diff for duplicates of <202511192128.aqouWvbT-lkp@intel.com> diff --git a/a/1.txt b/N1/1.txt index 76594ce..15d6656 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,20 +1,13 @@ -BCC: lkp@intel.com -CC: oe-kbuild-all@lists.linux.dev -TO: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com> -CC: Paolo Abeni <pabeni@redhat.com> - tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master head: fe4d0dea039f2befb93f27569593ec209843b0f5 commit: 896f1a2493b59beb2b5ccdf990503dbb16cb2256 [9725/10183] net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() -:::::: branch date: 10 hours ago -:::::: commit date: 27 hours ago config: xtensa-randconfig-r073-20251119 (https://download.01.org/0day-ci/archive/20251119/202511192128.aqouWvbT-lkp@intel.com/config) compiler: xtensa-linux-gcc (GCC) 8.5.0 If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> -| Reported-by: Dan Carpenter <error27@gmail.com> +| Reported-by: Dan Carpenter <dan.carpenter@linaro.org> | Closes: https://lore.kernel.org/r/202511192128.aqouWvbT-lkp@intel.com/ New smatch warnings: @@ -26,7 +19,6 @@ arch/xtensa/include/asm/thread_info.h:97 current_thread_info() warn: inconsisten vim +/i +989 drivers/net/ethernet/qlogic/qede/qede_fp.c -cdda926d409869 Mintz, Yuval 2017-01-01 957 cdda926d409869 Mintz, Yuval 2017-01-01 958 static inline void qede_tpa_cont(struct qede_dev *edev, cdda926d409869 Mintz, Yuval 2017-01-01 959 struct qede_rx_queue *rxq, cdda926d409869 Mintz, Yuval 2017-01-01 960 struct eth_fast_path_rx_tpa_cont_cqe *cqe) @@ -34,6 +26,11 @@ cdda926d409869 Mintz, Yuval 2017-01-01 961 { cdda926d409869 Mintz, Yuval 2017-01-01 962 int i; cdda926d409869 Mintz, Yuval 2017-01-01 963 896f1a2493b59b Pavel Zhigulin 2025-11-13 @964 for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This needs to be done the other way to avoid an off-by-one access. + + i < ARRAY_SIZE(cqe->len_list) && cqe->len_list[i] + cdda926d409869 Mintz, Yuval 2017-01-01 965 qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, cdda926d409869 Mintz, Yuval 2017-01-01 966 le16_to_cpu(cqe->len_list[i])); cdda926d409869 Mintz, Yuval 2017-01-01 967 @@ -59,52 +56,12 @@ cdda926d409869 Mintz, Yuval 2017-01-01 984 8a8633978b842c Manish Chopra 2018-05-17 987 PAGE_SIZE, rxq->data_direction); 8a8633978b842c Manish Chopra 2018-05-17 988 896f1a2493b59b Pavel Zhigulin 2025-11-13 @989 for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Same. + cdda926d409869 Mintz, Yuval 2017-01-01 990 qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, cdda926d409869 Mintz, Yuval 2017-01-01 991 le16_to_cpu(cqe->len_list[i])); cdda926d409869 Mintz, Yuval 2017-01-01 992 if (unlikely(i > 1)) -cdda926d409869 Mintz, Yuval 2017-01-01 993 DP_ERR(edev, -cdda926d409869 Mintz, Yuval 2017-01-01 994 "Strange - TPA emd with more than a single len_list entry\n"); -cdda926d409869 Mintz, Yuval 2017-01-01 995 -cdda926d409869 Mintz, Yuval 2017-01-01 996 if (unlikely(tpa_info->state != QEDE_AGG_STATE_START)) -cdda926d409869 Mintz, Yuval 2017-01-01 997 goto err; -cdda926d409869 Mintz, Yuval 2017-01-01 998 -cdda926d409869 Mintz, Yuval 2017-01-01 999 /* Sanity */ -cdda926d409869 Mintz, Yuval 2017-01-01 1000 if (unlikely(cqe->num_of_bds != tpa_info->frag_id + 1)) -cdda926d409869 Mintz, Yuval 2017-01-01 1001 DP_ERR(edev, -cdda926d409869 Mintz, Yuval 