1. Patchew
  2. linux
  3. View series

[PATCH net v3] net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc()

Jinjie Ruan posted 1 patch 1 year, 3 months ago 
drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH net v3] net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc()
Posted by Jinjie Ruan 1 year, 3 months ago 
The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
allocated and mapped skb in a loop, but the loop condition terminates when
the index reaches zero, which fails to free the first allocated skb at
index zero.

Check with i-- so that skb at index 0 is freed as well.

Cc: stable@vger.kernel.org
Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
v3:
- Remove suggested-by.
- Use i-- to simplify the fix.
- Add Acked-by.
- Add cc stable.
- Update the commit message.
v2:
- Update the commit title.
- Declare i as signed to avoid the endless loop.
---
 drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
index 210d84c67ef9..7a9c09cd4fdc 100644
--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
@@ -226,7 +226,7 @@ int t7xx_dpmaif_rx_buf_alloc(struct dpmaif_ctrl *dpmaif_ctrl,
 	return 0;
 
 err_unmap_skbs:
-	while (--i > 0)
+	while (i--)
 		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);
 
 	return ret;
-- 
2.34.1
Re: [PATCH net v3] net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc()
Posted by Markus Elfring 1 year, 3 months ago 
…
> Check with i-- so that skb at index 0 is freed as well.
…

Is the same source code adjustment needed also for the implementation
of the function “t7xx_dpmaif_rx_frag_alloc”?
https://elixir.bootlin.com/linux/v6.12-rc5/source/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c#L384

Regards,
Markus
Re: [PATCH net v3] net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc()
Posted by Ilpo Järvinen 1 year, 3 months ago 
On Fri, 1 Nov 2024, Jinjie Ruan wrote:

> The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
> allocated and mapped skb in a loop, but the loop condition terminates when
> the index reaches zero, which fails to free the first allocated skb at
> index zero.
> 
> Check with i-- so that skb at index 0 is freed as well.
> 
> Cc: stable@vger.kernel.org
> Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
> Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
> v3:
> - Remove suggested-by.
> - Use i-- to simplify the fix.
> - Add Acked-by.
> - Add cc stable.
> - Update the commit message.
> v2:
> - Update the commit title.
> - Declare i as signed to avoid the endless loop.
> ---
>  drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> index 210d84c67ef9..7a9c09cd4fdc 100644
> --- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> +++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
> @@ -226,7 +226,7 @@ int t7xx_dpmaif_rx_buf_alloc(struct dpmaif_ctrl *dpmaif_ctrl,
>  	return 0;
>  
>  err_unmap_skbs:
> -	while (--i > 0)
> +	while (i--)
>  		t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i);
>  
>  	return ret;
> 

Thanks.

Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>

-- 
 i.

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.