From: Heiner Kallweit <hkallweit1@gmail.com> mainline inclusion from mainline-v5.11-rc1 commit 95f3c5458dfa5856bb110e31d156e00d894d0134 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SF4 CVE: CVE-2024-38586 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... --------------------------- tp->dirty_tx and tp->cur_tx may be changed by a racing rtl_tx() or rtl8169_start_xmit(). Use READ_ONCE() to annotate the races and ensure that the compiler doesn't use cached values. Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Link: https://lore.kernel.org/r/5676fee3-f6b4-84f2-eba5-c64949a371ad@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Liu Jian <liujian56@huawei.com> --- drivers/net/ethernet/realtek/r8169_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index 1545e5addd2c..1142b4679cc2 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -4256,7 +4256,8 @@ static bool rtl8169_tso_csum_v2(struct rtl8169_private *tp, static bool rtl_tx_slots_avail(struct rtl8169_private *tp, unsigned int nr_frags) { - unsigned int slots_avail = tp->dirty_tx + NUM_TX_DESC - tp->cur_tx; + unsigned int slots_avail = READ_ONCE(tp->dirty_tx) + NUM_TX_DESC + - READ_ONCE(tp->cur_tx); /* A skbuff with nr_frags needs nr_frags+1 entries in the tx queue */ return slots_avail > nr_frags; -- 2.34.1