Patch "net: atlantic: fix "frag[0] not initialized"" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 22 May 2022 23:12:51 -0400

This is a note to let you know that I've just added the patch titled

    net: atlantic: fix "frag[0] not initialized"

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-atlantic-fix-frag-0-not-initialized.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 99fd549729ff61ecc2d55226077f3943dac32e12
Author: Grant Grundler <grundler@xxxxxxxxxxxx>
Date:   Mon May 9 19:28:23 2022 -0700

    net: atlantic: fix "frag[0] not initialized"
    
    [ Upstream commit 62e0ae0f4020250f961cf8d0103a4621be74e077 ]
    
    In aq_ring_rx_clean(), if buff->is_eop is not set AND
    buff->len < AQ_CFG_RX_HDR_SIZE, then hdr_len remains equal to
    buff->len and skb_add_rx_frag(xxx, *0*, ...) is not called.
    
    The loop following this code starts calling skb_add_rx_frag() starting
    with i=1 and thus frag[0] is never initialized. Since i is initialized
    to zero at the top of the primary loop, we can just reference and
    post-increment i instead of hardcoding the 0 when calling
    skb_add_rx_frag() the first time.
    
    Reported-by: Aashay Shringarpure <aashay@xxxxxxxxxx>
    Reported-by: Yi Chou <yich@xxxxxxxxxx>
    Reported-by: Shervin Oloumi <enlightened@xxxxxxxxxx>
    Signed-off-by: Grant Grundler <grundler@xxxxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index 72f8751784c3..7cf5a48e9a7d 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -445,7 +445,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
 		       ALIGN(hdr_len, sizeof(long)));
 
 		if (buff->len - hdr_len > 0) {
-			skb_add_rx_frag(skb, 0, buff->rxdata.page,
+			skb_add_rx_frag(skb, i++, buff->rxdata.page,
 					buff->rxdata.pg_off + hdr_len,
 					buff->len - hdr_len,
 					AQ_CFG_RX_FRAME_MAX);
@@ -454,7 +454,6 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
 
 		if (!buff->is_eop) {
 			buff_ = buff;
-			i = 1U;
 			do {
 				next_ = buff_->next;
 				buff_ = &self->buff_ring[next_];






