Re: VIA velocity skb leak.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dave Jones <davej@redhat.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Subject: Re: VIA velocity skb leak.
Date: Thu, 12 Mar 2009 00:39:54 -0400	[thread overview]
Message-ID: <20090312043954.GA7132@redhat.com> (raw)
In-Reply-To: <20090311.212009.51140677.davem@davemloft.net>

On Wed, Mar 11, 2009 at 09:20:09PM -0700, David Miller wrote:
 > From: David Miller <davem@davemloft.net>
 > Date: Wed, 11 Mar 2009 21:17:06 -0700 (PDT)
 > 
 > > 
 > > velocity_xmit() needs to set 'pktlen = skb->len;' after,
 > > not before, the skb_padto() call.
 > 
 > Actually that won't work since, as you suggest, skb->len
 > isn't updated by skb_padto().
 > 
 > So the transmit needs something like:
 > 
 > 	pktlen = (skb->len > ETH_ZLEN ? : ETH_ZLEN);
 > 
 > velocity_free_tx_buf() needs to make the same calculation
 > instead of just plain skb->len

Something like this ?
(It looks like the ZERO_COPY_SUPPORT is never enabled anywhere,
 so I didn't dig into how that works).

diff --git a/drivers/net/via-velocity.c b/drivers/net/via-velocity.c
index c5691fd..cd34dda 100644
--- a/drivers/net/via-velocity.c
+++ b/drivers/net/via-velocity.c
@@ -1838,6 +1838,7 @@ static void velocity_free_tx_buf(struct velocity_info *vptr, struct velocity_td_
 {
 	struct sk_buff *skb = tdinfo->skb;
 	int i;
+	int pktlen;
 
 	/*
 	 *	Don't unmap the pre-allocated tx_bufs
@@ -1845,10 +1846,11 @@ static void velocity_free_tx_buf(struct velocity_info *vptr, struct velocity_td_
 	if (tdinfo->skb_dma) {
 
+		pktlen = (skb->len > ETH_ZLEN ? : ETH_ZLEN);
 		for (i = 0; i < tdinfo->nskb_dma; i++) {
 #ifdef VELOCITY_ZERO_COPY_SUPPORT
 			pci_unmap_single(vptr->pdev, tdinfo->skb_dma[i], le16_to_cpu(td->tdesc1.len), PCI_DMA_TODEVICE);
 #else
-			pci_unmap_single(vptr->pdev, tdinfo->skb_dma[i], skb->len, PCI_DMA_TODEVICE);
+			pci_unmap_single(vptr->pdev, tdinfo->skb_dma[i], pktlen, PCI_DMA_TODEVICE);
 #endif
 			tdinfo->skb_dma[i] = 0;
 		}
@@ -2080,17 +2083,14 @@ static int velocity_xmit(struct sk_buff *skb, struct net_device *dev)
 	struct tx_desc *td_ptr;
 	struct velocity_td_info *tdinfo;
 	unsigned long flags;
-	int pktlen = skb->len;
+	int pktlen;
 	__le16 len;
 	int index;
 
 
-
-	if (skb->len < ETH_ZLEN) {
-		if (skb_padto(skb, ETH_ZLEN))
-			goto out;
-		pktlen = ETH_ZLEN;
-	}
+	if (skb_padto(skb, ETH_ZLEN))
+		goto out;
+	pktlen = (skb->len > ETH_ZLEN ? : ETH_ZLEN);
 
 	len = cpu_to_le16(pktlen);
 
 

 > This bug probably exists in every other driver using
 > skb_padto() :-)

Once I've tested this (tomorrow), I'll do a sweep through some of the others.
I expect the dma-debug stuff will pick them up eventually when that hits mainline,
so it'd be good to fix up the lower hanging fruit.

The dma-debug patches are kinda neat, this is just one type of bug class
it picks up. I forwarded another type to the e1000 list earlier today.

	Dave

-- 
http://www.codemonkey.org.uk

next prev parent reply	other threads:[~2009-03-12  4:39 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-03-12  4:13 VIA velocity skb leak Dave Jones
2009-03-12  4:17 ` David Miller
2009-03-12  4:20   ` David Miller
2009-03-12  4:39     ` Dave Jones [this message]
2009-03-12  4:45       ` Eric Dumazet
2009-03-12  4:56         ` Dave Jones
2009-03-12  5:14           ` Eric Dumazet
2009-03-13 20:36             ` David Miller
2009-03-13 20:52               ` a2065 skb_padto cleanups Dave Jones
2009-03-19  1:18                 ` David Miller
2009-03-13 21:10               ` r8169 skb leak Dave Jones
2009-03-13 22:26                 ` Francois Romieu
2009-03-13 22:33                   ` David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c5691fd dfblob:cd34dda )
 OR (
bs:"Re: VIA velocity skb leak." )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090312043954.GA7132@redhat.com \
    --to=davej@redhat.com \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.