From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CDFBF222587; Fri, 1 Aug 2025 22:06:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754086012; cv=none; b=DSoIAYoMZwCbKU1KL8NOyGmT10MF5+v4rtaxWb/uGvq7FRpBkhilBRqTcGOrQ/m7BDZPhnadBdzR7AkenusBYGcQsyvd7FuK2Hqse0FvwzPtNAJxPF+/atkZ2YA2tOyTODAtgS6NoK/uD8smPsStkVwFdIhbCfM2LSzUc4MB1/U= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754086012; c=relaxed/simple; bh=pwxbqxUHDfTPGoCghA+CLoB275KxIHwAbXzxd7xhiBQ=; h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=d+CSi07nta+NnOFgWc4cTUNXTOSDkziBXcuitJH7Fdt14CnkNJDjRyi8sZhLvi1YwhUOCV70NTCOuc0I+fwEVFCUJ/7Hx5QdGRKN2UoCtPTctkxB9bmGPOUgD5NiiWF61/uyo7EDjKVvM2fMHrnnRhGPn/+7HYYnuJoLE2Apoqc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=jA6ETZOc; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="jA6ETZOc" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E0839C4CEE7; Fri, 1 Aug 2025 22:06:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1754086012; bh=pwxbqxUHDfTPGoCghA+CLoB275KxIHwAbXzxd7xhiBQ=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=jA6ETZOcf/PV/IbKiZN3Znm1BqaK55SSBxGTNoZzSWpIuGX/5xOsqLNRC5JVx/TOq aVUWe/uPludz3M44heR+sprjyQT87Z5PjKpCg9LG198F2wKlbIMtCjBReZsaEyHfm5 0hhz4p/Sdesv+PaVpiRovtEwTkC4nkRMhL80+UZZKxvwMJo/IV1xjANPtWuB2KhgHT 87XWawVTQ6hR4itYaWdrpL3k2r4iGB3isTewCsn9ZuDhh/8I6ZABlzDnWQCW1txmQM pMwB0kTTlOTkxYIRzOWv/ian9wGnzxZBcBeJCCjcwlAqBYvJCH0cPee47XNPM3XvxW wIUJ8y2L3/LHA== Date: Fri, 1 Aug 2025 15:06:51 -0700 From: Jakub Kicinski To: maher azz Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jamal Hadi Salim , Cong Wang , jiri@resnulli.us, davem@davemloft.net, Eric Dumazet , pabeni@redhat.com, Simon Horman , Ferenc Fejes , Vladimir Oltean Subject: Re: [PATCH v2 net] net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing Message-ID: <20250801150651.54969a4e@kernel.org> In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Tue, 29 Jul 2025 16:39:26 +0100 maher azz wrote: > From: Maher Azzouzi >=20 > TCA_MQPRIO_TC_ENTRY_INDEX is validated using > NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value > TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack write = in > the fp[] array, which only has room for 16 elements (0=E2=80=9315). >=20 > Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1. >=20 > Fixes: f62af20bed2d ("net/sched: mqprio: allow per-TC user input of FP > adminStatus") Don't wrap the Fixes tags; >=20 no empty lines between tags; > Signed-off-by: Maher Azzouzi your email client is corrupting the emails, tabs get replaced with spaces. Please add the review tag you received from Eric on v1 and try sending v3 with git send-email? --=20 pw-bot: cr