When the TX FIFO filled up and i2400m_tx_new() failed to allocate a
new TX message header, a missing check for said condition was causing a
kernel oops when trying to dereference a NULL i2400m->tx_msg pointer.
Found and diagnosed by Cindy H. Kao.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
i2400m_tx_skip_tail() needs to handle the special case of being called
when the tail room that is left over in the FIFO is zero.
This happens when a TX message header was opened at the very end of
the FIFO (without payloads). The i2400m_tx_close() code already marked
said TX message (header) to be skipped and this function should be
doing nothing.
It is called anyway because it is part of a common "corner case" path
handling which takes care of more cases than only this one.
The tail room computation was also improved to take care of the case
when tx_in is at the end of the buffer boundary; tail_room has to be
modded (%) to the buffer size. To do that in a single well-documented
place, __i2400m_tx_tail_room() is introduced and used.
Treat i2400m->tx_in == 0 as a corner case and handle it accordingly.
Found and diagnosed by Cindy H. Kao.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
In some situations, when a new TX message header is started, there
might be no space for data payloads. In this case the message is left
with zero payloads and the i2400m_tx_close() function has just to mark
it as "to skip". If it tries to go ahead it will overwrite things
because there is no space to add padding as defined by the
bus-specific layer. This can cause buffer overruns and in some stress
cases, panics.
Found and diagnosed by Cindy H. Kao.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
The constant is being use as an alignment factor, not as a padding
factor; made reading/reviewing the code quite confusing.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
Reported and fixed by Cindy H Kao.
When the device is stopped __i2400m_dev_stop() stops the network
queue.
However, when this is done in the middle of heavy network operation,
when the bus-specific subdriver is still wrapping up and it reports a
sent TX transaction with _tx_msg_sent() right after the device was
stopped, the queue was being started again, which was causing a stream
of oopsen and finally a panic.
In any case, said call has no place there. It's a left over from an
early implementation that was discarded later on.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
Handling of TX/RX data to/from the i2400m device (IP packets, control
and diagnostics). On RX, this parses the received read transaction
from the device, breaks it in chunks and passes it to the
corresponding subsystems (network and control).
Transmission to the device is done through a software FIFO, as
data/control frames can be coalesced (while the device is reading the
previous tx transaction, others accumulate). A FIFO is used because at
the end it is resource-cheaper that scatter/gather over USB. As well,
most traffic is going to be download (vs upload).
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Inaky Perez-Gonzalez