: don't overwrite bf->skbaddr unless pcu mapping fails.
diff --git a/drivers/net/wireless/ath5k/base.c b/drivers/net/wireless/ath5k/base.c
index 1d77ee9..6d91335 100644
--- a/drivers/net/wireless/ath5k/base.c
+++ b/drivers/net/wireless/ath5k/base.c
@@ -1140,12 +1140,14 @@ ath5k_rxbuf_setup(struct ath5k_softc *sc, struct ath5k_buf *bf)
struct ath5k_hw *ah = sc->ah;
struct sk_buff *skb = bf->skb;
struct ath5k_desc *ds;
+ dma_addr_t dma_addr;
if (!skb) {
- skb = ath5k_rx_skb_alloc(sc, &bf->skbaddr);
+ skb = ath5k_rx_skb_alloc(sc, &dma_addr);
if (!skb)
return -ENOMEM;
bf->skb = skb;
+ bf->skbaddr = dma_addr;
}
/*
--
Bob Copeland %% www.bobcopeland.com
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
