27 lines
1.1 KiB
Diff
27 lines
1.1 KiB
Diff
|
When it get to free_page(queue->grant_tx_page[i]), the use counter on this page
|
||
|
|
is already 0, which cause a crash. Not sure if this is the proper fix
|
||
|
|
(according to git log this may introduce some memory leak), but at least it
|
||
|
|
prevent the crash.
|
||
|
|
|
||
|
|
Details in this thread:
|
||
|
|
http://xen.markmail.org/thread/pw5edbtqienjx4q5
|
||
|
|
|
||
|
|
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
|
||
|
|
index f821a97..a5efbb0 100644
|
||
|
|
--- a/drivers/net/xen-netfront.c
|
||
|
|
+++ b/drivers/net/xen-netfront.c
|
||
|
|
@@ -1065,9 +1069,10 @@ static void xennet_release_tx_bufs(struct netfront_queue *queue)
|
||
|
|
|
||
|
|
skb = queue->tx_skbs[i].skb;
|
||
|
|
get_page(queue->grant_tx_page[i]);
|
||
|
|
- gnttab_end_foreign_access(queue->grant_tx_ref[i],
|
||
|
|
- GNTMAP_readonly,
|
||
|
|
- (unsigned long)page_address(queue->grant_tx_page[i]));
|
||
|
|
+ gnttab_end_foreign_access_ref(
|
||
|
|
+ queue->grant_tx_ref[i], GNTMAP_readonly);
|
||
|
|
+ gnttab_release_grant_reference(
|
||
|
|
+ &queue->gref_tx_head, queue->grant_tx_ref[i]);
|
||
|
|
queue->grant_tx_page[i] = NULL;
|
||
|
|
queue->grant_tx_ref[i] = GRANT_INVALID_REF;
|
||
|
|
add_id_to_freelist(&queue->tx_skb_freelist, queue->tx_skbs, i);
|