aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/tg3.c
diff options
context:
space:
mode:
authorMatt Carlson <mcarlson@broadcom.com>2010-09-30 06:34:30 -0400
committerDavid S. Miller <davem@davemloft.net>2010-10-01 03:24:41 -0400
commit66cfd1bd05a7a1c31c9cdbb2ddf5c57d1cddc5f6 (patch)
treedb289b3d2e73bc3a9f6dcb480911210046c0de07 /drivers/net/tg3.c
parent0197aa38df2ce550c0bfc96194b07ce6b68af814 (diff)
tg3: Fix potential netpoll crash
Up until now the tg3 driver would call netif_napi_add() for the maximum number of NAPI instances the driver could use. The problem is that netpoll could call tg3_poll() on instances that are not active. The net effect is that the driver will crash attempting to dereference uninitialized pointers. The fix is to only allocate as many NAPI instances as the driver would use in tg3_open() and deleted them in tg3_close(). Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Reviewed-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/tg3.c')
-rw-r--r--drivers/net/tg3.c111
1 files changed, 65 insertions, 46 deletions
diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c
index 54fff5bb6f98..982ed44f0752 100644
--- a/drivers/net/tg3.c
+++ b/drivers/net/tg3.c
@@ -752,42 +752,6 @@ static void tg3_int_reenable(struct tg3_napi *tnapi)
752 HOSTCC_MODE_ENABLE | tnapi->coal_now); 752 HOSTCC_MODE_ENABLE | tnapi->coal_now);
753} 753}
754 754
755static void tg3_napi_disable(struct tg3 *tp)
756{
757 int i;
758
759 for (i = tp->irq_cnt - 1; i >= 0; i--)
760 napi_disable(&tp->napi[i].napi);
761}
762
763static void tg3_napi_enable(struct tg3 *tp)
764{
765 int i;
766
767 for (i = 0; i < tp->irq_cnt; i++)
768 napi_enable(&tp->napi[i].napi);
769}
770
771static inline void tg3_netif_stop(struct tg3 *tp)
772{
773 tp->dev->trans_start = jiffies; /* prevent tx timeout */
774 tg3_napi_disable(tp);
775 netif_tx_disable(tp->dev);
776}
777
778static inline void tg3_netif_start(struct tg3 *tp)
779{
780 /* NOTE: unconditional netif_tx_wake_all_queues is only
781 * appropriate so long as all callers are assured to
782 * have free tx slots (such as after tg3_init_hw)
783 */
784 netif_tx_wake_all_queues(tp->dev);
785
786 tg3_napi_enable(tp);
787 tp->napi[0].hw_status->status |= SD_STATUS_UPDATED;
788 tg3_enable_ints(tp);
789}
790
791static void tg3_switch_clocks(struct tg3 *tp) 755static void tg3_switch_clocks(struct tg3 *tp)
792{ 756{
793 u32 clock_ctrl; 757 u32 clock_ctrl;
@@ -4338,6 +4302,11 @@ static int tg3_setup_phy(struct tg3 *tp, int force_reset)
4338 return err; 4302 return err;
4339} 4303}
4340 4304
4305static inline int tg3_irq_sync(struct tg3 *tp)
4306{
4307 return tp->irq_sync;
4308}
4309
4341/* This is called whenever we suspect that the system chipset is re- 4310/* This is called whenever we suspect that the system chipset is re-
4342 * ordering the sequence of MMIO to the tx send mailbox. The symptom 4311 * ordering the sequence of MMIO to the tx send mailbox. The symptom
4343 * is bogus tx completions. We try to recover by setting the 4312 * is bogus tx completions. We try to recover by setting the
@@ -5083,6 +5052,59 @@ tx_recovery:
5083 return work_done; 5052 return work_done;
5084} 5053}
5085 5054
5055static void tg3_napi_disable(struct tg3 *tp)
5056{
5057 int i;
5058
5059 for (i = tp->irq_cnt - 1; i >= 0; i--)
5060 napi_disable(&tp->napi[i].napi);
5061}
5062
5063static void tg3_napi_enable(struct tg3 *tp)
5064{
5065 int i;
5066
5067 for (i = 0; i < tp->irq_cnt; i++)
5068 napi_enable(&tp->napi[i].napi);
5069}
5070
5071static void tg3_napi_init(struct tg3 *tp)
