On Thu, Jun 29, 2017 at 02:58:09PM +0100, Ben Hutchings wrote: > On Thu, 2017-06-15 at 19:52 +0200, Greg Kroah-Hartman wrote: > > 4.4-stable review patch. If anyone has any objections, please let me know. > > > > ------------------ > > > > From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@xxxxxxxxxxx> > > > > > > [ Upstream commit a47b70ea86bdeb3091341f5ae3ef580f1a1ad822 ] > > > > "swiotlb buffer is full" errors occur after repeated initialisation of a > > device - f.e. suspend/resume or ip link set up/down. This is because memory > > mapped using dma_map_single() in ravb_ring_format() and ravb_start_xmit() > > is not released. Resolve this problem by unmapping descriptors when > > freeing rings. > > This should be followed by: > > commit 79514ef670e9e575a1fe36922268c439d0f0ca8a > Author: Eugeniu Rosca <erosca@xxxxxxxxxxxxxx> > Date: Tue Jun 6 00:08:10 2017 +0200 > > ravb: Fix use-after-free on `ifconfig eth0 down` Thanks, now queued up. > But also, this loop looks wrong: > > [...] > > if (priv->rx_ring[q]) { > > + for (i = 0; i < priv->num_rx_ring[q]; i++) { > > + struct ravb_ex_rx_desc *desc = &priv->rx_ring[q][i]; > > + > > + if (!dma_mapping_error(ndev->dev.parent, > > + le32_to_cpu(desc->dptr))) > > + dma_unmap_single(ndev->dev.parent, > > + le32_to_cpu(desc->dptr), > > + PKT_BUF_SZ, > > + DMA_FROM_DEVICE); > > + } > [...] > > It's possible that the driver hasn't filled (or attempted to fill or > refill) every RX descriptor, so this could result in a double-unmap. I > think this needs to use cur_rx and dirty_rx to determine which > descriptors to process. I'll let Kazuya fix that :) thanks, greg k-h