eth: fbnic: Fix counter roll-over issue

Fix a potential counter roll-over issue in fbnic_mbx_alloc_rx_msgs()
when calculating descriptor slots. The issue occurs when head - tail
results in a large positive value (unsigned) and the compiler interprets
head - tail - 1 as a signed value.

Since FBNIC_IPC_MBX_DESC_LEN is a power of two, use a masking operation,
which is a common way of avoiding this problem when dealing with these
sort of ring space calculations.

Fixes: da3cde08209e ("eth: fbnic: Add FW communication mechanism")
Signed-off-by: Mohsin Bashir <mohsin.bashr@gmail.com>
Link: https://patch.msgid.link/20251125211704.3222413-1-mohsin.bashr@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_fw.c b/drivers/net/ethernet/meta/fbnic/fbnic_fw.c
index c87cb9ed09e7e2407c0418a1cdc1f01b4b832544..fcd9912e7ad3bd1de831c75f3ca25bd86f85e956 100644 (file)
--- a/drivers/net/ethernet/meta/fbnic/fbnic_fw.c
+++ b/drivers/net/ethernet/meta/fbnic/fbnic_fw.c
@@ -201,7 +201,7 @@ static int fbnic_mbx_alloc_rx_msgs(struct fbnic_dev *fbd)
                return -ENODEV;
 
        /* Fill all but 1 unused descriptors in the Rx queue. */
-       count = (head - tail - 1) % FBNIC_IPC_MBX_DESC_LEN;
+       count = (head - tail - 1) & (FBNIC_IPC_MBX_DESC_LEN - 1);
        while (!err && count--) {
                struct fbnic_tlv_msg *msg;