From: Simon Horman <horms@kernel.org>
To: alejandro.lucero-palau@amd.com
Cc: linux-cxl@vger.kernel.org, netdev@vger.kernel.org,
dan.j.williams@intel.com, martin.habets@xilinx.com,
edward.cree@amd.com, davem@davemloft.net, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, dave.jiang@intel.com,
Alejandro Lucero <alucerop@amd.com>
Subject: Re: [PATCH v7 28/28] sfc: support pio mapping based on cxl
Date: Thu, 12 Dec 2024 21:22:29 +0000
Message-ID: <20241212212229.GD2110@kernel.org>
In-Reply-To: <20241209185429.54054-29-alejandro.lucero-palau@amd.com>
On Mon, Dec 09, 2024 at 06:54:29PM +0000, alejandro.lucero-palau@amd.com wrote:
> From: Alejandro Lucero <alucerop@amd.com>
>
> With a device supporting CXL and successfully initialised, use the cxl
> region to map the memory range and use this mapping for PIO buffers.
>
> Signed-off-by: Alejandro Lucero <alucerop@amd.com>
> ---
> drivers/net/ethernet/sfc/ef10.c | 48 +++++++++++++++++++++++----
> drivers/net/ethernet/sfc/efx_cxl.c | 19 ++++++++++-
> drivers/net/ethernet/sfc/net_driver.h | 2 ++
> drivers/net/ethernet/sfc/nic.h | 3 ++
> 4 files changed, 65 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
> index 452009ed7a43..4587ca884c03 100644
> --- a/drivers/net/ethernet/sfc/ef10.c
> +++ b/drivers/net/ethernet/sfc/ef10.c
> @@ -24,6 +24,7 @@
> #include <linux/wait.h>
> #include <linux/workqueue.h>
> #include <net/udp_tunnel.h>
> +#include "efx_cxl.h"
>
> /* Hardware control for EF10 architecture including 'Huntington'. */
>
> @@ -177,6 +178,12 @@ static int efx_ef10_init_datapath_caps(struct efx_nic *efx)
> efx->num_mac_stats);
> }

Hi Alejandro,

Earlier in efx_ef10_init_datapath_caps, outbuf is declared using:

	MCDI_DECLARE_BUF(outbuf, MC_CMD_GET_CAPABILITIES_V4_OUT_LEN);

This will result in the following declaration:

	efx_dword_t _name[DIV_ROUND_UP(MC_CMD_GET_CAPABILITIES_V4_OUT_LEN, 4)]

Where MC_CMD_GET_CAPABILITIES_V4_OUT_LEN is defined as 78.
So outbuf will be an array with DIV_ROUND_UP(78, 4) == 20 elements.

>
> + if (outlen < MC_CMD_GET_CAPABILITIES_V7_OUT_LEN)
> + nic_data->datapath_caps3 = 0;
> + else
> + nic_data->datapath_caps3 = MCDI_DWORD(outbuf,
> + GET_CAPABILITIES_V7_OUT_FLAGS3);
> +
> return 0;
> }
>
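
Review bot: in the else branch, MCDI_DWORD(outbuf, GET_CAPABILITIES_V7_OUT_FLAGS3) reads a V7 field from a buffer that is still declared with MC_CMD_GET_CAPABILITIES_V4_OUT_LEN, and the outlen < MC_CMD_GET_CAPABILITIES_V7_OUT_LEN test does not change that: the array has 20 elements whatever outlen is, and the read lands at index 37. The outbuf declaration should be moved to the V7 length in the same patch that adds this read, so that the length check and the array size describe the same reply layout.
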
MC_CMD_GET_CAPABILITIES_V7_OUT_FLAGS3_OFST is defined as 148.
And the above will result in an access to element 148 / 4 == 37 of
outbuf. A buffer overflow.

Flagged by gcc-14 W=1 allmodconfig builds as:

In file included from drivers/net/ethernet/sfc/net_driver.h:33,
from drivers/net/ethernet/sfc/ef10.c:7:
drivers/net/ethernet/sfc/ef10.c: In function 'efx_ef10_init_datapath_caps':
drivers/net/ethernet/sfc/bitfield.h:167:35: warning: array subscript 37 is above array bounds of 'efx_dword_t[20]' {aka 'union efx_dword[20]'} [-Warray-bounds=]
167 | (EFX_EXTRACT32((dword).u32[0], 0, 31, low, high) & \
drivers/net/ethernet/sfc/bitfield.h:129:11: note: in definition of macro 'EFX_EXTRACT_NATIVE'
129 | (native_element) << ((min) - (low)))
| ^~~~~~~~~~~~~~
./include/linux/byteorder/generic.h:89:21: note: in expansion of macro '__le32_to_cpu'
89 | #define le32_to_cpu __le32_to_cpu
| ^~~~~~~~~~~~~
drivers/net/ethernet/sfc/bitfield.h:167:10: note: in expansion of macro 'EFX_EXTRACT32'
167 | (EFX_EXTRACT32((dword).u32[0], 0, 31, low, high) & \
| ^~~~~~~~~~~~~
drivers/net/ethernet/sfc/bitfield.h:187:9: note: in expansion of macro 'EFX_EXTRACT_DWORD'
187 | EFX_EXTRACT_DWORD(dword, EFX_LOW_BIT(field), \
| ^~~~~~~~~~~~~~~~~
drivers/net/ethernet/sfc/mcdi.h:257:9: note: in expansion of macro 'EFX_DWORD_FIELD'
257 | EFX_DWORD_FIELD(*_MCDI_DWORD(_buf, _field), EFX_DWORD_0)
| ^~~~~~~~~~~~~~~
drivers/net/ethernet/sfc/ef10.c:184:44: note: in expansion of macro 'MCDI_DWORD'
184 | nic_data->datapath_caps3 = MCDI_DWORD(outbuf,
| ^~~~~~~~~~
In file included from drivers/net/ethernet/sfc/ef10.c:12:
drivers/net/ethernet/sfc/ef10.c:110:26: note: while referencing 'outbuf'
110 | MCDI_DECLARE_BUF(outbuf, MC_CMD_GET_CAPABILITIES_V4_OUT_LEN);
| ^~~~~~
drivers/net/ethernet/sfc/mcdi.h:187:21: note: in definition of macro '_MCDI_DECLARE_BUF'
187 | efx_dword_t _name[DIV_ROUND_UP(_len, 4)]
| ^~~~~
drivers/net/ethernet/sfc/ef10.c:110:9: note: in expansion of macro 'MCDI_DECLARE_BUF'
110 | MCDI_DECLARE_BUF(outbuf, MC_CMD_GET_CAPABILITIES_V4_OUT_LEN);
| ^~~~~~~~~~~~~~~~
...
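
The sizing walked through in the message above, as an added example that is not part of the message and not code from the sfc driver. It goes a step beyond the message by pairing the declaration with a build-time assertion and a bounds-checked read. DECLARE_BUF, FIELD_FITS and read_dword are hypothetical stand-ins, and V7_OUT_LEN is assumed to be the FLAGS3 offset plus 4 because the page does not give its value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: numeric values are the ones quoted in the message,
 * the short names are stand-ins for the driver's identifiers. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
#define V4_OUT_LEN      78   /* MC_CMD_GET_CAPABILITIES_V4_OUT_LEN */
#define V7_FLAGS3_OFST  148  /* MC_CMD_GET_CAPABILITIES_V7_OUT_FLAGS3_OFST */
#define V7_OUT_LEN      (V7_FLAGS3_OFST + 4) /* assumption: FLAGS3 ends the reply */
typedef union { uint32_t u32[1]; } dword_t;  /* simplified efx_dword_t */
#define DECLARE_BUF(name, len) dword_t name[DIV_ROUND_UP(len, 4)]
/* Hypothetical build-time guard: does a dword at ofst lie inside buf? */
#define FIELD_FITS(buf, ofst) ((ofst) + sizeof(dword_t) <= sizeof(buf))

/* Hypothetical checked accessor: 0 on success, -1 when the dword at ofst is
 * outside the buffer or beyond the bytes the reply filled. */
static int read_dword(const dword_t *buf, size_t buf_bytes, size_t reply_len,
                      size_t ofst, uint32_t *out)
{
    size_t limit = reply_len < buf_bytes ? reply_len : buf_bytes;
    if (ofst % 4 || limit < sizeof(dword_t) || ofst > limit - sizeof(dword_t))
        return -1;
    *out = buf[ofst / 4].u32[0];
    return 0;
}

/* Buffer sized from the V4 length, as in the patch: 20 dwords, index 37 refused. */
static int read_flags3_v4_sized(uint32_t *out)
{
    DECLARE_BUF(outbuf, V4_OUT_LEN) = { 0 };
    _Static_assert(!FIELD_FITS(outbuf, V7_FLAGS3_OFST), "FLAGS3 is outside");
    return read_dword(outbuf, sizeof(outbuf), V7_OUT_LEN, V7_FLAGS3_OFST, out);
}

/* Buffer sized from the V7 length: the same read is in bounds. */
static int read_flags3_v7_sized(uint32_t *out)
{
    DECLARE_BUF(outbuf, V7_OUT_LEN) = { 0 };
    _Static_assert(FIELD_FITS(outbuf, V7_FLAGS3_OFST), "FLAGS3 fits");
    outbuf[V7_FLAGS3_OFST / 4].u32[0] = 0xA5A5A5A5u; /* constructed reply value */
    return read_dword(outbuf, sizeof(outbuf), V7_OUT_LEN, V7_FLAGS3_OFST, out);
}

int main(void)
{
    uint32_t v = 0;
    printf("V4-sized: %d, V7-sized: %d\n", read_flags3_v4_sized(&v), read_flags3_v7_sized(&v));
    return 0;
}
```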