Patch "net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 27 Jan 2024 07:52:23 -0500

This is a note to let you know that I've just added the patch titled

    net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-mlx5e-fix-operation-precedence-bug-in-port-times.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7393f91797c248e3fd72d418ad4692e02bba7058
Author: Rahul Rameshbabu <rrameshbabu@xxxxxxxxxx>
Date:   Wed Nov 22 18:32:11 2023 -0800

    net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context
    
    [ Upstream commit 3876638b2c7ebb2c9d181de1191db0de8cac143a ]
    
    Indirection (*) is of lower precedence than postfix increment (++). Logic
    in napi_poll context would cause an out-of-bound read by first increment
    the pointer address by byte address space and then dereference the value.
    Rather, the intended logic was to dereference first and then increment the
    underlying value.
    
    Fixes: 92214be5979c ("net/mlx5e: Update doorbell for port timestamping CQ before the software counter")
    Signed-off-by: Rahul Rameshbabu <rrameshbabu@xxxxxxxxxx>
    Reviewed-by: Tariq Toukan <tariqt@xxxxxxxxxx>
    Signed-off-by: Saeed Mahameed <saeedm@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
index af3928eddafd..803035d4e597 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
@@ -213,7 +213,7 @@ static void mlx5e_ptp_handle_ts_cqe(struct mlx5e_ptpsq *ptpsq,
 	mlx5e_ptpsq_mark_ts_cqes_undelivered(ptpsq, hwtstamp);
 out:
 	napi_consume_skb(skb, budget);
-	md_buff[*md_buff_sz++] = metadata_id;
+	md_buff[(*md_buff_sz)++] = metadata_id;
 	if (unlikely(mlx5e_ptp_metadata_map_unhealthy(&ptpsq->metadata_map)) &&
 	    !test_and_set_bit(MLX5E_SQ_STATE_RECOVERING, &sq->state))
 		queue_work(ptpsq->txqsq.priv->wq, &ptpsq->report_unhealthy_work);







