[patch 03/83] cxgb3: Fix kernel crash caused by uninitialized l2t_entry.arpq

From: Greg KH
Date: Thu Dec 11 2008 - 14:18:24 EST


2.6.27-stable review patch. If anyone has any objections, please let us know.

------------------

From: Roland Dreier <rdreier@xxxxxxxxx>

[ Upstream commit 6d329af9967e7ab3f4a3d7f1e8ef87539c3a069f ]

Commit 147e70e6 ("cxgb3: Use SKB list interfaces instead of home-grown
implementation.") causes a crash in t3_l2t_send_slow() when an iWARP
connection request is received. This is because the new l2t_entry.arpq
skb queue is never initialized, and therefore trying to add an skb to
it causes a NULL dereference. With the old code there was no need to
initialize the queues because the l2t_entry structures were zeroed,
and the code used NULL to mean empty.

Fix this by adding __skb_queue_head_init() when all the l2t_entry
structures get allocated.

Signed-off-by: Roland Dreier <rolandd@xxxxxxxxx>
Signed-off-by: Jeff Garzik <jgarzik@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
drivers/net/cxgb3/l2t.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/cxgb3/l2t.c
+++ b/drivers/net/cxgb3/l2t.c
@@ -436,6 +436,7 @@ struct l2t_data *t3_init_l2t(unsigned in
for (i = 0; i < l2t_capacity; ++i) {
d->l2tab[i].idx = i;
d->l2tab[i].state = L2T_STATE_UNUSED;
+ __skb_queue_head_init(&d->l2tab[i].arpq);
spin_lock_init(&d->l2tab[i].lock);
atomic_set(&d->l2tab[i].refcnt, 0);
}
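
Review bot: The added `__skb_queue_head_init(&d->l2tab[i].arpq);` line uses the lockless initializer, which sets up the list pointers and length but does not initialize the queue's own spinlock, so it is correct only if every arpq access goes through the `__skb_*` helpers while holding the per-entry lock that is initialized on the following line. A one-line comment here saying that arpq is protected by `l2tab[i].lock` would stop a later change from calling the locking `skb_queue_*` variants on a lock that was never set up. Since the commit message says the old code relied on the entries being zeroed, it is also worth confirming that no other path clears or reuses an l2t_entry in a way that would put arpq back into the all-zero state this line fixes.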