2017-01-01 1002 "Strange - TPA had %02x BDs, but SKB has only %d frags\n", -cdda926d409869 Mintz, Yuval 2017-01-01 1003 cqe->num_of_bds, tpa_info->frag_id); -cdda926d409869 Mintz, Yuval 2017-01-01 1004 if (unlikely(skb->len != le16_to_cpu(cqe->total_packet_len))) -cdda926d409869 Mintz, Yuval 2017-01-01 1005 DP_ERR(edev, -cdda926d409869 Mintz, Yuval 2017-01-01 1006 "Strange - total packet len [cqe] is %4x but SKB has len %04x\n", -cdda926d409869 Mintz, Yuval 2017-01-01 1007 le16_to_cpu(cqe->total_packet_len), skb->len); -cdda926d409869 Mintz, Yuval 2017-01-01 1008 -cdda926d409869 Mintz, Yuval 2017-01-01 1009 /* Finalize the SKB */ -cdda926d409869 Mintz, Yuval 2017-01-01 1010 skb->protocol = eth_type_trans(skb, edev->ndev); -cdda926d409869 Mintz, Yuval 2017-01-01 1011 skb->ip_summed = CHECKSUM_UNNECESSARY; -cdda926d409869 Mintz, Yuval 2017-01-01 1012 -cdda926d409869 Mintz, Yuval 2017-01-01 1013 /* tcp_gro_complete() will copy NAPI_GRO_CB(skb)->count -cdda926d409869 Mintz, Yuval 2017-01-01 1014 * to skb_shinfo(skb)->gso_segs -cdda926d409869 Mintz, Yuval 2017-01-01 1015 */ -cdda926d409869 Mintz, Yuval 2017-01-01 1016 NAPI_GRO_CB(skb)->count = le16_to_cpu(cqe->num_of_coalesced_segs); -cdda926d409869 Mintz, Yuval 2017-01-01 1017 -cdda926d409869 Mintz, Yuval 2017-01-01 1018 qede_gro_receive(edev, fp, skb, tpa_info->vlan_tag); -cdda926d409869 Mintz, Yuval 2017-01-01 1019 -cdda926d409869 Mintz, Yuval 2017-01-01 1020 tpa_info->state = QEDE_AGG_STATE_NONE; -cdda926d409869 Mintz, Yuval 2017-01-01 1021 -10a0176e4e6eb6 Mintz, Yuval 2017-04-07 1022 return 1; -cdda926d409869 Mintz, Yuval 2017-01-01 1023 err: -cdda926d409869 Mintz, Yuval 2017-01-01 1024 tpa_info->state = QEDE_AGG_STATE_NONE; -8a8633978b842c Manish Chopra 2018-05-17 1025 -8a8633978b842c Manish Chopra 2018-05-17 1026 if (tpa_info->tpa_start_fail) { -8a8633978b842c Manish Chopra 2018-05-17 1027 qede_reuse_page(rxq, &tpa_info->buffer); -8a8633978b842c Manish Chopra 2018-05-17 1028 tpa_info->tpa_start_fail = false; -8a8633978b842c Manish Chopra 2018-05-17 1029 } -8a8633978b842c Manish Chopra 2018-05-17 1030 -cdda926d409869 Mintz, Yuval 2017-01-01 1031 dev_kfree_skb_any(tpa_info->skb); -cdda926d409869 Mintz, Yuval 2017-01-01 1032 tpa_info->skb = NULL; -10a0176e4e6eb6 Mintz, Yuval 2017-04-07 1033 return 0; -cdda926d409869 Mintz, Yuval 2017-01-01 1034 } -cdda926d409869 Mintz, Yuval 2017-01-01 1035 -- 0-DAY CI Kernel Test Service diff --git a/a/content_digest b/N1/content_digest index 0329aed..f5b2800 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,28 +1,23 @@ - "From\0kernel test robot <lkp@intel.com>\0" + "From\0Dan Carpenter <dan.carpenter@linaro.org>\0" "Subject\0[linux-next:master 9725/10183] drivers/net/ethernet/qlogic/qede/qede_fp.c:989 qede_tpa_end() error: testing array offset 'i' after use.\0" - "Date\0Wed, 19 Nov 2025 21:16:09 +0800\0" - "To\0oe-kbuild@lists.linux.dev\0" + "Date\0Wed, 19 Nov 2025 16:39:08 +0300\0" + "To\0oe-kbuild@lists.linux.dev" + " Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>\0" "Cc\0lkp@intel.com" - " Dan Carpenter <error27@gmail.com>\0" + oe-kbuild-all@lists.linux.dev + " Paolo Abeni <pabeni@redhat.com>\0" "\00:1\0" "b\0" - "BCC: lkp@intel.com\n" - "CC: oe-kbuild-all@lists.linux.dev\n" - "TO: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>\n" - "CC: