Re: drivers/net/chelsio/sge.c: two array overflows
From: Scott Bardone
Date: Mon Mar 13 2006 - 14:30:07 EST
Adrian,
This is a bug. The array should contain 2 elements.
Attached is a patch which fixes it.
Thanks.
Signed-off-by: Scott Bardone <sbardone@xxxxxxxxxxx>
Adrian Bunk wrote:
The Coverity checker spotted the following two array overflows in
drivers/net/chelsio/sge.c (in both cases, the arrays contain 3 elements):
<-- snip -->
...
static void restart_tx_queues(struct sge *sge)
{
...
sge->stats.cmdQ_restarted[3]++;
...
static int t1_sge_tx(struct sk_buff *skb, struct adapter *adapter,
unsigned int qid, struct net_device *dev)
{
...
sge->stats.cmdQ_full[3]++;
...
<-- snip -->
cu
Adrian
--- sge.c 2006-02-17 14:23:45.000000000 -0800
+++ sge.fix.c 2006-03-13 10:51:24.000000000 -0800
@@ -1021,7 +1021,7 @@
if (test_and_clear_bit(nd->if_port,
&sge->stopped_tx_queues) &&
netif_running(nd)) {
- sge->stats.cmdQ_restarted[3]++;
+ sge->stats.cmdQ_restarted[2]++;
netif_wake_queue(nd);
}
}
@@ -1350,7 +1350,7 @@
if (unlikely(credits < count)) {
netif_stop_queue(dev);
set_bit(dev->if_port, &sge->stopped_tx_queues);
- sge->stats.cmdQ_full[3]++;
+ sge->stats.cmdQ_full[2]++;
spin_unlock(&q->lock);
if (!netif_queue_stopped(dev))
CH_ERR("%s: Tx ring full while queue awake!\n",
@@ -1358,7 +1358,7 @@
return NETDEV_TX_BUSY;
}
if (unlikely(credits - count < q->stop_thres)) {
- sge->stats.cmdQ_full[3]++;
+ sge->stats.cmdQ_full[2]++;
netif_stop_queue(dev);
set_bit(dev->if_port, &sge->stopped_tx_queues);
}