diff options
author | Inaky Perez-Gonzalez <inaky@linux.intel.com> | 2009-05-20 20:40:35 -0400 |
---|---|---|
committer | Inaky Perez-Gonzalez <inaky@linux.intel.com> | 2009-06-11 06:30:21 -0400 |
commit | 2971a5bac8cab3cb56f19e9c494ecb3b120c5199 (patch) | |
tree | aa01c08f44f337304984fac35d60cd940c112a45 /drivers/net/wimax/i2400m/tx.c | |
parent | c56affafdd29eb9764b0e35e3434cc06f6bc3781 (diff) |
wimax/i2400m: fix panic due to missed corner cases on tail_room calculation
i2400m_tx_skip_tail() needs to handle the special case of being called
when the tail room that is left over in the FIFO is zero.
This happens when a TX message header was opened at the very end of
the FIFO (without payloads). The i2400m_tx_close() code already marked
said TX message (header) to be skipped and this function should be
doing nothing.
It is called anyway because it is part of a common "corner case" path
handling which takes care of more cases than only this one.
The tail room computation was also improved to take care of the case
when tx_in is at the end of the buffer boundary; tail_room has to be
modded (%) to the buffer size. To do that in a single well-documented
place, __i2400m_tx_tail_room() is introduced and used.
Treat i2400m->tx_in == 0 as a corner case and handle it accordingly.
Found and diagnosed by Cindy H. Kao.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
Diffstat (limited to 'drivers/net/wimax/i2400m/tx.c')
-rw-r--r-- | drivers/net/wimax/i2400m/tx.c | 58 |
1 files changed, 56 insertions, 2 deletions
diff --git a/drivers/net/wimax/i2400m/tx.c b/drivers/net/wimax/i2400m/tx.c index 7c46c05a5866..4295dcf96ee2 100644 --- a/drivers/net/wimax/i2400m/tx.c +++ b/drivers/net/wimax/i2400m/tx.c | |||
@@ -278,6 +278,48 @@ enum { | |||
278 | #define TAIL_FULL ((void *)~(unsigned long)NULL) | 278 | #define TAIL_FULL ((void *)~(unsigned long)NULL) |
279 | 279 | ||
280 | /* | 280 | /* |
281 | * Calculate how much tail room is available | ||
282 | * | ||
283 | * Note the trick here. This path is ONLY caleed for Case A (see | ||
284 | * i2400m_tx_fifo_push() below), where we have: | ||
285 | * | ||
286 | * Case A | ||
287 | * N ___________ | ||
288 | * | tail room | | ||
289 | * | | | ||
290 | * |<- IN ->| | ||
291 | * | | | ||
292 | * | data | | ||
293 | * | | | ||
294 | * |<- OUT ->| | ||
295 | * | | | ||
296 | * | head room | | ||
297 | * 0 ----------- | ||
298 | * | ||
299 | * When calculating the tail_room, tx_in might get to be zero if | ||
300 | * i2400m->tx_in is right at the end of the buffer (really full | ||
301 | * buffer) if there is no head room. In this case, tail_room would be | ||
302 | * I2400M_TX_BUF_SIZE, although it is actually zero. Hence the final | ||
303 | * mod (%) operation. However, when doing this kind of optimization, | ||
304 | * i2400m->tx_in being zero would fail, so we treat is an a special | ||
305 | * case. | ||
306 | */ | ||
307 | static inline | ||
308 | size_t __i2400m_tx_tail_room(struct i2400m *i2400m) | ||
309 | { | ||
310 | size_t tail_room; | ||
311 | size_t tx_in; | ||
312 | |||
313 | if (unlikely(i2400m->tx_in) == 0) | ||
314 | return I2400M_TX_BUF_SIZE; | ||
315 | tx_in = i2400m->tx_in % I2400M_TX_BUF_SIZE; | ||
