tg3: Prevent rx producer ring overruns
authorMatt Carlson <mcarlson@broadcom.com>
Fri, 12 Feb 2010 14:47:06 +0000 (14:47 +0000)
committerDavid S. Miller <davem@davemloft.net>
Sat, 13 Feb 2010 01:05:51 +0000 (17:05 -0800)
When operating in RSS mode, it is possible for one rx return ring to
submit enough rx buffers back to the hardware such that it inadvertently
overwrites data needed by another rx return ring.  This patch addresses
the problem by looking for non-NULL skb pointers in the
rx_[std|jmb]_buffers rings that parallel the rx producer rings.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Reviewed-by: Benjamin Li <benli@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/tg3.c

index 661e9ddd14010ef47003759aeffd2a012b43f907..a46c26764ba76eb779d3a054d0e0cdd7e66ce580 100644 (file)
@@ -4552,6 +4552,12 @@ static void tg3_recycle_rx(struct tg3_napi *tnapi,
                           pci_unmap_addr(src_map, mapping));
        dest_desc->addr_hi = src_desc->addr_hi;
        dest_desc->addr_lo = src_desc->addr_lo;
+
+       /* Ensure that the update to the skb happens after the physical
+        * addresses have been transferred to the new BD location.
+        */
+       smp_wmb();
+
        src_map->skb = NULL;
 }
 
@@ -4816,6 +4822,22 @@ static void tg3_rx_prodring_xfer(struct tg3 *tp,
                si = spr->rx_std_cons_idx;
                di = dpr->rx_std_prod_idx;
 
+               for (i = di; i < di + cpycnt; i++) {
+                       if (dpr->rx_std_buffers[i].skb) {
+                               cpycnt = i - di;
+                               break;
+                       }
+               }
+
+               if (!cpycnt)
+                       break;
+
+               /* Ensure that updates to the rx_std_buffers ring and the
+                * shadowed hardware producer ring from tg3_recycle_skb() are
+                * ordered correctly WRT the skb check above.
+                */
+               smp_rmb();
+
                memcpy(&dpr->rx_std_buffers[di],
                       &spr->rx_std_buffers[si],
                       cpycnt * sizeof(struct ring_info));
@@ -4856,6 +4878,22 @@ static void tg3_rx_prodring_xfer(struct tg3 *tp,
                si = spr->rx_jmb_cons_idx;
                di = dpr->rx_jmb_prod_idx;
 
+               for (i = di; i < di + cpycnt; i++) {
+                       if (dpr->rx_jmb_buffers[i].skb) {
+                               cpycnt = i - di;
+                               break;
+                       }
+               }
+
+               if (!cpycnt)
+                       break;
+
+               /* Ensure that updates to the rx_jmb_buffers ring and the
+                * shadowed hardware producer ring from tg3_recycle_skb() are
+                * ordered correctly WRT the skb check above.
+                */
+               smp_rmb();
+
                memcpy(&dpr->rx_jmb_buffers[di],
                       &spr->rx_jmb_buffers[si],
                       cpycnt * sizeof(struct ring_info));