From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id AC44CC5AE59 for ; Wed, 4 Jun 2025 00:54:48 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 5835280D41; Wed, 4 Jun 2025 00:54:48 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id GMp58i-hK1nB; Wed, 4 Jun 2025 00:54:47 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=140.211.166.142; helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 86F1980D66 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org; s=default; t=1748998487; bh=x9p0McvhpC5QxFUCoI+PAOg+dLw2bWIJELsr9LuXA/M=; h=From:To:Cc:Date:In-Reply-To:References:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From; b=G1tvlHnLGKpROvDnpzEyIb2r2VAYgp3KnBp6e9W+BKuBZL8LDhikCuo5eSVfzFrim JMmbaugHxYq5VdnulzffTXANZhTJbrA4LnINWvBAxP98dvMqtIwPGD0knpBPUoyc9j rzWseSU+vlsI/m7FfuwkKFM3BC9hrbm7FQ7AlTylTJOrwZA3eiDBEEc4LfI5uuRxqM zhmaSxiVSO9ev7A0aOBEMUPR0UVtGTN4HeFuIAhAWwvFomjom5YNlcawubfQAKznVI 6pliY2TppiKHX/RYhA1RLcdADOU/a2UC9U7mhPBGZw0TM7rG5tgQha9rNFZoTd754J k1fEx89ZtvmJw== Received: from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142]) by smtp1.osuosl.org (Postfix) with ESMTP id 86F1980D66; Wed, 4 Jun 2025 00:54:47 +0000 (UTC) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists1.osuosl.org (Postfix) with ESMTP id 8709AB07 for ; Wed, 4 Jun 2025 00:54:46 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 6D35480D69 for ; Wed, 4 Jun 2025 00:54:46 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id VehdotUhgQW1 for ; Wed, 4 Jun 2025 00:54:45 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=2600:3c0a:e001:78e:0:1991:8:25; helo=sea.source.kernel.org; envelope-from=sashal@kernel.org; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org A702B80D4F DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org A702B80D4F Received: from sea.source.kernel.org (sea.source.kernel.org [IPv6:2600:3c0a:e001:78e:0:1991:8:25]) by smtp1.osuosl.org (Postfix) with ESMTPS id A702B80D4F for ; Wed, 4 Jun 2025 00:54:45 +0000 (UTC) Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sea.source.kernel.org (Postfix) with ESMTP id 0180F43FCD; Wed, 4 Jun 2025 00:54:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BB387C4CEEF; Wed, 4 Jun 2025 00:54:43 +0000 (UTC) From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Kyungwook Boo , Przemek Kitszel , Simon Horman , Aleksandr Loktionov , Rinitha S , Tony Nguyen , Sasha Levin , intel-wired-lan@lists.osuosl.org Date: Tue, 3 Jun 2025 20:50:32 -0400 Message-Id: <20250604005049.4147522-101-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250604005049.4147522-1-sashal@kernel.org> References: <20250604005049.4147522-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.15 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1748998484; bh=eKMQyV1C91DAC7hK8qLEUulNHkD5CAVhLyhXYXFIokA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OVzj0JtPptA4vX4EFGtMMKNUPUl5gyvhQBjzYa1CKVylxY2IsdysaSjryFqpZGZHp 9AyN0Q2zqj/IHmJ99XmRIkgQ5AsiJ9d9C+SgWvFTvANriBU+2CM/uz4roCb+UJMZKP slrr956A86fU5Wx3BzhGvmm48jC/IHvOc1bHdVGK1dJSLr525FscXxkQcBrB546sKx 3pQJ5VXKVOWg2pSi4f9gUTVC74ZSPqphbeLZ221YUA4rQi5z1VIS7PfhMeeCqnPDPi WD1BlM2CNOpJC5c3zEp74z1avfLcs/mCBk3dkiT9OJeX7mphxjhlrgkFboEY5eXCHo PnXFWB0Avxyrg== X-Mailman-Original-Authentication-Results: smtp1.osuosl.org; dmarc=pass (p=quarantine dis=none) header.from=kernel.org X-Mailman-Original-Authentication-Results: smtp1.osuosl.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256 header.s=k20201202 header.b=OVzj0JtP Subject: [Intel-wired-lan] [PATCH AUTOSEL 6.15 101/118] i40e: fix MMIO write access to an invalid page in i40e_clear_hw X-BeenThere: intel-wired-lan@osuosl.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Intel Wired Ethernet Linux Kernel Driver Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: intel-wired-lan-bounces@osuosl.org Sender: "Intel-wired-lan" From: Kyungwook Boo [ Upstream commit 015bac5daca978448f2671478c553ce1f300c21e ] When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables. Signed-off-by: Kyungwook Boo Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ Reviewed-by: Przemek Kitszel Reviewed-by: Simon Horman Reviewed-by: Aleksandr Loktionov Tested-by: Rinitha S (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin --- **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Analysis of Code Changes The commit changes variable types in `i40e_clear_hw()` from unsigned (`u32`) to signed (`s32`) for: 1. `num_pf_int` - number of PF interrupts 2. `num_vf_int` - number of VF interrupts 3. `i` - loop counter variable **Critical Security Issue**: The problem occurs when hardware registers contain malicious values where `num_pf_int` or `num_vf_int` could be 0 or 1. In the loops at lines 852-853 and 858-859: ```c for (i = 0; i < num_pf_int - 2; i++) wr32(hw, I40E_PFINT_DYN_CTLN(i), val); ``` If `num_pf_int` is 0 or 1, then `num_pf_int - 2` becomes a large positive number due to unsigned integer underflow (0xFFFFFFFE or 0xFFFFFFFF), causing the loop to iterate billions of times and write to invalid MMIO addresses, leading to system crashes or potential security vulnerabilities. ## Comparison with Similar Commits This fix follows the **exact same pattern** as Similar Commit #2 (fc6f716a5069), which was marked **YES** for backporting. That commit addressed the same class of vulnerability in the same function: - **Similar Commit #2**: Added bounds checking (`j >= base_queue`, `j >= i`) to prevent underflow in queue/VF calculations - **Current Commit**: Changes variable types to signed to prevent underflow in interrupt calculations Both fixes address **integer underflow vulnerabilities in `i40e_clear_hw()`** that can lead to **MMIO writes to invalid memory pages**. ## Backport Suitability Criteria ✅ **Fixes important security bug**: Prevents system crashes and potential memory corruption ✅ **Small, contained change**: Only changes variable types, no logic changes ✅ **Minimal side effects**: Type changes are safe and don't affect functionality ✅ **No architectural changes**: Simple type fix ✅ **Critical subsystem**: Network driver, but change is isolated ✅ **Clear commit message**: Explicitly describes the security issue ✅ **Follows stable rules**: Important security bugfix with minimal risk ## Historical Context The vulnerability was introduced in commit 838d41d92a90 ("i40e: clear all queues and interrupts") from 2014. A related fix (fc6f716a5069) was already applied for similar underflow issues in the same function and was backported. This commit completes the fix by addressing the remaining underflow vectors. ## Risk Assessment **Risk: MINIMAL** - This is a simple type change that: - Makes signed arithmetic behave correctly - Prevents undefined behavior from unsigned underflow - Has no functional impact on normal operation - Only affects error conditions with malformed hardware registers The fix is **essential for security** and has **virtually zero regression risk**, making it an ideal candidate for stable backporting. drivers/net/ethernet/intel/i40e/i40e_common.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c index 370b4bddee441..b11c35e307ca9 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_common.c +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c @@ -817,10 +817,11 @@ int i40e_pf_reset(struct i40e_hw *hw) void i40e_clear_hw(struct i40e_hw *hw) { u32 num_queues, base_queue; - u32 num_pf_int; - u32 num_vf_int; + s32 num_pf_int; + s32 num_vf_int; u32 num_vfs; - u32 i, j; + s32 i; + u32 j; u32 val; u32 eol = 0x7ff; -- 2.39.5 From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 007641C4A20; Wed, 4 Jun 2025 00:54:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1748998485; cv=none; b=E6gyx/oHIiccN7Kl+KO423FOSmFvUt9SMJQ3QR4pduPFX253mg5ARTE6gkXCRXfGxigan3QxQoUkBxJaGRDn73LQwaFAQwvpTvZCHNjyiJ9eVK6TuYsUb+y0d2LbMsLEJm/WxPQ5z0ktDqfJ3Q/W2n9fGIEf/Y9bTTaOLIcB3lQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1748998485; c=relaxed/simple; bh=eKMQyV1C91DAC7hK8qLEUulNHkD5CAVhLyhXYXFIokA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Type; b=GGTIVe78n6dMxRFKyESdT4tR4FX+nsmsBG93YByyABDIY+GABNDN/HqowuwXSjkiuEIFzU3fs7H9THbk1ZgBbdXv5jnqTE2Sep1+6/hKwJ2k4MbUL8pGIGV8zj2bk3QczGxRqIbThxyj63NR1yjmduKROxUIGHlEplfFm6eFNZQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=OVzj0JtP; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="OVzj0JtP" Received: by smtp.kernel.org (Postfix) with ESMTPSA id BB387C4CEEF; Wed, 4 Jun 2025 00:54:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1748998484; bh=eKMQyV1C91DAC7hK8qLEUulNHkD5CAVhLyhXYXFIokA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OVzj0JtPptA4vX4EFGtMMKNUPUl5gyvhQBjzYa1CKVylxY2IsdysaSjryFqpZGZHp 9AyN0Q2zqj/IHmJ99XmRIkgQ5AsiJ9d9C+SgWvFTvANriBU+2CM/uz4roCb+UJMZKP slrr956A86fU5Wx3BzhGvmm48jC/IHvOc1bHdVGK1dJSLr525FscXxkQcBrB546sKx 