net: stmmac: descs: fix buffer 1 off-by-one error

norm_set_tx_desc_len_on_ring() incorrectly tests the buffer length,
leading to a length of 2048 being squeezed into a bitfield covering
bits 10:0 - which results in the buffer 1 size being zero.

If this field is zero, buffer 1 is ignored, and thus is equivalent to
transmitting a zero length buffer.

The path to norm_set_tx_desc_len_on_ring() is only possible when the
hardware does not support enhanced descriptors (plat->enh_desc clear)
which is dependent on the hardware.

Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/E1vdtvs-00000002Gtb-2U9G@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/ethernet/stmicro/stmmac/descs_com.h b/drivers/net/ethernet/stmicro/stmmac/descs_com.h
index 40f7f2da9c5e62cdd84a33066557501efb82e209..cb3bfc1571f91131145dee1e8b9d2008d5922d12 100644 (file)
--- a/drivers/net/ethernet/stmicro/stmmac/descs_com.h
+++ b/drivers/net/ethernet/stmicro/stmmac/descs_com.h
@@ -39,15 +39,19 @@ static inline void enh_desc_end_tx_desc_on_ring(struct dma_desc *p, int end)
                p->des0 &= cpu_to_le32(~ETDES0_END_RING);
 }
 
+/* The maximum buffer 1 size is 8KiB - 1. However, we limit to 4KiB. */
 static inline void enh_set_tx_desc_len_on_ring(struct dma_desc *p, int len)
 {
-       if (unlikely(len > BUF_SIZE_4KiB)) {
-               p->des1 |= cpu_to_le32((((len - BUF_SIZE_4KiB)
+       unsigned int buffer1_max_length = BUF_SIZE_4KiB;
+
+       if (unlikely(len > buffer1_max_length)) {
+               p->des1 |= cpu_to_le32((((len - buffer1_max_length)
                                        << ETDES1_BUFFER2_SIZE_SHIFT)
-                           & ETDES1_BUFFER2_SIZE_MASK) | (BUF_SIZE_4KiB
+                           & ETDES1_BUFFER2_SIZE_MASK) | (buffer1_max_length
                            & ETDES1_BUFFER1_SIZE_MASK));
-       } else
+       } else {
                p->des1 |= cpu_to_le32((len & ETDES1_BUFFER1_SIZE_MASK));
+       }
 }
 
 /* Normal descriptors */
@@ -73,16 +77,20 @@ static inline void ndesc_end_tx_desc_on_ring(struct dma_desc *p, int end)
                p->des1 &= cpu_to_le32(~TDES1_END_RING);
 }
 
+/* The maximum buffer 1 size is 2KiB - 1, limited by the mask width */
 static inline void norm_set_tx_desc_len_on_ring(struct dma_desc *p, int len)
 {
-       if (unlikely(len > BUF_SIZE_2KiB)) {
-               unsigned int buffer1 = (BUF_SIZE_2KiB - 1)
-                                       & TDES1_BUFFER1_SIZE_MASK;
-               p->des1 |= cpu_to_le32((((len - buffer1)
+       unsigned int buffer1_max_length = BUF_SIZE_2KiB - 1;
+
+       if (unlikely(len > buffer1_max_length)) {
+               unsigned int buffer1 = buffer1_max_length &
+                                      TDES1_BUFFER1_SIZE_MASK;
+               p->des1 |= cpu_to_le32((((len - buffer1_max_length)
                                        << TDES1_BUFFER2_SIZE_SHIFT)
                                & TDES1_BUFFER2_SIZE_MASK) | buffer1);
-       } else
+       } else {
                p->des1 |= cpu_to_le32((len & TDES1_BUFFER1_SIZE_MASK));
+       }
 }
 
 /* Specific functions used for Chain mode */