The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
allocated and mapped skb in a loop, but the loop condition terminates when
the index reaches zero, which fails to free the first allocated skb at
index zero.

Check for >= 0 so that skb at index 0 is freed as well.

Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
 drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
index 210d84c67ef9..f2298330e05b 100644
--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
@@ -226,7 +226,7 @@ int t7xx_dpmaif_rx_buf_alloc(struct dpmaif_ctrl *dpmaif_ctrl,
 	return 0;
 
 err_unmap_skbs:
-	while (--i > 0)
+	while (--i >= 0)
 		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);
 
 	return ret;
-- 
2.34.1

Hello Jinjie,

On 28.10.2024 10:06, Jinjie Ruan wrote:
> The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
> allocated and mapped skb in a loop, but the loop condition terminates when
> the index reaches zero, which fails to free the first allocated skb at
> index zero.
> 
> Check for >= 0 so that skb at index 0 is freed as well.

Nice catch! Still implementation needs some improvements, see below.

> 
> Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
>   drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> index 210d84c67ef9..f2298330e05b 100644
> --- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> +++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> @@ -226,7 +226,7 @@ int t7xx_dpmaif_rx_buf_alloc(struct dpmaif_ctrl *dpmaif_ctrl,
>   	return 0;
>   
>   err_unmap_skbs:
> -	while (--i > 0)
> +	while (--i >= 0)
>   		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);

The index variable declared as unsigned so changing the condition alone 
will cause the endless loop. Can you change the variable type to signed 
as well?

--
Sergey

On Tue, 29 Oct 2024, Sergey Ryazanov wrote:

> Hello Jinjie,
> 
> On 28.10.2024 10:06, Jinjie Ruan wrote:
> > The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
> > allocated and mapped skb in a loop, but the loop condition terminates when
> > the index reaches zero, which fails to free the first allocated skb at
> > index zero.
> > 
> > Check for >= 0 so that skb at index 0 is freed as well.
> 
> Nice catch! Still implementation needs some improvements, see below.
> 
> > 
> > Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
> > Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> > ---
> >   drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> > b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> > index 210d84c67ef9..f2298330e05b 100644
> > --- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> > +++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> > @@ -226,7 +226,7 @@ int t7xx_dpmaif_rx_buf_alloc(struct dpmaif_ctrl
> > *dpmaif_ctrl,
> >   	return 0;
> >     err_unmap_skbs:
> > -	while (--i > 0)
> > +	while (--i >= 0)
> >   		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);
> 
> The index variable declared as unsigned so changing the condition alone will
> cause the endless loop. Can you change the variable type to signed as well?

Isn't the usual pattern:

	while (i--)
		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);

?

-- 
 i.

On October 29, 2024 12:52:39 PM, "Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com> wrote:
>On Tue, 29 Oct 2024, Sergey Ryazanov wrote:
>
>> Hello Jinjie,
>> 
>> On 28.10.2024 10:06, Jinjie Ruan wrote:
>>> The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
>>> allocated and mapped skb in a loop, but the loop condition terminates when
>>> the index reaches zero, which fails to free the first allocated skb at
>>> index zero.
>>> 
>>> Check for >= 0 so that skb at index 0 is freed as well.
>> 
>> Nice catch! Still implementation needs some improvements, see below.
>> 
>>> 
>>> Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
>>> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
>>> ---
>>>   drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>> 
>>> diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
>>> b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
>>> index 210d84c67ef9..f2298330e05b 100644
>>> --- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
>>> +++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
>>> @@ -226,7 +226,7 @@ int t7xx_dpmaif_rx_buf_alloc(struct dpmaif_ctrl
>>> *dpmaif_ctrl,
>>>   	return 0;
>>>     err_unmap_skbs:
>>> -	while (--i > 0)
>>> +	while (--i >= 0)
>>>   		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);
>> 
>> The index variable declared as unsigned so changing the condition alone will
>> cause the endless loop. Can you change the variable type to signed as well?
>
>Isn't the usual pattern:
>
>	while (i--)
>		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);
>
>?

I can't say it's a usual pattern, but yes, you are right and your solution will work even without signedness change.

Jinjie have sent a V2 with int I. And since I assume that loop format a matter of taste, I am going to Ack it. If you think that it is not only matter of taste or Jinjie wants to follow the suggested approach then I will be happy to Ack a new patch with the different loop implementation.

--
Sergey

Hello Ilpo,