hinic: fix bug of wq out of bound access
commit52b2abef45
upstream. If wq has only one page, we need to check wqe rolling over page by compare end_idx and curr_idx, and then copy wqe to shadow wqe to avoid out of bound access. This work has been done in hinic_get_wqe, but missed for hinic_read_wqe. This patch fixes it, and removes unnecessary MASKED_WQE_IDX(). Fixes:7dd29ee128
("hinic: add sriov feature support") Signed-off-by: Qiao Ma <mqaio@linux.alibaba.com> Reviewed-by: Xunlei Pang <xlpang@linux.alibaba.com> Link: https://lore.kernel.org/r/282817b0e1ae2e28fdf3ed8271a04e77f57bf42e.1651148587.git.mqaio@linux.alibaba.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
0a65740339
commit
4fd6c1d43f
|
@ -771,7 +771,7 @@ struct hinic_hw_wqe *hinic_get_wqe(struct hinic_wq *wq, unsigned int wqe_size,
|
|||
/* If we only have one page, still need to get shadown wqe when
|
||||
* wqe rolling-over page
|
||||
*/
|
||||
if (curr_pg != end_pg || MASKED_WQE_IDX(wq, end_prod_idx) < *prod_idx) {
|
||||
if (curr_pg != end_pg || end_prod_idx < *prod_idx) {
|
||||
void *shadow_addr = &wq->shadow_wqe[curr_pg * wq->max_wqe_size];
|
||||
|
||||
copy_wqe_to_shadow(wq, shadow_addr, num_wqebbs, *prod_idx);
|
||||
|
@ -841,7 +841,10 @@ struct hinic_hw_wqe *hinic_read_wqe(struct hinic_wq *wq, unsigned int wqe_size,
|
|||
|
||||
*cons_idx = curr_cons_idx;
|
||||
|
||||
if (curr_pg != end_pg) {
|
||||
/* If we only have one page, still need to get shadown wqe when
|
||||
* wqe rolling-over page
|
||||
*/
|
||||
if (curr_pg != end_pg || end_cons_idx < curr_cons_idx) {
|
||||
void *shadow_addr = &wq->shadow_wqe[curr_pg * wq->max_wqe_size];
|
||||
|
||||
copy_wqe_to_shadow(wq, shadow_addr, num_wqebbs, *cons_idx);
|
||||
|
|
Loading…
Reference in New Issue