diff mbox series

[net] net: wwan: t7xx: off-by-one error in t7xx_dpmaif_rx_buf_alloc()

Message ID 20241028080618.3540907-1-ruanjinjie@huawei.com (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series [net] net: wwan: t7xx: off-by-one error in t7xx_dpmaif_rx_buf_alloc() | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 5 this patch: 5
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 4 maintainers not CCed: linux-arm-kernel@lists.infradead.org linux-mediatek@lists.infradead.org angelogioacchino.delregno@collabora.com matthias.bgg@gmail.com
netdev/build_clang success Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 4 this patch: 4
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-10-28--12-00 (tests: 777)

Commit Message

Jinjie Ruan Oct. 28, 2024, 8:06 a.m. UTC 
The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
allocated and mapped skb in a loop, but the loop condition terminates when
the index reaches zero, which fails to free the first allocated skb at
index zero.

Check for >= 0 so that skb at index 0 is freed as well.

Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
 drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Sergey Ryazanov Oct. 28, 2024, 11:55 p.m. UTC | #1 
Hello Jinjie,

On 28.10.2024 10:06, Jinjie Ruan wrote:
> The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
> allocated and mapped skb in a loop, but the loop condition terminates when
> the index reaches zero, which fails to free the first allocated skb at
> index zero.
> 
> Check for >= 0 so that skb at index 0 is freed as well.

Nice catch! Still implementation needs some improvements, see below.

> 
> Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
>   drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> index 210d84c67ef9..f2298330e05b 100644
> --- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> +++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> @@ -226,7 +226,7 @@ int t7xx_dpmaif_rx_buf_alloc(struct dpmaif_ctrl *dpmaif_ctrl,
>   	return 0;
>   
>   err_unmap_skbs:
> -	while (--i > 0)
> +	while (--i >= 0)
>   		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);

The index variable declared as unsigned so changing the condition alone 
will cause the endless loop. Can you change the variable type to signed 
as well?

--
Sergey
Ilpo Järvinen Oct. 29, 2024, 10:52 a.m. UTC | #2 
On Tue, 29 Oct 2024, Sergey Ryazanov wrote:

> Hello Jinjie,
> 
> On 28.10.2024 10:06, Jinjie Ruan wrote:
> > The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
> > allocated and mapped skb in a loop, but the loop condition terminates when
> > the index reaches zero, which fails to free the first allocated skb at
> > index zero.
> > 
> > Check for >= 0 so that skb at index 0 is freed as well.
> 
> Nice catch! Still implementation needs some improvements, see below.
> 
> > 
> > Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
> > Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> > ---
> >   drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> > b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> > index 210d84c67ef9..f2298330e05b 100644
> > --- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> > +++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> > @@ -226,7 +226,7 @@ int t7xx_dpmaif_rx_buf_alloc(struct dpmaif_ctrl
> > *dpmaif_ctrl,
> >   	return 0;
> >     err_unmap_skbs:
> > -	while (--i > 0)
> > +	while (--i >= 0)
> >   		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);
> 
> The index variable declared as unsigned so changing the condition alone will
> cause the endless loop. Can you change the variable type to signed as well?

Isn't the usual pattern:

	while (i--)
		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);

?
Sergey Ryazanov Oct. 30, 2024, 6:45 a.m. UTC | #3 
On October 29, 2024 12:52:39 PM, "Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com> wrote:
>On Tue, 29 Oct 2024, Sergey Ryazanov wrote:
>
>> Hello Jinjie,
>> 
>> On 28.10.2024 10:06, Jinjie Ruan wrote:
>>> The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
>>> allocated and mapped skb in a loop, but the loop condition terminates when
>>> the index reaches zero, which fails to free the first allocated skb at
>>> index zero.
>>> 
>>> Check for >= 0 so that skb at index 0 is freed as well.
>> 
>> Nice catch! Still implementation needs some improvements, see below.
>> 
>>> 
>>> Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
>>> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
>>> ---
>>>   drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>> 
>>> diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
>>> b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
>>> index 210d84c67ef9..f2298330e05b 100644
>>> --- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
>>> +++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
>>> @@ -226,7 +226,7 @@ int t7xx_dpmaif_rx_buf_alloc(struct dpmaif_ctrl
>>> *dpmaif_ctrl,
>>>   	return 0;
>>>     err_unmap_skbs:
>>> -	while (--i > 0)
>>> +	while (--i >= 0)
>>>   		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);
>> 
>> The index variable declared as unsigned so changing the condition alone will
>> cause the endless loop. Can you change the variable type to signed as well?
>
>Isn't the usual pattern:
>
>	while (i--)
>		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);
>
>?

I can't say it's a usual pattern, but yes, you are right and your solution will work even without signedness change.

Jinjie have sent a V2 with int I. And since I assume that loop format a matter of taste, I am going to Ack it. If you think that it is not only matter of taste or Jinjie wants to follow the suggested approach then I will be happy to Ack a new patch with the different loop implementation.

--
Sergey

Hello Ilpo,
diff mbox series

Patch

diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
index 210d84c67ef9..f2298330e05b 100644
--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
@@ -226,7 +226,7 @@  int t7xx_dpmaif_rx_buf_alloc(struct dpmaif_ctrl *dpmaif_ctrl,
 	return 0;
 
 err_unmap_skbs:
-	while (--i > 0)
+	while (--i >= 0)
 		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);
 
 	return ret;