From e5ccd96110d5ac0f73b695ba606feb6d69472f26 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Tue, 26 Oct 2010 19:21:07 +0000 Subject: ehea: fix use after free ehea_start_xmit() dereferences skb after its freeing in ehea_xmit3() to get vlan tags. Move the offending block before the potential ehea_xmit3() call. Signed-off-by: Eric Dumazet Signed-off-by: Breno Leitao Signed-off-by: David S. Miller --- drivers/net/ehea/ehea_main.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'drivers/net/ehea') diff --git a/drivers/net/ehea/ehea_main.c b/drivers/net/ehea/ehea_main.c index bb7d306..e59d386 100644 --- a/drivers/net/ehea/ehea_main.c +++ b/drivers/net/ehea/ehea_main.c @@ -2249,6 +2249,11 @@ static int ehea_start_xmit(struct sk_buff *skb, struct net_device *dev) memset(swqe, 0, SWQE_HEADER_SIZE); atomic_dec(&pr->swqe_avail); + if (vlan_tx_tag_present(skb)) { + swqe->tx_control |= EHEA_SWQE_VLAN_INSERT; + swqe->vlan_tag = vlan_tx_tag_get(skb); + } + if (skb->len <= SWQE3_MAX_IMM) { u32 sig_iv = port->sig_comp_iv; u32 swqe_num = pr->swqe_id_counter; @@ -2279,11 +2284,6 @@ static int ehea_start_xmit(struct sk_buff *skb, struct net_device *dev) } pr->swqe_id_counter += 1; - if (vlan_tx_tag_present(skb)) { - swqe->tx_control |= EHEA_SWQE_VLAN_INSERT; - swqe->vlan_tag = vlan_tx_tag_get(skb); - } - if (netif_msg_tx_queued(port)) { ehea_info("post swqe on QP %d", pr->qp->init_attr.qp_nr); ehea_dump(swqe, 512, "swqe"); -- cgit v1.1 From ce45b873028fdf94a24f0850cd554e6fda593e16 Mon Sep 17 00:00:00 2001 From: Breno Leitao Date: Wed, 27 Oct 2010 08:45:14 +0000 Subject: ehea: Fixing statistics (Applied over Eric's "ehea: fix use after free" patch) Currently ehea stats are broken. The bytes counters are got from the hardware, while the packets counters are got from the device driver. Also, the device driver counters are resetted during the the down process, and the hardware aren't, causing some weird numbers. This patch just consolidates the packets and bytes on the device driver. Signed-off-by: Breno Leitao Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller --- drivers/net/ehea/ehea.h | 2 ++ drivers/net/ehea/ehea_main.c | 32 ++++++++++++++++++++++++++------ 2 files changed, 28 insertions(+), 6 deletions(-) (limited to 'drivers/net/ehea') diff --git a/drivers/net/ehea/ehea.h b/drivers/net/ehea/ehea.h index 1321cb6..8e745e7 100644 --- a/drivers/net/ehea/ehea.h +++ b/drivers/net/ehea/ehea.h @@ -396,7 +396,9 @@ struct ehea_port_res { int swqe_ll_count; u32 swqe_id_counter; u64 tx_packets; + u64 tx_bytes; u64 rx_packets; + u64 rx_bytes; u32 poll_counter; struct net_lro_mgr lro_mgr; struct net_lro_desc lro_desc[MAX_LRO_DESCRIPTORS]; diff --git a/drivers/net/ehea/ehea_main.c b/drivers/net/ehea/ehea_main.c index e59d386..182b2a7 100644 --- a/drivers/net/ehea/ehea_main.c +++ b/drivers/net/ehea/ehea_main.c @@ -330,7 +330,7 @@ static struct net_device_stats *ehea_get_stats(struct net_device *dev) struct ehea_port *port = netdev_priv(dev); struct net_device_stats *stats = &port->stats; struct hcp_ehea_port_cb2 *cb2; - u64 hret, rx_packets, tx_packets; + u64 hret, rx_packets, tx_packets, rx_bytes = 0, tx_bytes = 0; int i; memset(stats, 0, sizeof(*stats)); @@ -353,18 +353,22 @@ static struct net_device_stats *ehea_get_stats(struct net_device *dev) ehea_dump(cb2, sizeof(*cb2), "net_device_stats"); rx_packets = 0; - for (i = 0; i < port->num_def_qps; i++) + for (i = 0; i < port->num_def_qps; i++) { rx_packets += port->port_res[i].rx_packets; + rx_bytes += port->port_res[i].rx_bytes; + } tx_packets = 0; - for (i = 0; i < port->num_def_qps + port->num_add_tx_qps; i++) + for (i = 0; i < port->num_def_qps + port->num_add_tx_qps; i++) { tx_packets += port->port_res[i].tx_packets; + tx_bytes += port->port_res[i].tx_bytes; + } stats->tx_packets = tx_packets; stats->multicast = cb2->rxmcp; stats->rx_errors = cb2->rxuerr; - stats->rx_bytes = cb2->rxo; - stats->tx_bytes = cb2->txo; + stats->rx_bytes = rx_bytes; + stats->tx_bytes = tx_bytes; stats->rx_packets = rx_packets; out_herr: @@ -703,6 +707,7 @@ static int ehea_proc_rwqes(struct net_device *dev, int skb_arr_rq2_len = pr->rq2_skba.len; int skb_arr_rq3_len = pr->rq3_skba.len; int processed, processed_rq1, processed_rq2, processed_rq3; + u64 processed_bytes = 0; int wqe_index, last_wqe_index, rq, port_reset; processed = processed_rq1 = processed_rq2 = processed_rq3 = 0; @@ -760,6 +765,7 @@ static int ehea_proc_rwqes(struct net_device *dev, processed_rq3++; } + processed_bytes += skb->len; ehea_proc_skb(pr, cqe, skb); } else { pr->p_stats.poll_receive_errors++; @@ -775,6 +781,7 @@ static int ehea_proc_rwqes(struct net_device *dev, lro_flush_all(&pr->lro_mgr); pr->rx_packets += processed; + pr->rx_bytes += processed_bytes; ehea_refill_rq1(pr, last_wqe_index, processed_rq1); ehea_refill_rq2(pr, processed_rq2); @@ -1509,9 +1516,20 @@ static int ehea_init_port_res(struct ehea_port *port, struct ehea_port_res *pr, enum ehea_eq_type eq_type = EHEA_EQ; struct ehea_qp_init_attr *init_attr = NULL; int ret = -EIO; + u64 tx_bytes, rx_bytes, tx_packets, rx_packets; + + tx_bytes = pr->tx_bytes; + tx_packets = pr->tx_packets; + rx_bytes = pr->rx_bytes; + rx_packets = pr->rx_packets; memset(pr, 0, sizeof(struct ehea_port_res)); + pr->tx_bytes = rx_bytes; + pr->tx_packets = tx_packets; + pr->rx_bytes = rx_bytes; + pr->rx_packets = rx_packets; + pr->port = port; spin_lock_init(&pr->xmit_lock); spin_lock_init(&pr->netif_queue); @@ -2254,6 +2272,9 @@ static int ehea_start_xmit(struct sk_buff *skb, struct net_device *dev) swqe->vlan_tag = vlan_tx_tag_get(skb); } + pr->tx_packets++; + pr->tx_bytes += skb->len; + if (skb->len <= SWQE3_MAX_IMM) { u32 sig_iv = port->sig_comp_iv; u32 swqe_num = pr->swqe_id_counter; @@ -2295,7 +2316,6 @@ static int ehea_start_xmit(struct sk_buff *skb, struct net_device *dev) } ehea_post_swqe(pr->qp, swqe); - pr->tx_packets++; if (unlikely(atomic_read(&pr->swqe_avail) <= 1)) { spin_lock_irqsave(&pr->netif_queue, flags); -- cgit v1.1 From 5c7e57f7cddb83d81d83fefa5822dfe80891130e Mon Sep 17 00:00:00 2001 From: Breno Leitao Date: Fri, 26 Nov 2010 07:26:27 +0000 Subject: ehea: Add some info messages and fix an issue This patch adds some debug information about ehea not being able to allocate enough spaces. Also it correctly updates the amount of available skb. Signed-off-by: Breno Leitao Signed-off-by: David S. Miller --- drivers/net/ehea/ehea_main.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'drivers/net/ehea') diff --git a/drivers/net/ehea/ehea_main.c b/drivers/net/ehea/ehea_main.c index 182b2a7..3d0af08 100644 --- a/drivers/net/ehea/ehea_main.c +++ b/drivers/net/ehea/ehea_main.c @@ -400,6 +400,7 @@ static void ehea_refill_rq1(struct ehea_port_res *pr, int index, int nr_of_wqes) skb_arr_rq1[index] = netdev_alloc_skb(dev, EHEA_L_PKT_SIZE); if (!skb_arr_rq1[index]) { + ehea_info("Unable to allocate enough skb in the array\n"); pr->rq1_skba.os_skbs = fill_wqes - i; break; } @@ -422,13 +423,20 @@ static void ehea_init_fill_rq1(struct ehea_port_res *pr, int nr_rq1a) struct net_device *dev = pr->port->netdev; int i; - for (i = 0; i < pr->rq1_skba.len; i++) { + if (nr_rq1a > pr->rq1_skba.len) { + ehea_error("NR_RQ1A bigger than skb array len\n"); + return; + } + + for (i = 0; i < nr_rq1a; i++) { skb_arr_rq1[i] = netdev_alloc_skb(dev, EHEA_L_PKT_SIZE); - if (!skb_arr_rq1[i]) + if (!skb_arr_rq1[i]) { + ehea_info("No enough memory to allocate skb array\n"); break; + } } /* Ring doorbell */ - ehea_update_rq1a(pr->qp, nr_rq1a); + ehea_update_rq1a(pr->qp, i); } static int ehea_refill_rq_def(struct ehea_port_res *pr, @@ -735,8 +743,10 @@ static int ehea_proc_rwqes(struct net_device *dev, skb = netdev_alloc_skb(dev, EHEA_L_PKT_SIZE); - if (!skb) + if (!skb) { + ehea_info("Not enough memory to allocate skb\n"); break; + } } skb_copy_to_linear_data(skb, ((char *)cqe) + 64, cqe->num_bytes_transfered - 4); -- cgit v1.1