3pQJ5VXKVOWg2pSi4f9gUTVC74ZSPqphbeLZ221YUA4rQi5z1VIS7PfhMeeCqnPDPi WD1BlM2CNOpJC5c3zEp74z1avfLcs/mCBk3dkiT9OJeX7mphxjhlrgkFboEY5eXCHo PnXFWB0Avxyrg== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Kyungwook Boo , Przemek Kitszel , Simon Horman , Aleksandr Loktionov , Rinitha S , Tony Nguyen , Sasha Levin , intel-wired-lan@lists.osuosl.org Subject: [PATCH AUTOSEL 6.15 101/118] i40e: fix MMIO write access to an invalid page in i40e_clear_hw Date: Tue, 3 Jun 2025 20:50:32 -0400 Message-Id: <20250604005049.4147522-101-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250604005049.4147522-1-sashal@kernel.org> References: <20250604005049.4147522-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.15 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Kyungwook Boo [ Upstream commit 015bac5daca978448f2671478c553ce1f300c21e ] When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables. Signed-off-by: Kyungwook Boo Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ Reviewed-by: Przemek Kitszel Reviewed-by: Simon Horman Reviewed-by: Aleksandr Loktionov Tested-by: Rinitha S (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin --- **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Analysis of Code Changes The commit changes variable types in `i40e_clear_hw()` from unsigned (`u32`) to signed (`s32`) for: 1. `num_pf_int` - number of PF interrupts 2. `num_vf_int` - number of VF interrupts 3. `i` - loop counter variable **Critical Security Issue**: The problem occurs when hardware registers contain malicious values where `num_pf_int` or `num_vf_int` could be 0 or 1. In the loops at lines 852-853 and 858-859: ```c for (i = 0; i < num_pf_int - 2; i++) wr32(hw, I40E_PFINT_DYN_CTLN(i), val); ``` If `num_pf_int` is 0 or 1, then `num_pf_int - 2` becomes a large positive number due to unsigned integer underflow (0xFFFFFFFE or 0xFFFFFFFF), causing the loop to iterate billions of times and write to invalid MMIO addresses, leading to system crashes or potential security vulnerabilities. ## Comparison with Similar Commits This fix follows the **exact same pattern** as Similar Commit #2 (fc6f716a5069), which was marked **YES** for backporting. That commit addressed the same class of vulnerability in the same function: - **Similar Commit #2**: Added bounds checking (`j >= base_queue`, `j >= i`) to prevent underflow in queue/VF calculations - **Current Commit**: Changes variable types to signed to prevent underflow in interrupt calculations Both fixes address **integer underflow vulnerabilities in `i40e_clear_hw()`** that can lead to **MMIO writes to invalid memory pages**. ## Backport Suitability Criteria ✅ **Fixes important security bug**: Prevents system crashes and potential memory corruption ✅ **Small, contained change**: Only changes variable types, no logic changes ✅ **Minimal side effects**: Type changes are safe and don't affect functionality ✅ **No architectural changes**: Simple type fix ✅ **Critical subsystem**: Network driver, but change is isolated ✅ **Clear commit message**: Explicitly describes the security issue ✅ **Follows stable rules**: Important security bugfix with minimal risk ## Historical Context The vulnerability was introduced in commit 838d41d92a90 ("i40e: clear all queues and interrupts") from 2014. A related fix (fc6f716a5069) was already applied for similar underflow issues in the same function and was backported. This commit completes the fix by addressing the remaining underflow vectors. ## Risk Assessment **Risk: MINIMAL** - This is a simple type change that: - Makes signed arithmetic behave correctly - Prevents undefined behavior from unsigned underflow - Has no functional impact on normal operation - Only affects error conditions with malformed hardware registers The fix is **essential for security** and has **virtually zero regression risk**, making it an ideal candidate for stable backporting. drivers/net/ethernet/intel/i40e/i40e_common.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c index 370b4bddee441..b11c35e307ca9 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_common.c +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c @@ -817,10 +817,11 @@ int i40e_pf_reset(struct i40e_hw *hw) void i40e_clear_hw(struct i40e_hw *hw) { u32 num_queues, base_queue; - u32 num_pf_int; - u32 num_vf_int; + s32 num_pf_int; + s32 num_vf_int; u32 num_vfs; - u32 i, j; + s32 i; + u32 j; u32 val; u32 eol = 0x7ff; -- 2.39.5