Kenneth D. Merry 49dfe4a2d4 Fix an event handling bug with the mps(4) driver.
This bug manifested itself after repeated device arrivals and
departures.  The root of the problem was that the last entry in the
reply array wasn't initialized/allocated.  So every time we got
around to that event, we had a bogus address.

There were a couple more problems with the code that are also fixed:

 - The reply mechanism was being treated as sequential (indexed by
   sc->replycurindex) even though the spec says that the driver
   should use the ReplyFrameAddress field of the post queue
   descriptor to figure out where the reply is.  There is no
   guarantee that the reply descriptors will be used in sequential
   order.

 - The second word of the reply post queue descriptor wasn't being
   checked in mps_intr_locked() to make sure that it wasn't
   0xffffffff.  So the driver could potentially come across a
   partially DMAed descriptor.

 - The number of replies allocated was one less than the actual
   size of the queue.  Instead, it was the size of the number of
   replies that can be used at one time.  (Which is one less than
   the size of the queue.)

mps.c:		When initializing the entries in the reply free
		queue, make sure we initialize the full number that
		we tell the chip we have (sc->fqdepth), not the
		number that can be used at any one time (sc->num_replies).

		When allocating replies, make sure we allocate the
		number of replies that we've told the chip exist,
		not just the number that can be used simultaneously.

		Use the ReplyFrameAddress field of the post queue
		descriptor to figure out which reply is being
		referenced.  This is what the spec says to do, and
		the spec doesn't guarantee that the replies will be
		used in order.

		Put a check in to verify that the reply address passed
		back from the card is valid.  (Panic if it isn't, we'll
		panic when we try to dereference the reply pointer in any
		case.)

		In mps_intr_locked(), verify that the second word of the
		post queue descriptor is not 0xffffffff in addition to
		verifying that the unused flag is not set, so we can
		make sure we didn't get a partially DMAed descriptor.

		Remove references to sc->replycurindex, it isn't needed
		now.

mpsvar.h:	Remove replycurindex from the softc, it isn't needed now.

Reviewed by:	scottl
2010-12-10 21:45:10 +00:00
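
An added illustration of the checks this commit message describes, not code from the commit or from the mps(4) driver: the reply index is derived from the device-supplied frame address after a readiness check and a bounds check against the full queue depth. The struct layout, all names, the flag value, the frame size and the alignment check are assumptions, and the function returns an error where the commit panics so that it runs in user space.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model; constants and layout are assumptions. */
#define DESC_TYPE_MASK   0x0Fu
#define DESC_TYPE_UNUSED 0x0Fu   /* assumed "unused" marker in word 0 */
#define FRAME_SIZE       128u    /* assumed reply frame size in bytes */

struct post_desc { uint32_t word0; uint32_t reply_addr; };

struct reply_pool {
    uint32_t base;     /* bus address of the first reply frame */
    uint32_t nframes;  /* frames allocated; must equal the depth told to the chip */
};

enum { DESC_OK = 0, DESC_NOT_READY = -1, DESC_BAD_ADDR = -2 };

/* Map a post queue descriptor to a reply frame index without assuming
 * that the device hands frames back in sequential order. */
int reply_index_from_desc(const struct reply_pool *p,
                          const struct post_desc *d, uint32_t *index)
{
    /* Both words must be written: an unused marker in word 0 or an
     * all-ones second word means the descriptor is not (fully) DMAed. */
    if ((d->word0 & DESC_TYPE_MASK) == DESC_TYPE_UNUSED ||
        d->reply_addr == 0xffffffffu)
        return DESC_NOT_READY;

    /* The address comes from the device: validate before dereferencing. */
    if (d->reply_addr < p->base)
        return DESC_BAD_ADDR;
    uint32_t off = d->reply_addr - p->base;
    if (off % FRAME_SIZE != 0 || off / FRAME_SIZE >= p->nframes)
        return DESC_BAD_ADDR;

    *index = off / FRAME_SIZE;
    return DESC_OK;
}

int main(void)
{
    /* Constructed sample: queue depth 8, device returns the last frame. */
    struct reply_pool full = { 0x10000u, 8u }, one_short = { 0x10000u, 7u };
    struct post_desc last = { 0x01u, 0x10000u + 7u * FRAME_SIZE };
    uint32_t i = 0;
    printf("full depth: %d\n", reply_index_from_desc(&full, &last, &i));
    printf("one short:  %d\n", reply_index_from_desc(&one_short, &last, &i));
    return 0;
}
```

With the pool sized one entry short of the queue depth, the last frame's address fails the bounds check, which is the condition the commit message identifies as the root of the bug.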