From: David Laight <david.laight.linux@gmail.com>
To: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Cc: intel-wired-lan@lists.osuosl.org, anthony.l.nguyen@intel.com,
netdev@vger.kernel.org
Subject: Re: [Intel-wired-lan] [PATCH iwl-next] ixgbe: fix integer overflow and wrong bit position in ixgbe_validate_rtr()
Date: Fri, 3 Apr 2026 11:00:34 +0100 [thread overview]
Message-ID: <20260403110034.6fe45f70@pumpkin> (raw)
In-Reply-To: <20260327073046.134085-10-aleksandr.loktionov@intel.com>
On Fri, 27 Mar 2026 08:30:44 +0100
Aleksandr Loktionov <aleksandr.loktionov@intel.com> wrote:
> Two bugs in the same loop in ixgbe_validate_rtr():
>
> 1. When extracting 3-bit traffic class values from the IXGBE_RTRUP2TC
> register the shifted value was assigned directly to a u8, silently
> truncating any bits above bit 7. Mask with IXGBE_RTRUP2TC_UP_MASK
> before the assignment so only the intended 3 bits are kept.
>
> 2. When clearing an out-of-bounds entry the mask was always shifted by
> the fixed constant IXGBE_RTRUP2TC_UP_SHIFT (== 3), regardless of
> which loop iteration was being processed. This means only the entry
> at bit position 3 was ever cleared; entries at bit positions 0, 6, 9,
> ..., 21 were left unreset. Use i * IXGBE_RTRUP2TC_UP_SHIFT to target
> the correct field for each iteration.
>
> Also replace the hardcoded 0x7 literal with the IXGBE_RTRUP2TC_UP_MASK
> constant for consistency with other parts of the driver.
>
> Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
> ---
> drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> index 9aec66c..53b82a5 100644
> --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> @@ -9798,11 +9798,12 @@ static void ixgbe_validate_rtr(struct ixgbe_adapter *adapter, u8 tc)
> rsave = reg;
>
> for (i = 0; i < MAX_TRAFFIC_CLASS; i++) {
> - u8 up2tc = reg >> (i * IXGBE_RTRUP2TC_UP_SHIFT);
> + u8 up2tc = IXGBE_RTRUP2TC_UP_MASK &
> + (reg >> (i * IXGBE_RTRUP2TC_UP_SHIFT));
That really ought to be the opposite way round: expr & constant.
Or add a second line to mask the value.
David
>
> /* If up2tc is out of bounds default to zero */
> if (up2tc > tc)
> - reg &= ~(0x7 << IXGBE_RTRUP2TC_UP_SHIFT);
> + reg &= ~(IXGBE_RTRUP2TC_UP_MASK << (i * IXGBE_RTRUP2TC_UP_SHIFT));
> }
>
> if (reg != rsave)
WARNING: multiple messages have this Message-ID (diff)
From: David Laight <david.laight.linux@gmail.com>
To: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Cc: intel-wired-lan@lists.osuosl.org, anthony.l.nguyen@intel.com,
netdev@vger.kernel.org
Subject: Re: [PATCH iwl-next] ixgbe: fix integer overflow and wrong bit position in ixgbe_validate_rtr()
Date: Fri, 3 Apr 2026 11:00:34 +0100 [thread overview]
Message-ID: <20260403110034.6fe45f70@pumpkin> (raw)
In-Reply-To: <20260327073046.134085-10-aleksandr.loktionov@intel.com>
On Fri, 27 Mar 2026 08:30:44 +0100
Aleksandr Loktionov <aleksandr.loktionov@intel.com> wrote:
> Two bugs in the same loop in ixgbe_validate_rtr():
>
> 1. When extracting 3-bit traffic class values from the IXGBE_RTRUP2TC
> register the shifted value was assigned directly to a u8, silently
> truncating any bits above bit 7. Mask with IXGBE_RTRUP2TC_UP_MASK
> before the assignment so only the intended 3 bits are kept.
>
> 2. When clearing an out-of-bounds entry the mask was always shifted by
> the fixed constant IXGBE_RTRUP2TC_UP_SHIFT (== 3), regardless of
> which loop iteration was being processed. This means only the entry
> at bit position 3 was ever cleared; entries at bit positions 0, 6, 9,
> ..., 21 were left unreset. Use i * IXGBE_RTRUP2TC_UP_SHIFT to target
> the correct field for each iteration.
>
> Also replace the hardcoded 0x7 literal with the IXGBE_RTRUP2TC_UP_MASK
> constant for consistency with other parts of the driver.
