Commit 62e0ae0f authored May 09, 2022 by Grant Grundler Committed by David S. Miller May 11, 2022

net: atlantic: fix "frag[0] not initialized"



In aq_ring_rx_clean(), if buff->is_eop is not set AND
buff->len < AQ_CFG_RX_HDR_SIZE, then hdr_len remains equal to
buff->len and skb_add_rx_frag(xxx, *0*, ...) is not called.

The loop following this code starts calling skb_add_rx_frag() starting
with i=1 and thus frag[0] is never initialized. Since i is initialized
to zero at the top of the primary loop, we can just reference and
post-increment i instead of hardcoding the 0 when calling
skb_add_rx_frag() the first time.

Reported-by: Aashay Shringarpure <aashay@google.com>
Reported-by: Yi Chou <yich@google.com>
Reported-by: Shervin Oloumi <enlightened@google.com>
Signed-off-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 0807ce0b

drivers/net/ethernet/aquantia/atlantic/aq_ring.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -446,7 +446,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
		ALIGN(hdr_len, sizeof(long)));

		if (buff->len - hdr_len > 0) {
		skb_add_rx_frag(skb, 0, buff->rxdata.page,
		skb_add_rx_frag(skb, i++, buff->rxdata.page,
		buff->rxdata.pg_off + hdr_len,
		buff->len - hdr_len,
		AQ_CFG_RX_FRAME_MAX);
		@@ -455,7 +455,6 @@ int aq_ring_rx_clean(struct aq_ring_s *self,

		if (!buff->is_eop) {
		buff_ = buff;
		i = 1U;
		do {
		next_ = buff_->next;
		buff_ = &self->buff_ring[next_];