316 | tail_room = I2400M_TX_BUF_SIZE - tx_in; | ||
317 | tail_room %= I2400M_TX_BUF_SIZE; | ||
318 | return tail_room; | ||
319 | } | ||
320 | |||
321 | |||
322 | /* | ||
281 | * Allocate @size bytes in the TX fifo, return a pointer to it | 323 | * Allocate @size bytes in the TX fifo, return a pointer to it |
282 | * | 324 | * |
283 | * @i2400m: device descriptor | 325 | * @i2400m: device descriptor |
@@ -338,7 +380,7 @@ void *i2400m_tx_fifo_push(struct i2400m *i2400m, size_t size, size_t padding) | |||
338 | return NULL; | 380 | return NULL; |
339 | } | 381 | } |
340 | /* Is there space at the tail? */ | 382 | /* Is there space at the tail? */ |
341 | tail_room = I2400M_TX_BUF_SIZE - i2400m->tx_in % I2400M_TX_BUF_SIZE; | 383 | tail_room = __i2400m_tx_tail_room(i2400m); |
342 | if (tail_room < needed_size) { | 384 | if (tail_room < needed_size) { |
343 | if (i2400m->tx_out % I2400M_TX_BUF_SIZE | 385 | if (i2400m->tx_out % I2400M_TX_BUF_SIZE |
344 | < i2400m->tx_in % I2400M_TX_BUF_SIZE) { | 386 | < i2400m->tx_in % I2400M_TX_BUF_SIZE) { |
@@ -367,17 +409,29 @@ void *i2400m_tx_fifo_push(struct i2400m *i2400m, size_t size, size_t padding) | |||
367 | * (I2400M_PL_PAD for the payloads, I2400M_TX_PLD_SIZE for the | 409 | * (I2400M_PL_PAD for the payloads, I2400M_TX_PLD_SIZE for the |
368 | * header). | 410 | * header). |
369 | * | 411 | * |
412 | * Tail room can get to be zero if a message was opened when there was | ||
413 | * space only for a header. _tx_close() will mark it as to-skip (as it | ||
414 | * will have no payloads) and there will be no more space to flush, so | ||
415 | * nothing has to be done here. This is probably cheaper than ensuring | ||
416 | * in _tx_new() that there is some space for payloads...as we could | ||
417 | * always possibly hit the same problem if the payload wouldn't fit. | ||
418 | * | ||
370 | * Note: | 419 | * Note: |
371 | * | 420 | * |
372 | * Assumes i2400m->tx_lock is taken, and we use that as a barrier | 421 | * Assumes i2400m->tx_lock is taken, and we use that as a barrier |
422 | * | ||
423 | * This path is only taken for Case A FIFO situations [see | ||
424 | * i2400m_tx_fifo_push()] | ||
373 | */ | 425 | */ |
374 | static | 426 | static |
375 | void i2400m_tx_skip_tail(struct i2400m *i2400m) | 427 | void i2400m_tx_skip_tail(struct i2400m *i2400m) |
376 | { | 428 | { |
377 | struct device *dev = i2400m_dev(i2400m); | 429 | struct device *dev = i2400m_dev(i2400m); |
378 | size_t tx_in = i2400m->tx_in % I2400M_TX_BUF_SIZE; | 430 | size_t tx_in = i2400m->tx_in % I2400M_TX_BUF_SIZE; |
379 | size_t tail_room = I2400M_TX_BUF_SIZE - tx_in; | 431 | size_t tail_room = __i2400m_tx_tail_room(i2400m); |
380 | struct i2400m_msg_hdr *msg = i2400m->tx_buf + tx_in; | 432 | struct i2400m_msg_hdr *msg = i2400m->tx_buf + tx_in; |
433 | if (unlikely(tail_room == 0)) | ||
434 | return; | ||
381 | BUG_ON(tail_room < sizeof(*msg)); | 435 | BUG_ON(tail_room < sizeof(*msg)); |
382 | msg->size = tail_room | I2400M_TX_SKIP; | 436 | msg->size = tail_room | I2400M_TX_SKIP; |
383 | d_printf(2, dev, "skip tail: skipping %zu bytes @%zu\n", | 437 | d_printf(2, dev, "skip tail: skipping %zu bytes @%zu\n", |