>
> Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
> ---
> drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> index 9aec66c..53b82a5 100644
> --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> @@ -9798,11 +9798,12 @@ static void ixgbe_validate_rtr(struct ixgbe_adapter *adapter, u8 tc)
> rsave = reg;
>
> for (i = 0; i < MAX_TRAFFIC_CLASS; i++) {
> - u8 up2tc = reg >> (i * IXGBE_RTRUP2TC_UP_SHIFT);
> + u8 up2tc = IXGBE_RTRUP2TC_UP_MASK &
> + (reg >> (i * IXGBE_RTRUP2TC_UP_SHIFT));
That really ought to be the opposite way round: expr & constant.
Or add a second line to mask the value.
David
>
> /* If up2tc is out of bounds default to zero */
> if (up2tc > tc)
> - reg &= ~(0x7 << IXGBE_RTRUP2TC_UP_SHIFT);
> + reg &= ~(IXGBE_RTRUP2TC_UP_MASK << (i * IXGBE_RTRUP2TC_UP_SHIFT));
> }
>
> if (reg != rsave)
next prev parent reply other threads:[~2026-04-03 10:00 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-27 7:30 [Intel-wired-lan] [PATCH iwl-next] ixgbe: increase SWFW semaphore timeout for X550 FW updates Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: add bounds check for debugfs register access Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 13:36 ` [Intel-wired-lan] " Simon Horman
2026-04-03 13:36 ` Simon Horman
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: clean up adaptive interrupt moderation algorithm Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 13:31 ` [Intel-wired-lan] " Simon Horman
2026-04-03 13:31 ` Simon Horman
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: remove ixgbe_ping_all_vfs() from watchdog link-up handler Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 13:25 ` [Intel-wired-lan] " Simon Horman
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: use ktime_get_real_ns() in ixgbe_ptp_reset() Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 13:10 ` [Intel-wired-lan] " Simon Horman
2026-04-03 13:10 ` Simon Horman
2026-04-03 13:11 ` [Intel-wired-lan] " Simon Horman
2026-04-03 13:11 ` Simon Horman
2026-04-03 20:26 ` [Intel-wired-lan] " Keller, Jacob E
2026-04-03 20:26 ` Keller, Jacob E
2026-04-06 14:07 ` [Intel-wired-lan] " Simon Horman
2026-04-06 14:07 ` Simon Horman
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: call ixgbe_setup_fc() before fc_enable() after NVM update Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 13:38 ` [Intel-wired-lan] " Simon Horman
2026-04-03 13:38 ` Simon Horman
2026-04-03 13:39 ` [Intel-wired-lan] " Simon Horman
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: replace GFP_ATOMIC with GFP_KERNEL in ixgbe_fcoe_ddp_setup() Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 13:21 ` [Intel-wired-lan] " Simon Horman
2026-04-03 13:38 ` Kohei Enju
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: fix cls_u32 nexthdr path returning success when no entry installed Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 13:46 ` [Intel-wired-lan] " Simon Horman
2026-04-03 13:46 ` Simon Horman
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: use int instead of u32 for error code variables Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 13:41 ` [Intel-wired-lan] " Simon Horman
2026-04-03 13:41 ` Simon Horman
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: fix integer overflow and wrong bit position in ixgbe_validate_rtr() Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 8:41 ` [Intel-wired-lan] " Simon Horman
2026-04-03 8:41 ` Simon Horman
2026-04-03 10:00 ` David Laight [this message]
2026-04-03 10:00 ` David Laight
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: fix ITR value overflow in adaptive interrupt throttling Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 13:18 ` [Intel-wired-lan] " Simon Horman
2026-04-03 13:18 ` Simon Horman
2026-04-03 16:12 ` [Intel-wired-lan] " Loktionov, Aleksandr
2026-04-03 16:12 ` Loktionov, Aleksandr
2026-04-06 14:06 ` [Intel-wired-lan] " Simon Horman
2026-04-06 14:06 ` Simon Horman
2026-03-27 7:30 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: extend 5 s SWFW semaphore timeout to all X550EM variants Aleksandr Loktionov
2026-03-27 7:30 ` Aleksandr Loktionov
2026-04-03 20:55 ` [Intel-wired-lan] " Tony Nguyen
2026-04-03 20:55 ` Tony Nguyen
2026-04-03 12:49 ` [Intel-wired-lan] [PATCH iwl-next] ixgbe: increase SWFW semaphore timeout for X550 FW updates Simon Horman
2026-04-03 12:49 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260403110034.6fe45f70@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=aleksandr.loktionov@intel.com \
--cc=anthony.l.nguyen@intel.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.