5072{
5073 int i;
5074
5075 netif_napi_add(tp->dev, &tp->napi[0].napi, tg3_poll, 64);
5076 for (i = 1; i < tp->irq_cnt; i++)
5077 netif_napi_add(tp->dev, &tp->napi[i].napi, tg3_poll_msix, 64);
5078}
5079
5080static void tg3_napi_fini(struct tg3 *tp)
5081{
5082 int i;
5083
5084 for (i = 0; i < tp->irq_cnt; i++)
5085 netif_napi_del(&tp->napi[i].napi);
5086}
5087
5088static inline void tg3_netif_stop(struct tg3 *tp)
5089{
5090 tp->dev->trans_start = jiffies; /* prevent tx timeout */
5091 tg3_napi_disable(tp);
5092 netif_tx_disable(tp->dev);
5093}
5094
5095static inline void tg3_netif_start(struct tg3 *tp)
5096{
5097 /* NOTE: unconditional netif_tx_wake_all_queues is only
5098 * appropriate so long as all callers are assured to
5099 * have free tx slots (such as after tg3_init_hw)
5100 */
5101 netif_tx_wake_all_queues(tp->dev);
5102
5103 tg3_napi_enable(tp);
5104 tp->napi[0].hw_status->status |= SD_STATUS_UPDATED;
5105 tg3_enable_ints(tp);
5106}
5107
5086static void tg3_irq_quiesce(struct tg3 *tp) 5108static void tg3_irq_quiesce(struct tg3 *tp)
5087{ 5109{
5088 int i; 5110 int i;
@@ -5096,11 +5118,6 @@ static void tg3_irq_quiesce(struct tg3 *tp)
5096 synchronize_irq(tp->napi[i].irq_vec); 5118 synchronize_irq(tp->napi[i].irq_vec);
5097} 5119}
5098 5120
5099static inline int tg3_irq_sync(struct tg3 *tp)
5100{
5101 return tp->irq_sync;
5102}
5103
5104/* Fully shutdown all tg3 driver activity elsewhere in the system. 5121/* Fully shutdown all tg3 driver activity elsewhere in the system.
5105 * If irq_sync is non-zero, then the IRQ handler must be synchronized 5122 * If irq_sync is non-zero, then the IRQ handler must be synchronized
5106 * with as well. Most of the time, this is not necessary except when 5123 * with as well. Most of the time, this is not necessary except when
@@ -8920,6 +8937,8 @@ static int tg3_open(struct net_device *dev)
8920 if (err) 8937 if (err)
8921 goto err_out1; 8938 goto err_out1;
8922 8939
8940 tg3_napi_init(tp);
8941
8923 tg3_napi_enable(tp); 8942 tg3_napi_enable(tp);
8924 8943
8925 for (i = 0; i < tp->irq_cnt; i++) { 8944 for (i = 0; i < tp->irq_cnt; i++) {
@@ -9007,6 +9026,7 @@ err_out3:
9007 9026
9008err_out2: 9027err_out2:
9009 tg3_napi_disable(tp); 9028 tg3_napi_disable(tp);
9029 tg3_napi_fini(tp);
9010 tg3_free_consistent(tp); 9030 tg3_free_consistent(tp);
9011 9031
9012err_out1: 9032err_out1:
@@ -9054,6 +9074,8 @@ static int tg3_close(struct net_device *dev)
9054 memcpy(&tp->estats_prev, tg3_get_estats(tp), 9074 memcpy(&tp->estats_prev, tg3_get_estats(tp),
9055 sizeof(tp->estats_prev)); 9075 sizeof(tp->estats_prev));
9056 9076
9077 tg3_napi_fini(tp);
9078
9057 tg3_free_consistent(tp); 9079 tg3_free_consistent(tp);
9058 9080
9059 tg3_set_power_state(tp, PCI_D3hot); 9081 tg3_set_power_state(tp, PCI_D3hot);
@@ -14604,13 +14626,10 @@ static int __devinit tg3_init_one(struct pci_dev *pdev,
14604 tnapi->consmbox = rcvmbx; 14626 tnapi->consmbox = rcvmbx;
14605 tnapi->prodmbox = sndmbx; 14627 tnapi->prodmbox = sndmbx;
14606 14628
14607 if (i) { 14629 if (i)
14608 tnapi->coal_now = HOSTCC_MODE_COAL_VEC1_NOW << (i - 1); 14630 tnapi->coal_now = HOSTCC_MODE_COAL_VEC1_NOW << (i - 1);
14609 netif_napi_add(dev, &tnapi->napi, tg3_poll_msix, 64); 14631 else
14610 } else {
14611 tnapi->coal_now = HOSTCC_MODE_NOW; 14632 tnapi->coal_now = HOSTCC_MODE_NOW;
14612 netif_napi_add(dev, &tnapi->napi, tg3_poll, 64);
14613 }
14614 14633
14615 if (!(tp->tg3_flags & TG3_FLAG_SUPPORT_MSIX)) 14634 if (!(tp->tg3_flags & TG3_FLAG_SUPPORT_MSIX))
14616 break; 14635 break;