Commit 5826cade authored by David Gibson, committed by Jeff Garzik

[PATCH] ibmveth: Fix index increment calculation

On Thu, Oct 12, 2006 at 06:22:14PM +1000, David Gibson wrote:
> Your recent ibmveth commit, 751ae21c
> ("fix int rollover panic"), causes a rapid oops on my test machine
> (POWER5 LPAR).
>
> I've bisected it down to that commit, but am still investigating the
> cause of the crash itself.

Found the problem, I believe: an object lesson in the need for great
caution using ++.

[...]
@@ -213,6 +213,7 @@ static void ibmveth_replenish_buffer_poo
 		}

 		free_index = pool->consumer_index++ % pool->size;
+		pool->consumer_index = free_index;
 		index = pool->free_map[free_index];

 		ibmveth_assert(index != IBM_VETH_INVALID_MAP);

Since the ++ is used as post-increment, the increment is not included
in free_index, and so the added line effectively reverts the
increment.  The produced_index side has an analogous bug.

The following change corrects this:

The recent commit 751ae21c introduced
a bug in the producer/consumer index calculation in the ibmveth driver
- incautious use of the post-increment ++ operator resulted in an
increment being immediately reverted.  This patch corrects the logic.

Without this patch, the driver oopses almost immediately after
activation on at least some machines.
Signed-off-by: David Gibson <dwg@au1.ibm.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
parent cde49b05
...@@ -212,8 +212,8 @@ static void ibmveth_replenish_buffer_pool(struct ibmveth_adapter *adapter, struc ...@@ -212,8 +212,8 @@ static void ibmveth_replenish_buffer_pool(struct ibmveth_adapter *adapter, struc
break; break;
} }
free_index = pool->consumer_index++ % pool->size; free_index = pool->consumer_index;
pool->consumer_index = free_index; pool->consumer_index = (pool->consumer_index + 1) % pool->size;
index = pool->free_map[free_index]; index = pool->free_map[free_index];
ibmveth_assert(index != IBM_VETH_INVALID_MAP); ibmveth_assert(index != IBM_VETH_INVALID_MAP);
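Review bot: The new `free_index = pool->consumer_index;` is used to index pool->free_map[] with no reduction of its own, so the read is only in bounds if consumer_index is already below pool->size on entry. The update `(pool->consumer_index + 1) % pool->size` preserves that property once it holds, but nothing visible in this hunk establishes or checks it. A comment stating that the index is always kept in [0, size), or an ibmveth_assert on free_index before the free_map read, would make the assumption explicit.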
...@@ -329,8 +329,10 @@ static void ibmveth_remove_buffer_from_pool(struct ibmveth_adapter *adapter, u64 ...@@ -329,8 +329,10 @@ static void ibmveth_remove_buffer_from_pool(struct ibmveth_adapter *adapter, u64
adapter->rx_buff_pool[pool].buff_size, adapter->rx_buff_pool[pool].buff_size,
DMA_FROM_DEVICE); DMA_FROM_DEVICE);
free_index = adapter->rx_buff_pool[pool].producer_index++ % adapter->rx_buff_pool[pool].size; free_index = adapter->rx_buff_pool[pool].producer_index;
adapter->rx_buff_pool[pool].producer_index = free_index; adapter->rx_buff_pool[pool].producer_index
= (adapter->rx_buff_pool[pool].producer_index + 1)
% adapter->rx_buff_pool[pool].size;
adapter->rx_buff_pool[pool].free_map[free_index] = index; adapter->rx_buff_pool[pool].free_map[free_index] = index;
mb(); mb();
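Review bot: The producer-side advance spells out `adapter->rx_buff_pool[pool]` four times across three continuation lines and repeats the wrap-around arithmetic already written in ibmveth_replenish_buffer_pool. Both sides had the same post-increment bug, so a local pointer to adapter->rx_buff_pool[pool] and one small helper that returns the current index and advances it modulo size would keep the two paths from diverging again.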
......
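The failure described in the commit message, as an added example that is not code from the driver or from this patch: a simplified model of the consumer side showing that the 751ae21c logic never advances the index, while the corrected logic walks every slot. `struct pool`, `take_buggy`, `take_fixed`, `count_invalid`, the `INVALID_MAP` value, the unsigned index type and the step that marks a taken slot as consumed are assumptions made for the illustration.

```c
#include <stdio.h>

#define POOL_SIZE   4
#define INVALID_MAP 0xffffu  /* hypothetical stand-in for IBM_VETH_INVALID_MAP */

struct pool {                /* simplified model, not the driver's structure */
    unsigned int consumer_index, size;
    unsigned int free_map[POOL_SIZE];
};

/* Logic as left by 751ae21c: the store cancels the post-increment. */
static unsigned int take_buggy(struct pool *p)
{
    unsigned int free_index = p->consumer_index++ % p->size;
    p->consumer_index = free_index;          /* index is back where it started */
    unsigned int index = p->free_map[free_index];
    p->free_map[free_index] = INVALID_MAP;   /* assumed: taken slot is marked consumed */
    return index;
}

/* Logic after this patch: read the slot, then advance with wrap-around. */
static unsigned int take_fixed(struct pool *p)
{
    unsigned int free_index = p->consumer_index;
    p->consumer_index = (p->consumer_index + 1) % p->size;
    unsigned int index = p->free_map[free_index];
    p->free_map[free_index] = INVALID_MAP;
    return index;
}

/* How many of n takes hit a slot that was already consumed. */
static int count_invalid(unsigned int (*take)(struct pool *), int n)
{
    /* Constructed starting state: every slot holds a free buffer. */
    struct pool p = { 0, POOL_SIZE, { 0, 1, 2, 3 } };
    int bad = 0;
    for (int i = 0; i < n; i++)
        bad += (take(&p) == INVALID_MAP);
    return bad;
}

int main(void)
{
    printf("buggy: %d of %d takes hit a consumed slot\n",
           count_invalid(take_buggy, POOL_SIZE), POOL_SIZE);
    printf("fixed: %d of %d takes hit a consumed slot\n",
           count_invalid(take_fixed, POOL_SIZE), POOL_SIZE);
    return 0;
}
```

In the model, every take after the first returns the invalid marker with the buggy logic, which is the condition the driver's `ibmveth_assert(index != IBM_VETH_INVALID_MAP)` checks for.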