From: Heiner Kallweit <hkallweit1@gmail.com> mainline inclusion from mainline-v5.11-rc1 commit 3a689e34973e8717cd57991c6fcf527dc56062b5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SF4 CVE: CVE-2024-38586 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... --------------------------- tp->dirty_tx isn't changed outside rtl_tx(). Therefore I see no need to guarantee a specific order of reading tp->dirty_tx and tp->cur_tx. Having said that we can remove the memory barrier. In addition use READ_ONCE() when reading tp->cur_tx because it can change in parallel to rtl_tx(). Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Link: https://lore.kernel.org/r/2264563a-fa9e-11b0-2c42-31bc6b8e2790@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Liu Jian <liujian56@huawei.com> --- drivers/net/ethernet/realtek/r8169_main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index d3fd77fa64ea..50325a8251e1 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -4469,9 +4469,8 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, unsigned int dirty_tx, tx_left, bytes_compl = 0, pkts_compl = 0; dirty_tx = tp->dirty_tx; - smp_rmb(); - for (tx_left = tp->cur_tx - dirty_tx; tx_left > 0; tx_left--) { + for (tx_left = READ_ONCE(tp->cur_tx) - dirty_tx; tx_left; tx_left--) { unsigned int entry = dirty_tx % NUM_TX_DESC; struct sk_buff *skb = tp->tx_skb[entry].skb; u32 status; -- 2.34.1