
From: Heiner Kallweit <hkallweit1@gmail.com> mainline inclusion from mainline-v5.11-rc1 commit 41294e6a434d4f19e957c55b275ea0324f275009 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SF4 CVE: CVE-2024-38586 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... --------------------------- Improve the following in rtl8169_start_xmit: - tp->cur_tx can be accessed in parallel by rtl_tx(), therefore annotate the race by using WRITE_ONCE - avoid checking stop_queue a second time by moving the doorbell check - netif_stop_queue() uses atomic operation set_bit() that includes a full memory barrier on some platforms, therefore use smp_mb__after_atomic to avoid overhead Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Link: https://lore.kernel.org/r/80085451-3eaf-507a-c7c0-08d607c46fbc@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Liu Jian <liujian56@huawei.com> --- drivers/net/ethernet/realtek/r8169_main.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index a396e52a90c6..88a571b3e2e8 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -4338,7 +4338,7 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb, /* rtl_tx needs to see descriptor changes before updated tp->cur_tx */ smp_wmb(); - tp->cur_tx += frags + 1; + WRITE_ONCE(tp->cur_tx, tp->cur_tx + frags + 1); stop_queue = !rtl_tx_slots_avail(tp, MAX_SKB_FRAGS); if (unlikely(stop_queue)) { @@ -4347,13 +4347,6 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb, */ smp_wmb(); netif_stop_queue(dev); - door_bell = true; - } - - if (door_bell) - rtl8169_doorbell(tp); - - if (unlikely(stop_queue)) { /* Sync with rtl_tx: * - publish queue status and cur_tx ring index (write barrier) * - refresh dirty_tx ring index (read barrier). 
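Review bot: The `WRITE_ONCE(tp->cur_tx, tp->cur_tx + frags + 1);` in the first hunk marks only the writer side of the race the description names. The matching `READ_ONCE(tp->cur_tx)` in rtl_tx() is not in this patch, so the reader can still be compiled as a plain, possibly torn or re-fetched load unless another commit in the backport series adds it. The load of `tp->cur_tx` inside the macro argument is also plain, which is safe only while rtl8169_start_xmit() is the sole writer; presumably the netdev TX lock guarantees that, but the code does not say so. Once the reader side exists in this tree, I would extend the existing comment to `/* rtl_tx needs to see descriptor changes before updated tp->cur_tx; pairs with READ_ONCE(tp->cur_tx) in rtl_tx() */`. The function body starts before and continues past this hunk.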
@@ -4361,11 +4354,15 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb, * status and forget to wake up queue, a racing rtl_tx thread * can't. */ - smp_mb(); + smp_mb__after_atomic(); if (rtl_tx_slots_avail(tp, MAX_SKB_FRAGS)) netif_start_queue(dev); + door_bell = true; } + if (door_bell) + rtl8169_doorbell(tp); + return NETDEV_TX_OK; err_dma_1: -- 2.34.1
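Review bot: `smp_mb__after_atomic();` is a full barrier only together with the atomic operation directly before it, so this line now depends on `netif_stop_queue(dev)` (context of the previous hunk) staying a set_bit() with nothing that needs ordering placed in between. The "Sync with rtl_tx" comment above it does not record that dependency; I would add one line to it, `* smp_mb__after_atomic() pairs with the set_bit() in netif_stop_queue() above.` so a later edit does not separate the two. The visible hunks change barriers and the doorbell position but add no ring-index or descriptor check, so this is presumably a prerequisite for the CVE-2024-38586 fix rather than the fix itself. Confirm the rest of the series is applied with it before treating the CVE as closed in this tree.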