net: mvneta: fix refilling for Rx DMA buffers
With the actual code, if a memory allocation error happens while
refilling a Rx descriptor, then the original Rx buffer is both passed
to the networking stack (in a SKB) and let in the Rx ring. This leads
to various kernel oops and crashes.
As a fix, this patch moves Rx descriptor refilling ahead of building
SKB with the associated Rx buffer. In case of a memory allocation
failure, data is dropped and the original DMA buffer is put back into
the Rx ring.
Signed-off-by: Simon Guinot <simon.guinot@sequanux.org>
Fixes: c5aff18204
("net: mvneta: driver for Marvell Armada 370/XP network unit")
Cc: <stable@vger.kernel.org> # v3.8+
Tested-by: Yoann Sculo <yoann@sculo.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
hifive-unleashed-5.1
parent
a7a6268590
commit
a84e328941
|
@ -1462,7 +1462,7 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
|
||||||
struct mvneta_rx_queue *rxq)
|
struct mvneta_rx_queue *rxq)
|
||||||
{
|
{
|
||||||
struct net_device *dev = pp->dev;
|
struct net_device *dev = pp->dev;
|
||||||
int rx_done, rx_filled;
|
int rx_done;
|
||||||
u32 rcvd_pkts = 0;
|
u32 rcvd_pkts = 0;
|
||||||
u32 rcvd_bytes = 0;
|
u32 rcvd_bytes = 0;
|
||||||
|
|
||||||
|
@ -1473,7 +1473,6 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
|
||||||
rx_todo = rx_done;
|
rx_todo = rx_done;
|
||||||
|
|
||||||
rx_done = 0;
|
rx_done = 0;
|
||||||
rx_filled = 0;
|
|
||||||
|
|
||||||
/* Fairness NAPI loop */
|
/* Fairness NAPI loop */
|
||||||
while (rx_done < rx_todo) {
|
while (rx_done < rx_todo) {
|
||||||
|
@ -1484,7 +1483,6 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
|
||||||
int rx_bytes, err;
|
int rx_bytes, err;
|
||||||
|
|
||||||
rx_done++;
|
rx_done++;
|
||||||
rx_filled++;
|
|
||||||
rx_status = rx_desc->status;
|
rx_status = rx_desc->status;
|
||||||
rx_bytes = rx_desc->data_size - (ETH_FCS_LEN + MVNETA_MH_SIZE);
|
rx_bytes = rx_desc->data_size - (ETH_FCS_LEN + MVNETA_MH_SIZE);
|
||||||
data = (unsigned char *)rx_desc->buf_cookie;
|
data = (unsigned char *)rx_desc->buf_cookie;
|
||||||
|
@ -1524,6 +1522,14 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Refill processing */
|
||||||
|
err = mvneta_rx_refill(pp, rx_desc);
|
||||||
|
if (err) {
|
||||||
|
netdev_err(dev, "Linux processing - Can't refill\n");
|
||||||
|
rxq->missed++;
|
||||||
|
goto err_drop_frame;
|
||||||
|
}
|
||||||
|
|
||||||
skb = build_skb(data, pp->frag_size > PAGE_SIZE ? 0 : pp->frag_size);
|
skb = build_skb(data, pp->frag_size > PAGE_SIZE ? 0 : pp->frag_size);
|
||||||
if (!skb)
|
if (!skb)
|
||||||
goto err_drop_frame;
|
goto err_drop_frame;
|
||||||
|
@ -1543,14 +1549,6 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
|
||||||
mvneta_rx_csum(pp, rx_status, skb);
|
mvneta_rx_csum(pp, rx_status, skb);
|
||||||
|
|
||||||
napi_gro_receive(&pp->napi, skb);
|
napi_gro_receive(&pp->napi, skb);
|
||||||
|
|
||||||
/* Refill processing */
|
|
||||||
err = mvneta_rx_refill(pp, rx_desc);
|
|
||||||
if (err) {
|
|
||||||
netdev_err(dev, "Linux processing - Can't refill\n");
|
|
||||||
rxq->missed++;
|
|
||||||
rx_filled--;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (rcvd_pkts) {
|
if (rcvd_pkts) {
|
||||||
|
@ -1563,7 +1561,7 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Update rxq management counters */
|
/* Update rxq management counters */
|
||||||
mvneta_rxq_desc_num_update(pp, rxq, rx_done, rx_filled);
|
mvneta_rxq_desc_num_update(pp, rxq, rx_done, rx_done);
|
||||||
|
|
||||||
return rx_done;
|
return rx_done;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue