Commit 63a9192b authored by Haiyue Wang's avatar Haiyue Wang Committed by David S. Miller
Browse files

gve: fix the wrong AdminQ buffer overflow check 



The 'tail' pointer is also free-running count, so it needs to be masked
as 'adminq_prod_cnt' does, to become an index value of AdminQ buffer.

Fixes: 5cdad90d ("gve: Batch AQ commands for creating and destroying queues.")
Signed-off-by: default avatarHaiyue Wang <haiyue.wang@intel.com>
Reviewed-by: default avatarCatherine Sullivan <csully@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 82a1ffe5

drivers/net/ethernet/google/gve/gve_adminq.c

+4 −2
Original line number Diff line number Diff line
@@ -322,7 +322,8 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv, 
	tail = ioread32be(&priv->reg_bar0->adminq_event_counter);



	// Check if next command will overflow the buffer.

	if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) == tail) {

	if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) ==

	    (tail & priv->adminq_mask)) {

		int err;



		// Flush existing commands to make room.
@@ -332,7 +333,8 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv, 


		// Retry.

		tail = ioread32be(&priv->reg_bar0->adminq_event_counter);

		if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) == tail) {

		if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) ==

		    (tail & priv->adminq_mask)) {

			// This should never happen. We just flushed the

			// command queue so there should be enough space.

			return -ENOMEM;