* [linux-next:master 9725/10183] drivers/net/ethernet/qlogic/qede/qede_fp.c:989 qede_tpa_end() error: testing array offset 'i' after use.
From: kernel test robot @ 2025-11-19 13:16 UTC
To: oe-kbuild; +Cc: lkp, Dan Carpenter
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
TO: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
CC: Paolo Abeni <pabeni@redhat.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: fe4d0dea039f2befb93f27569593ec209843b0f5
commit: 896f1a2493b59beb2b5ccdf990503dbb16cb2256 [9725/10183] net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()
:::::: branch date: 10 hours ago
:::::: commit date: 27 hours ago
config: xtensa-randconfig-r073-20251119 (https://download.01.org/0day-ci/archive/20251119/202511192128.aqouWvbT-lkp@intel.com/config)
compiler: xtensa-linux-gcc (GCC) 8.5.0
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202511192128.aqouWvbT-lkp@intel.com/
New smatch warnings:
drivers/net/ethernet/qlogic/qede/qede_fp.c:989 qede_tpa_end() error: testing array offset 'i' after use.
drivers/net/ethernet/qlogic/qede/qede_fp.c:964 qede_tpa_cont() error: testing array offset 'i' after use.
Old smatch warnings:
arch/xtensa/include/asm/thread_info.h:97 current_thread_info() warn: inconsistent indenting
vim +/i +989 drivers/net/ethernet/qlogic/qede/qede_fp.c
cdda926d409869 Mintz, Yuval 2017-01-01 957
cdda926d409869 Mintz, Yuval 2017-01-01 958 static inline void qede_tpa_cont(struct qede_dev *edev,
cdda926d409869 Mintz, Yuval 2017-01-01 959 struct qede_rx_queue *rxq,
cdda926d409869 Mintz, Yuval 2017-01-01 960 struct eth_fast_path_rx_tpa_cont_cqe *cqe)
cdda926d409869 Mintz, Yuval 2017-01-01 961 {
cdda926d409869 Mintz, Yuval 2017-01-01 962 int i;
cdda926d409869 Mintz, Yuval 2017-01-01 963
896f1a2493b59b Pavel Zhigulin 2025-11-13 @964 for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
cdda926d409869 Mintz, Yuval 2017-01-01 965 qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
cdda926d409869 Mintz, Yuval 2017-01-01 966 le16_to_cpu(cqe->len_list[i]));
cdda926d409869 Mintz, Yuval 2017-01-01 967
cdda926d409869 Mintz, Yuval 2017-01-01 968 if (unlikely(i > 1))
cdda926d409869 Mintz, Yuval 2017-01-01 969 DP_ERR(edev,
cdda926d409869 Mintz, Yuval 2017-01-01 970 "Strange - TPA cont with more than a single len_list entry\n");
cdda926d409869 Mintz, Yuval 2017-01-01 971 }
cdda926d409869 Mintz, Yuval 2017-01-01 972
10a0176e4e6eb6 Mintz, Yuval 2017-04-07 973 static int qede_tpa_end(struct qede_dev *edev,
cdda926d409869 Mintz, Yuval 2017-01-01 974 struct qede_fastpath *fp,
cdda926d409869 Mintz, Yuval 2017-01-01 975 struct eth_fast_path_rx_tpa_end_cqe *cqe)
cdda926d409869 Mintz, Yuval 2017-01-01 976 {
cdda926d409869 Mintz, Yuval 2017-01-01 977 struct qede_rx_queue *rxq = fp->rxq;
cdda926d409869 Mintz, Yuval 2017-01-01 978 struct qede_agg_info *tpa_info;
cdda926d409869 Mintz, Yuval 2017-01-01 979 struct sk_buff *skb;
cdda926d409869 Mintz, Yuval 2017-01-01 980 int i;
cdda926d409869 Mintz, Yuval 2017-01-01 981
cdda926d409869 Mintz, Yuval 2017-01-01 982 tpa_info = &rxq->tpa_info[cqe->tpa_agg_index];
cdda926d409869 Mintz, Yuval 2017-01-01 983 skb = tpa_info->skb;
cdda926d409869 Mintz, Yuval 2017-01-01 984
8a8633978b842c Manish Chopra 2018-05-17 985 if (tpa_info->buffer.page_offset == PAGE_SIZE)
8a8633978b842c Manish Chopra 2018-05-17 986 dma_unmap_page(rxq->dev, tpa_info->buffer.mapping,
8a8633978b842c Manish Chopra 2018-05-17 987 PAGE_SIZE, rxq->data_direction);
8a8633978b842c Manish Chopra 2018-05-17 988
896f1a2493b59b Pavel Zhigulin 2025-11-13 @989 for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
cdda926d409869 Mintz, Yuval 2017-01-01 990 qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
cdda926d409869 Mintz, Yuval 2017-01-01 991 le16_to_cpu(cqe->len_list[i]));
cdda926d409869 Mintz, Yuval 2017-01-01 992 if (unlikely(i > 1))
cdda926d409869 Mintz, Yuval 2017-01-01 993 DP_ERR(edev,
cdda926d409869 Mintz, Yuval 2017-01-01 994 "Strange - TPA emd with more than a single len_list entry\n");
cdda926d409869 Mintz, Yuval 2017-01-01 995
cdda926d409869 Mintz, Yuval 2017-01-01 996 if (unlikely(tpa_info->state != QEDE_AGG_STATE_START))
cdda926d409869 Mintz, Yuval 2017-01-01 997 goto err;
cdda926d409869 Mintz, Yuval 2017-01-01 998
cdda926d409869 Mintz, Yuval 2017-01-01 999 /* Sanity */
cdda926d409869 Mintz, Yuval 2017-01-01 1000 if (unlikely(cqe->num_of_bds != tpa_info->frag_id + 1))
cdda926d409869 Mintz, Yuval 2017-01-01 1001 DP_ERR(edev,
cdda926d409869 Mintz, Yuval 2017-01-01 1002 "Strange - TPA had %02x BDs, but SKB has only %d frags\n",
cdda926d409869 Mintz, Yuval 2017-01-01 1003 cqe->num_of_bds, tpa_info->frag_id);
cdda926d409869 Mintz, Yuval 2017-01-01 1004 if (unlikely(skb->len != le16_to_cpu(cqe->total_packet_len)))
cdda926d409869 Mintz, Yuval 2017-01-01 1005 DP_ERR(edev,
cdda926d409869 Mintz, Yuval 2017-01-01 1006 "Strange - total packet len [cqe] is %4x but SKB has len %04x\n",
cdda926d409869 Mintz, Yuval 2017-01-01 1007 le16_to_cpu(cqe->total_packet_len), skb->len);
cdda926d409869 Mintz, Yuval 2017-01-01 1008
cdda926d409869 Mintz, Yuval 2017-01-01 1009 /* Finalize the SKB */
cdda926d409869 Mintz, Yuval 2017-01-01 1010 skb->protocol = eth_type_trans(skb, edev->ndev);
cdda926d409869 Mintz, Yuval 2017-01-01 1011 skb->ip_summed = CHECKSUM_UNNECESSARY;
cdda926d409869 Mintz, Yuval 2017-01-01 1012
cdda926d409869 Mintz, Yuval 2017-01-01 1013 /* tcp_gro_complete() will copy NAPI_GRO_CB(skb)->count
cdda926d409869 Mintz, Yuval 2017-01-01 1014 * to skb_shinfo(skb)->gso_segs
cdda926d409869 Mintz, Yuval 2017-01-01 1015 */
cdda926d409869 Mintz, Yuval 2017-01-01 1016 NAPI_GRO_CB(skb)->count = le16_to_cpu(cqe->num_of_coalesced_segs);
cdda926d409869 Mintz, Yuval 2017-01-01 1017
cdda926d409869 Mintz, Yuval 2017-01-01 1018 qede_gro_receive(edev, fp, skb, tpa_info->vlan_tag);
cdda926d409869 Mintz, Yuval 2017-01-01 1019
cdda926d409869 Mintz, Yuval 2017-01-01 1020 tpa_info->state = QEDE_AGG_STATE_NONE;
cdda926d409869 Mintz, Yuval 2017-01-01 1021
10a0176e4e6eb6 Mintz, Yuval 2017-04-07 1022 return 1;
cdda926d409869 Mintz, Yuval 2017-01-01 1023 err:
cdda926d409869 Mintz, Yuval 2017-01-01 1024 tpa_info->state = QEDE_AGG_STATE_NONE;
8a8633978b842c Manish Chopra 2018-05-17 1025
8a8633978b842c Manish Chopra 2018-05-17 1026 if (tpa_info->tpa_start_fail) {
8a8633978b842c Manish Chopra 2018-05-17 1027 qede_reuse_page(rxq, &tpa_info->buffer);
8a8633978b842c Manish Chopra 2018-05-17 1028 tpa_info->tpa_start_fail = false;
8a8633978b842c Manish Chopra 2018-05-17 1029 }
8a8633978b842c Manish Chopra 2018-05-17 1030
cdda926d409869 Mintz, Yuval 2017-01-01 1031 dev_kfree_skb_any(tpa_info->skb);
cdda926d409869 Mintz, Yuval 2017-01-01 1032 tpa_info->skb = NULL;
10a0176e4e6eb6 Mintz, Yuval 2017-04-07 1033 return 0;
cdda926d409869 Mintz, Yuval 2017-01-01 1034 }
cdda926d409869 Mintz, Yuval 2017-01-01 1035
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* [linux-next:master 9725/10183] drivers/net/ethernet/qlogic/qede/qede_fp.c:989 qede_tpa_end() error: testing array offset 'i' after use.
From: Dan Carpenter @ 2025-11-19 13:39 UTC
To: oe-kbuild, Pavel Zhigulin; +Cc: lkp, oe-kbuild-all, Paolo Abeni
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: fe4d0dea039f2befb93f27569593ec209843b0f5
commit: 896f1a2493b59beb2b5ccdf990503dbb16cb2256 [9725/10183] net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()
config: xtensa-randconfig-r073-20251119 (https://download.01.org/0day-ci/archive/20251119/202511192128.aqouWvbT-lkp@intel.com/config)
compiler: xtensa-linux-gcc (GCC) 8.5.0
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
| Closes: https://lore.kernel.org/r/202511192128.aqouWvbT-lkp@intel.com/
New smatch warnings:
drivers/net/ethernet/qlogic/qede/qede_fp.c:989 qede_tpa_end() error: testing array offset 'i' after use.
drivers/net/ethernet/qlogic/qede/qede_fp.c:964 qede_tpa_cont() error: testing array offset 'i' after use.
Old smatch warnings:
arch/xtensa/include/asm/thread_info.h:97 current_thread_info() warn: inconsistent indenting
vim +/i +989 drivers/net/ethernet/qlogic/qede/qede_fp.c
cdda926d409869 Mintz, Yuval 2017-01-01 958 static inline void qede_tpa_cont(struct qede_dev *edev,
cdda926d409869 Mintz, Yuval 2017-01-01 959 struct qede_rx_queue *rxq,
cdda926d409869 Mintz, Yuval 2017-01-01 960 struct eth_fast_path_rx_tpa_cont_cqe *cqe)
cdda926d409869 Mintz, Yuval 2017-01-01 961 {
cdda926d409869 Mintz, Yuval 2017-01-01 962 int i;
cdda926d409869 Mintz, Yuval 2017-01-01 963
896f1a2493b59b Pavel Zhigulin 2025-11-13 @964 for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This needs to be done the other way to avoid an off-by-one access.
i < ARRAY_SIZE(cqe->len_list) && cqe->len_list[i]
cdda926d409869 Mintz, Yuval 2017-01-01 965 qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
cdda926d409869 Mintz, Yuval 2017-01-01 966 le16_to_cpu(cqe->len_list[i]));
cdda926d409869 Mintz, Yuval 2017-01-01 967
cdda926d409869 Mintz, Yuval 2017-01-01 968 if (unlikely(i > 1))
cdda926d409869 Mintz, Yuval 2017-01-01 969 DP_ERR(edev,
cdda926d409869 Mintz, Yuval 2017-01-01 970 "Strange - TPA cont with more than a single len_list entry\n");
cdda926d409869 Mintz, Yuval 2017-01-01 971 }
cdda926d409869 Mintz, Yuval 2017-01-01 972
10a0176e4e6eb6 Mintz, Yuval 2017-04-07 973 static int qede_tpa_end(struct qede_dev *edev,
cdda926d409869 Mintz, Yuval 2017-01-01 974 struct qede_fastpath *fp,
cdda926d409869 Mintz, Yuval 2017-01-01 975 struct eth_fast_path_rx_tpa_end_cqe *cqe)
cdda926d409869 Mintz, Yuval 2017-01-01 976 {
cdda926d409869 Mintz, Yuval 2017-01-01 977 struct qede_rx_queue *rxq = fp->rxq;
cdda926d409869 Mintz, Yuval 2017-01-01 978 struct qede_agg_info *tpa_info;
cdda926d409869 Mintz, Yuval 2017-01-01 979 struct sk_buff *skb;
cdda926d409869 Mintz, Yuval 2017-01-01 980 int i;
cdda926d409869 Mintz, Yuval 2017-01-01 981
cdda926d409869 Mintz, Yuval 2017-01-01 982 tpa_info = &rxq->tpa_info[cqe->tpa_agg_index];
cdda926d409869 Mintz, Yuval 2017-01-01 983 skb = tpa_info->skb;
cdda926d409869 Mintz, Yuval 2017-01-01 984
8a8633978b842c Manish Chopra 2018-05-17 985 if (tpa_info->buffer.page_offset == PAGE_SIZE)
8a8633978b842c Manish Chopra 2018-05-17 986 dma_unmap_page(rxq->dev, tpa_info->buffer.mapping,
8a8633978b842c Manish Chopra 2018-05-17 987 PAGE_SIZE, rxq->data_direction);
8a8633978b842c Manish Chopra 2018-05-17 988
896f1a2493b59b Pavel Zhigulin 2025-11-13 @989 for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Same.
cdda926d409869 Mintz, Yuval 2017-01-01 990 qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
cdda926d409869 Mintz, Yuval 2017-01-01 991 le16_to_cpu(cqe->len_list[i]));
cdda926d409869 Mintz, Yuval 2017-01-01 992 if (unlikely(i > 1))
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
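
The evaluation-order problem raised in the reply above, shown as an added example that is not part of the thread or of the qede driver. The `demo_cqe` struct, its 4-entry `len_list`, the instrumented `read_len()` helper and the two `walk_*` functions are all constructed for illustration; the helper counts an out-of-range index instead of dereferencing it so the demo itself stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for a CQE; the 4-entry size is a demo assumption. */
struct demo_cqe { uint16_t len_list[4]; };
struct walk_result { size_t frags; size_t oob_reads; };

static const struct demo_cqe full_list = { { 64, 64, 64, 64 } }; /* no 0 terminator */
static const struct demo_cqe short_list = { { 64, 0, 0, 0 } };
static size_t oob_count; /* reads attempted at index >= ARRAY_SIZE */

/* Instrumented read: an out-of-range index is counted, never dereferenced. */
static uint16_t read_len(const struct demo_cqe *cqe, size_t i)
{
	if (i < ARRAY_SIZE(cqe->len_list))
		return cqe->len_list[i];
	oob_count++;
	return 0;
}

/* Order flagged by smatch: element read first, bound tested second. */
static struct walk_result walk_use_then_test(const struct demo_cqe *cqe)
{
	size_t i;
	oob_count = 0;
	for (i = 0; read_len(cqe, i) && i < ARRAY_SIZE(cqe->len_list); i++)
		;
	return (struct walk_result){ i, oob_count };
}

/* Order from the reply: bound tested first, so && short-circuits the read. */
static struct walk_result walk_test_then_use(const struct demo_cqe *cqe)
{
	size_t i;
	oob_count = 0;
	for (i = 0; i < ARRAY_SIZE(cqe->len_list) && read_len(cqe, i); i++)
		;
	return (struct walk_result){ i, oob_count };
}

int main(void)
{
	printf("full list OOB reads: use-then-test=%zu test-then-use=%zu; short list frags=%zu\n",
	       walk_use_then_test(&full_list).oob_reads,
	       walk_test_then_use(&full_list).oob_reads,
	       walk_test_then_use(&short_list).frags);
	return 0;
}
```

Both orders consume the same entries; they differ only when every slot is non-zero, where the use-then-test order attempts one read at index ARRAY_SIZE before the bound is ever consulted.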