Commit 532e0e2b authored by Heiner Kallweit's avatar Heiner Kallweit Committed by Liu Jian
Browse files

r8169: improve rtl_tx 

mainline inclusion
from mainline-v5.11-rc1
commit ca1ab89c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SF4
CVE: CVE-2024-38586

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ca1ab89cd2d654661f559bd83ad9fc7323cb6c86



---------------------------

We can simplify the for() condition and eliminate variable tx_left.
The change also considers that tp->cur_tx may be incremented by a
racing rtl8169_start_xmit().
In addition replace the write to tp->dirty_tx and the following
smp_mb() with an equivalent call to smp_store_mb(). This implicitly
adds a WRITE_ONCE() to the write.

Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
Link: https://lore.kernel.org/r/c2e19e5e-3d3f-d663-af32-13c3374f5def@gmail.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>

Conflicts:
	drivers/net/ethernet/realtek/r8169_main.c
[We did not backport f1d54705.]
Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>
parent dd61df65

drivers/net/ethernet/realtek/r8169_main.c

+3 −4
Original line number Diff line number Diff line
@@ -4467,11 +4467,11 @@ static void rtl8169_pcierr_interrupt(struct net_device *dev) 
static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,

		   int budget)

{

	unsigned int dirty_tx, tx_left, bytes_compl = 0, pkts_compl = 0;

	unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0;



	dirty_tx = tp->dirty_tx;



	for (tx_left = READ_ONCE(tp->cur_tx) - dirty_tx; tx_left; tx_left--) {

	while (READ_ONCE(tp->cur_tx) != dirty_tx) {

		unsigned int entry = dirty_tx % NUM_TX_DESC;

		struct sk_buff *skb = tp->tx_skb[entry].skb;

		u32 status;
@@ -4495,7 +4495,6 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, 


		rtl_inc_priv_stats(&tp->tx_stats, pkts_compl, bytes_compl);



		tp->dirty_tx = dirty_tx;

		/* Sync with rtl8169_start_xmit:

		 * - publish dirty_tx ring index (write barrier)

		 * - refresh cur_tx ring index and queue status (read barrier)
@@ -4503,7 +4502,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, 
		 * a racing xmit thread can only have a right view of the

		 * ring status.

		 */

		smp_mb();

		smp_store_mb(tp->dirty_tx, dirty_tx);

		if (netif_queue_stopped(dev) &&

		    rtl_tx_slots_avail(tp, MAX_SKB_FRAGS)) {

			netif_wake_queue(dev);