Paolo Abeni <pabeni@redhat.com>\n" - "\n" "tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master\n" "head: fe4d0dea039f2befb93f27569593ec209843b0f5\n" "commit: 896f1a2493b59beb2b5ccdf990503dbb16cb2256 [9725/10183] net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()\n" - ":::::: branch date: 10 hours ago\n" - ":::::: commit date: 27 hours ago\n" "config: xtensa-randconfig-r073-20251119 (https://download.01.org/0day-ci/archive/20251119/202511192128.aqouWvbT-lkp@intel.com/config)\n" "compiler: xtensa-linux-gcc (GCC) 8.5.0\n" "\n" "If you fix the issue in a separate patch/commit (i.e. not just a new version of\n" "the same patch/commit), kindly add following tags\n" "| Reported-by: kernel test robot <lkp@intel.com>\n" - "| Reported-by: Dan Carpenter <error27@gmail.com>\n" + "| Reported-by: Dan Carpenter <dan.carpenter@linaro.org>\n" "| Closes: https://lore.kernel.org/r/202511192128.aqouWvbT-lkp@intel.com/\n" "\n" "New smatch warnings:\n" @@ -34,7 +29,6 @@ "\n" "vim +/i +989 drivers/net/ethernet/qlogic/qede/qede_fp.c\n" "\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 957 \n" "cdda926d409869 Mintz, Yuval 2017-01-01 958 static inline void qede_tpa_cont(struct qede_dev *edev,\n" "cdda926d409869 Mintz, Yuval 2017-01-01 959 \t\t\t\t struct qede_rx_queue *rxq,\n" "cdda926d409869 Mintz, Yuval 2017-01-01 960 \t\t\t\t struct eth_fast_path_rx_tpa_cont_cqe *cqe)\n" @@ -42,6 +36,11 @@ "cdda926d409869 Mintz, Yuval 2017-01-01 962 \tint i;\n" "cdda926d409869 Mintz, Yuval 2017-01-01 963 \n" "896f1a2493b59b Pavel Zhigulin 2025-11-13 @964 \tfor (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)\n" + " ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n" + "This needs to be done the other way to avoid an off-by-one access.\n" + "\n" + "\ti < ARRAY_SIZE(cqe->len_list) && cqe->len_list[i]\n" + "\n" "cdda926d409869 Mintz, Yuval 2017-01-01 965 \t\tqede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,\n" "cdda926d409869 Mintz, Yuval 2017-01-01 966 \t\t\t\t le16_to_cpu(cqe->len_list[i]));\n" "cdda926d409869 Mintz, Yuval 2017-01-01 967 \n" @@ -67,55 +66,15 @@ "8a8633978b842c Manish Chopra 2018-05-17 987 \t\t\t PAGE_SIZE, rxq->data_direction);\n" "8a8633978b842c Manish Chopra 2018-05-17 988 \n" "896f1a2493b59b Pavel Zhigulin 2025-11-13 @989 \tfor (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)\n" + " ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n" + "Same.\n" + "\n" "cdda926d409869 Mintz, Yuval 2017-01-01 990 \t\tqede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,\n" "cdda926d409869 Mintz, Yuval 2017-01-01 991 \t\t\t\t le16_to_cpu(cqe->len_list[i]));\n" "cdda926d409869 Mintz, Yuval 2017-01-01 992 \tif (unlikely(i > 1))\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 993 \t\tDP_ERR(edev,\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 994 \t\t \"Strange - TPA emd with more than a single len_list entry\\n\");\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 995 \n" - "cdda926d409869 Mintz, Yuval 2017-01-01 996 \tif (unlikely(tpa_info->state != QEDE_AGG_STATE_START))\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 997 \t\tgoto err;\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 998 \n" - "cdda926d409869 Mintz, Yuval 2017-01-01 999 \t/* Sanity */\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1000 \tif (unlikely(cqe->num_of_bds != tpa_info->frag_id + 1))\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1001 \t\tDP_ERR(edev,\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1002 \t\t \"Strange - TPA had %02x BDs, but SKB has only %d frags\\n\",\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1003 \t\t cqe->num_of_bds, tpa_info->frag_id);\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1004 \tif (unlikely(skb->len != le16_to_cpu(cqe->total_packet_len)))\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1005 \t\tDP_ERR(edev,\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1006 \t\t \"Strange - total packet len [cqe] is %4x but SKB has len %04x\\n\",\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1007 \t\t le16_to_cpu(cqe->total_packet_len), skb->len);\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1008 \n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1009 \t/* Finalize the SKB */\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1010 \tskb->protocol = eth_type_trans(skb, edev->ndev);\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1011 \tskb->ip_summed = CHECKSUM_UNNECESSARY;\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1012 \n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1013 \t/* tcp_gro_complete() will copy NAPI_GRO_CB(skb)->count\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1014 \t * to skb_shinfo(skb)->gso_segs\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1015 \t */\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1016 \tNAPI_GRO_CB(skb)->count = le16_to_cpu(cqe->num_of_coalesced_segs);\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1017 \n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1018 \tqede_gro_receive(edev, fp, skb, tpa_info->vlan_tag);\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1019 \n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1020 \ttpa_info->state = QEDE_AGG_STATE_NONE;\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1021 \n" - "10a0176e4e6eb6 Mintz, Yuval 2017-04-07 1022 \treturn 1;\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1023 err:\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1024 \ttpa_info->state = QEDE_AGG_STATE_NONE;\n" - "8a8633978b842c Manish Chopra 2018-05-17 1025 \n" - "8a8633978b842c Manish Chopra 2018-05-17 1026 \tif (tpa_info->tpa_start_fail) {\n" - "8a8633978b842c Manish Chopra 2018-05-17 1027 \t\tqede_reuse_page(rxq, &tpa_info->buffer);\n" - "8a8633978b842c Manish Chopra 2018-05-17 1028 \t\ttpa_info->tpa_start_fail = false;\n" - "8a8633978b842c Manish Chopra 2018-05-17 1029 \t}\n" - "8a8633978b842c Manish Chopra 2018-05-17 1030 \n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1031 \tdev_kfree_skb_any(tpa_info->skb);\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1032 \ttpa_info->skb = NULL;\n" - "10a0176e4e6eb6 Mintz, Yuval 2017-04-07 1033 \treturn 0;\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1034 }\n" - "cdda926d409869 Mintz, Yuval 2017-01-01 1035 \n" "\n" "-- \n" "0-DAY CI Kernel Test Service\n" https://github.com/intel/lkp-tests/wiki -8a076ff5dfc5c46574251d6252117e30b897d45fb123fe9fa39560bcebbfa290 +0815c900fcbf8e02d6c298ce3b9495010c259d283a9730cfe6bcd0464ba23863
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.