net: libwx: fix the using of Rx buffer DMA

The wx_rx_buffer structure contained two DMA address fields: 'dma' and
'page_dma'. However, only 'page_dma' was actually initialized and used
to program the Rx descriptor. But 'dma' was uninitialized and used in
some paths.

This could lead to undefined behavior, including DMA errors or
use-after-free, if the uninitialized 'dma' was used. Althrough such
error has not yet occurred, it is worth fixing in the code.

Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI")
Cc: stable@vger.kernel.org
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250714024755.17512-3-jiawenwu@trustnetic.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
index 7e3d7fb61a52db513f1069984e5e1859288f3784..c914879098114b7d267c3ade2fedd29ca6f79560 100644 (file)
--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
@@ -307,7 +307,7 @@ static bool wx_alloc_mapped_page(struct wx_ring *rx_ring,
                return false;
        dma = page_pool_get_dma_addr(page);
 
-       bi->page_dma = dma;
+       bi->dma = dma;
        bi->page = page;
        bi->page_offset = 0;
 
@@ -344,7 +344,7 @@ void wx_alloc_rx_buffers(struct wx_ring *rx_ring, u16 cleaned_count)
                                                 DMA_FROM_DEVICE);
 
                rx_desc->read.pkt_addr =
-                       cpu_to_le64(bi->page_dma + bi->page_offset);
+                       cpu_to_le64(bi->dma + bi->page_offset);
 
                rx_desc++;
                bi++;

diff --git a/drivers/net/ethernet/wangxun/libwx/wx_type.h b/drivers/net/ethernet/wangxun/libwx/wx_type.h
index 622f2bfe6cde5dc4b1b2c8c9548075271b0fdb31..1a90fcede86b0f5314042d6994bbcfd18956a581 100644 (file)
--- a/drivers/net/ethernet/wangxun/libwx/wx_type.h
+++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h
@@ -997,7 +997,6 @@ struct wx_tx_buffer {
 struct wx_rx_buffer {
        struct sk_buff *skb;
        dma_addr_t dma;
-       dma_addr_t page_dma;
        struct page *page;
        unsigned int page_offset;
 };