!9657 v2 CVE-2024-38586

	return true;

}

static bool rtl_tx_slots_avail(struct rtl8169_private *tp,

			       unsigned int nr_frags)

static bool rtl_tx_slots_avail(struct rtl8169_private *tp)

{

	unsigned int slots_avail = tp->dirty_tx + NUM_TX_DESC - tp->cur_tx;

	unsigned int slots_avail = READ_ONCE(tp->dirty_tx) + NUM_TX_DESC

					- READ_ONCE(tp->cur_tx);

	/* A skbuff with nr_frags needs nr_frags+1 entries in the tx queue */

	return slots_avail > nr_frags;

	return slots_avail > MAX_SKB_FRAGS;

}

/* Versions RTL8102e and from RTL8168c onwards support csum_v2 */

static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,

				      struct net_device *dev)

{

	unsigned int frags = skb_shinfo(skb)->nr_frags;

	struct rtl8169_private *tp = netdev_priv(dev);

	unsigned int entry = tp->cur_tx % NUM_TX_DESC;

	struct TxDesc *txd_first, *txd_last;

	bool stop_queue, door_bell;

	unsigned int frags;

	u32 opts[2];

	txd_first = tp->TxDescArray + entry;

	if (unlikely(!rtl_tx_slots_avail(tp, frags))) {

	if (unlikely(!rtl_tx_slots_avail(tp))) {

		if (net_ratelimit())

			netdev_err(dev, "BUG! Tx Ring full when queue awake!\n");

		goto err_stop_0;

				    entry, false)))

		goto err_dma_0;

	frags = skb_shinfo(skb)->nr_frags;

	if (frags) {

		if (rtl8169_xmit_frags(tp, skb, opts, entry))

			goto err_dma_1;

	/* rtl_tx needs to see descriptor changes before updated tp->cur_tx */

	smp_wmb();

	tp->cur_tx += frags + 1;

	WRITE_ONCE(tp->cur_tx, tp->cur_tx + frags + 1);

	stop_queue = !rtl_tx_slots_avail(tp, MAX_SKB_FRAGS);

	stop_queue = !rtl_tx_slots_avail(tp);

	if (unlikely(stop_queue)) {

		/* Avoid wrongly optimistic queue wake-up: rtl_tx thread must

		 * not miss a ring update when it notices a stopped queue.

		 */

		smp_wmb();

		netif_stop_queue(dev);

		door_bell = true;

	}

	if (door_bell)

		rtl8169_doorbell(tp);

	if (unlikely(stop_queue)) {

		/* Sync with rtl_tx:

		 * - publish queue status and cur_tx ring index (write barrier)

		 * - refresh dirty_tx ring index (read barrier).

		 * status and forget to wake up queue, a racing rtl_tx thread

		 * can't.

		 */

		smp_mb();

		if (rtl_tx_slots_avail(tp, MAX_SKB_FRAGS))

		smp_mb__after_atomic();

		if (rtl_tx_slots_avail(tp))

			netif_start_queue(dev);

		door_bell = true;

	}

	if (door_bell)

		rtl8169_doorbell(tp);

	return NETDEV_TX_OK;

err_dma_1:

static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,

		   int budget)

{

	unsigned int dirty_tx, tx_left, bytes_compl = 0, pkts_compl = 0;

	unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0;

	dirty_tx = tp->dirty_tx;

	smp_rmb();

	for (tx_left = tp->cur_tx - dirty_tx; tx_left > 0; tx_left--) {

	while (READ_ONCE(tp->cur_tx) != dirty_tx) {

		unsigned int entry = dirty_tx % NUM_TX_DESC;

		struct sk_buff *skb = tp->tx_skb[entry].skb;

		u32 status;

		rtl_inc_priv_stats(&tp->tx_stats, pkts_compl, bytes_compl);

		tp->dirty_tx = dirty_tx;

		/* Sync with rtl8169_start_xmit:

		 * - publish dirty_tx ring index (write barrier)

		 * - refresh cur_tx ring index and queue status (read barrier)

		 * a racing xmit thread can only have a right view of the

		 * ring status.

		 */

		smp_mb();

		if (netif_queue_stopped(dev) &&

		    rtl_tx_slots_avail(tp, MAX_SKB_FRAGS)) {

		smp_store_mb(tp->dirty_tx, dirty_tx);

		if (netif_queue_stopped(dev) && rtl_tx_slots_avail(tp))

			netif_wake_queue(dev);

		}

		/*

		 * 8168 hack: TxPoll requests are lost when the Tx packets are

		 * too close. Let's kick an extra TxPoll request when a burst