2018-11-29 00:40:12

by Pan Bian

[permalink] [raw]
Subject: [PATCH net] liquidio: read sc->iq_no before release sc

The function lio_vf_rep_packet_sent_callback releases the occupation of
sc via octeon_free_soft_command. sc should not be used after that.
Unfortunately, sc->iq_no is read. To fix this, the patch stores sc->iq_no
into a local variable before releasing sc and then uses the local variable
instead of sc->iq_no.

Signed-off-by: Pan Bian <[email protected]>
---
drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
index ea9859e..de61060 100644
--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
+++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
@@ -349,13 +349,15 @@ lio_vf_rep_packet_sent_callback(struct octeon_device *oct,
struct octeon_soft_command *sc = (struct octeon_soft_command *)buf;
struct sk_buff *skb = sc->ctxptr;
struct net_device *ndev = skb->dev;
+ u32 iq_no;

dma_unmap_single(&oct->pci_dev->dev, sc->dmadptr,
sc->datasize, DMA_TO_DEVICE);
dev_kfree_skb_any(skb);
+ iq_no = sc->iq_no;
octeon_free_soft_command(oct, sc);

- if (octnet_iq_is_full(oct, sc->iq_no))
+ if (octnet_iq_is_full(oct, iq_no))
return;

if (netif_queue_stopped(ndev))
--
2.7.4




2018-12-01 01:22:09

by David Miller

[permalink] [raw]
Subject: Re: [PATCH net] liquidio: read sc->iq_no before release sc

From: Pan Bian <[email protected]>
Date: Thu, 29 Nov 2018 07:54:22 +0800

> The function lio_vf_rep_packet_sent_callback releases the occupation of
> sc via octeon_free_soft_command. sc should not be used after that.
> Unfortunately, sc->iq_no is read. To fix this, the patch stores sc->iq_no
> into a local variable before releasing sc and then uses the local variable
> instead of sc->iq_no.
>
> Signed-off-by: Pan Bian <[email protected]>

Applied.