authorInaky Perez-Gonzalez <inaky@linux.intel.com>2009-05-20 20:40:35 -0400
committerInaky Perez-Gonzalez <inaky@linux.intel.com>2009-06-11 06:30:21 -0400
commit2971a5bac8cab3cb56f19e9c494ecb3b120c5199 (patch)
treeaa01c08f44f337304984fac35d60cd940c112a45
parentc56affafdd29eb9764b0e35e3434cc06f6bc3781 (diff)
wimax/i2400m: fix panic due to missed corner cases on tail_room calculation
i2400m_tx_skip_tail() needs to handle the special case of being called when the tail room that is left over in the FIFO is zero. This happens when a TX message header was opened at the very end of the FIFO (without payloads). The i2400m_tx_close() code already marked said TX message (header) to be skipped and this function should be doing nothing. It is called anyway because it is part of a common "corner case" path handling which takes care of more cases than only this one. The tail room computation was also improved to take care of the case when tx_in is at the end of the buffer boundary; tail_room has to be modded (%) to the buffer size. To do that in a single well-documented place, __i2400m_tx_tail_room() is introduced and used. Treat i2400m->tx_in == 0 as a corner case and handle it accordingly. Found and diagnosed by Cindy H. Kao. Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
-rw-r--r--drivers/net/wimax/i2400m/tx.c58
1 files changed, 56 insertions, 2 deletions
diff --git a/drivers/net/wimax/i2400m/tx.c b/drivers/net/wimax/i2400m/tx.c
index 7c46c05a5866..4295dcf96ee2 100644
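--- a/drivers/net/wimax/i2400m/tx.c
+++ b/drivers/net/wimax/i2400m/tx.c
@@ -278,6 +278,48 @@ enum {
 #define TAIL_FULL ((void *)~(unsigned long)NULL)
 
 /*
+ * Calculate how much tail room is available
+ *
+ * Note the trick here. This path is ONLY caleed for Case A (see
+ * i2400m_tx_fifo_push() below), where we have:
+ *
+ * Case A
+ * N ___________
+ * | tail room |
+ * | |
+ * |<- IN ->|
+ * | |
+ * | data |
+ * | |
+ * |<- OUT ->|
+ * | |
+ * | head room |
+ * 0 -----------
+ *
+ * When calculating the tail_room, tx_in might get to be zero if
+ * i2400m->tx_in is right at the end of the buffer (really full
+ * buffer) if there is no head room. In this case, tail_room would be
+ * I2400M_TX_BUF_SIZE, although it is actually zero. Hence the final
+ * mod (%) operation. However, when doing this kind of optimization,
+ * i2400m->tx_in being zero would fail, so we treat is an a special
+ * case.
+ */
+static inline
+size_t __i2400m_tx_tail_room(struct i2400m *i2400m)
+{
+ size_t tail_room;
+ size_t tx_in;
+
+ if (unlikely(i2400m->tx_in) == 0)
+ return I2400M_TX_BUF_SIZE;
+ tx_in = i2400m->tx_in % I2400M_TX_BUF_SIZE;
+ tail_room = I2400M_TX_BUF_SIZE - tx_in;
+ tail_room %= I2400M_TX_BUF_SIZE;
+ return tail_room;
+}
+
+
+/*
  * Allocate @size bytes in the TX fifo, return a pointer to it
  *
  * @i2400m: device descriptor
@@ -338,7 +380,7 @@ void *i2400m_tx_fifo_push(struct i2400m *i2400m, size_t size, size_t padding)
  return NULL;
  }
  /* Is there space at the tail? */
- tail_room = I2400M_TX_BUF_SIZE - i2400m->tx_in % I2400M_TX_BUF_SIZE;
+ tail_room = __i2400m_tx_tail_room(i2400m);
  if (tail_room < needed_size) {
  if (i2400m->tx_out % I2400M_TX_BUF_SIZE
  < i2400m->tx_in % I2400M_TX_BUF_SIZE) {
@@ -367,17 +409,29 @@ void *i2400m_tx_fifo_push(struct i2400m *i2400m, size_t size, size_t padding)
  * (I2400M_PL_PAD for the payloads, I2400M_TX_PLD_SIZE for the
  * header).
  *
+ * Tail room can get to be zero if a message was opened when there was
+ * space only for a header. _tx_close() will mark it as to-skip (as it
+ * will have no payloads) and there will be no more space to flush, so
+ * nothing has to be done here. This is probably cheaper than ensuring
+ * in _tx_new() that there is some space for payloads...as we could
+ * always possibly hit the same problem if the payload wouldn't fit.
+ *
  * Note:
  *
  * Assumes i2400m->tx_lock is taken, and we use that as a barrier
+ *
+ * This path is only taken for Case A FIFO situations [see
+ * i2400m_tx_fifo_push()]
  */
 static
 void i2400m_tx_skip_tail(struct i2400m *i2400m)
 {
  struct device *dev = i2400m_dev(i2400m);
  size_t tx_in = i2400m->tx_in % I2400M_TX_BUF_SIZE;
- size_t tail_room = I2400M_TX_BUF_SIZE - tx_in;
+ size_t tail_room = __i2400m_tx_tail_room(i2400m);
  struct i2400m_msg_hdr *msg = i2400m->tx_buf + tx_in;
+ if (unlikely(tail_room == 0))
+ return;
  BUG_ON(tail_room < sizeof(*msg));
  msg->size = tail_room | I2400M_TX_SKIP;
  d_printf(2, dev, "skip tail: skipping %zu bytes @%zu\n",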
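Review bot: In the first hunk, `if (unlikely(i2400m->tx_in) == 0)` in `__i2400m_tx_tail_room()` has its closing parenthesis in the wrong place: the comparison sits outside `unlikely()`, so the test still evaluates correctly but the branch hint ends up marking the zero case as the expected one. It should read `if (unlikely(i2400m->tx_in == 0))`. Separately, in the last hunk the new early return in `i2400m_tx_skip_tail()` covers only `tail_room == 0`; the `BUG_ON(tail_room < sizeof(*msg))` right after it still panics the kernel for any non-zero tail room smaller than a message header. If the FIFO alignment rules (not visible in this diff) rule that out, a one-line comment stating the invariant next to the `BUG_ON` would help; otherwise a graceful bail-out is safer than a panic in the TX path. The body of `i2400m_tx_skip_tail()` continues past the end of the hunk.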