From: Jakub Kicinski <kuba@kernel.org>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, edumazet@google.com, pabeni@redhat.com,
andrew+netdev@lunn.ch, horms@kernel.org, o.rempel@pengutronix.de,
kory.maincent@bootlin.com, maxime.chevallier@bootlin.com,
haiyangz@microsoft.com, Jakub Kicinski <kuba@kernel.org>,
andrew@lunn.ch, hengqi@linux.alibaba.com
Subject: [PATCH net 01/10] ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES
Date: Tue, 26 May 2026 08:35:24 -0700 [thread overview]
Message-ID: <20260526153533.2779187-2-kuba@kernel.org> (raw)
In-Reply-To: <20260526153533.2779187-1-kuba@kernel.org>
ethnl_update_profile() walks the ETHTOOL_A_PROFILE_IRQ_MODERATION
nest list with an index 'i' and writes new_profile[i++] without
bounding i. The destination is kmemdup()'d at NET_DIM_PARAMS_NUM_PROFILES
entries (5), but the Netlink nest count is entirely user-controlled.
Netlink policies do not have support for constraining the number
of nested entries (or number of multi-attr entries).
Fixes: f750dfe825b9 ("ethtool: provide customized dim profile management")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
CC: andrew@lunn.ch
CC: maxime.chevallier@bootlin.com
CC: haiyangz@microsoft.com
CC: hengqi@linux.alibaba.com
---
net/ethtool/coalesce.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/ethtool/coalesce.c b/net/ethtool/coalesce.c
index 1e2c5c7048a8..e73fc3e5a02b 100644
--- a/net/ethtool/coalesce.c
+++ b/net/ethtool/coalesce.c
@@ -472,6 +472,12 @@ static int ethnl_update_profile(struct net_device *dev,
nla_for_each_nested_type(nest, ETHTOOL_A_PROFILE_IRQ_MODERATION,
nests, rem) {
+ if (i >= NET_DIM_PARAMS_NUM_PROFILES) {
+ NL_SET_BAD_ATTR(extack, nest);
+ ret = -E2BIG;
+ goto err_out;
+ }
+
ret = nla_parse_nested(tb, len_irq_moder - 1, nest,
coalesce_irq_moderation_policy,
extack);
--
2.54.0
next prev parent reply other threads:[~2026-05-26 15:35 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-26 15:35 [PATCH net 00/10] ethtool: more bug fixes Jakub Kicinski
2026-05-26 15:35 ` Jakub Kicinski [this message]
2026-05-26 17:41 ` [PATCH net 01/10] ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES Maxime Chevallier
2026-05-26 15:35 ` [PATCH net 02/10] ethtool: tsconfig: fix reply error handling Jakub Kicinski
2026-05-26 16:04 ` Vadim Fedorenko
2026-05-27 14:32 ` Kory Maincent
2026-05-26 15:35 ` [PATCH net 03/10] ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error Jakub Kicinski
2026-05-26 16:41 ` Maxime Chevallier
2026-05-26 15:35 ` [PATCH net 04/10] ethtool: pse-pd: fix missing ethnl_ops_complete() Jakub Kicinski
2026-05-26 16:51 ` Maxime Chevallier
2026-05-26 15:35 ` [PATCH net 05/10] ethtool: tsconfig: " Jakub Kicinski
2026-05-26 16:06 ` Vadim Fedorenko
2026-05-27 14:34 ` Kory Maincent
2026-05-26 15:35 ` [PATCH net 06/10] ethtool: tsinfo: fix uninitialized stats on the by-PHC path Jakub Kicinski
2026-05-26 17:23 ` Maxime Chevallier
2026-05-26 22:51 ` Jakub Kicinski
2026-05-26 15:35 ` [PATCH net 07/10] ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure Jakub Kicinski
2026-05-26 17:46 ` Maxime Chevallier
2026-05-27 14:35 ` Kory Maincent
2026-05-26 15:35 ` [PATCH net 08/10] ethtool: strset: fix header attribute index in ethnl_req_get_phydev() Jakub Kicinski
2026-05-26 17:15 ` Maxime Chevallier
2026-05-26 15:35 ` [PATCH net 09/10] ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback Jakub Kicinski
2026-05-26 17:13 ` Maxime Chevallier
2026-05-26 15:35 ` [PATCH net 10/10] ethtool: eeprom: add more safeties to EEPROM Netlink fallback Jakub Kicinski
2026-05-26 17:30 ` Maxime Chevallier
2026-05-28 1:00 ` [PATCH net 00/10] ethtool: more bug fixes patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260526153533.2779187-2-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=haiyangz@microsoft.com \
--cc=hengqi@linux.alibaba.com \
--cc=horms@kernel.org \
--cc=kory.maincent@bootlin.com \
--cc=maxime.chevallier@bootlin.com \
--cc=netdev@vger.kernel.org \
--cc=o.rempel@pengutronix.de \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.