From: Thierry Herbelot <thierry.herbelot@6wind.com>
To: "Tantilov, Emil S" <emil.s.tantilov@intel.com>,
"Kirsher, Jeffrey T" <jeffrey.t.kirsher@intel.com>,
"Brandeburg, Jesse" <jesse.brandeburg@intel.com>,
"Allan, Bruce W" <bruce.w.allan@intel.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH v3 net] ixgbe: check adapter->vfinfo before dereference
Date: Thu, 16 Oct 2014 09:23:01 +0200
Message-ID: <543F7255.7070606@6wind.com>
In-Reply-To: <87618083B2453E4A8714035B62D67992500E2629@FMSMSX105.amr.corp.intel.com>

On 10/16/2014 12:50 AM, Tantilov, Emil S wrote:
>> -----Original Message-----
>> From: Thierry Herbelot [mailto:thierry.herbelot@6wind.com]
>> Sent: Wednesday, October 15, 2014 2:58 AM
>> To: Kirsher, Jeffrey T; Brandeburg, Jesse; Allan, Bruce W;
>> netdev@vger.kernel.org; Tantilov, Emil S
>> Cc: Thierry Herbelot
>> Subject: [PATCH v3 net] ixgbe: check adapter->vfinfo before dereference
>>
>> this protects against the following panic:
>> (before a VF was actually created on p96p1 PF Ethernet port)
>>
>> ip link set p96p1 vf 0 spoofchk off
>> BUG: unable to handle kernel NULL pointer dereference at 0000000000000052
>> IP: [<ffffffffa044a1c1>]
>> ixgbe_ndo_set_vf_spoofchk+0x51/0x150 [ixgbe]
>>
>> Signed-off-by: Thierry Herbelot <thierry.herbelot@6wind.com>
>> ---
>>
>> v2:
>> compilation fixes
>>
>> v3:
>> remove checks in functions where vfinfo is known not to be NULL
>> return -EINVAL as error code
>>
>> drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 42
>> ++++++++++++++++++++++--
>> 1 file changed, 40 insertions(+), 2 deletions(-)
>
> Actually looking into this a bit more, the check for vfinfo is not sufficient
> because it does not protect against specifying vf that is outside of sriov_num_vfs range.
>
> All of the ndo functions have a check for it except for ixgbevf_ndo_set_spoofcheck().
>
> The following patch should be all we need to protect against this panic:
>
> This patch adds a check to return -EINVAL when setting spoofcheck on
> VF that is not configured.
>
> Reported-by: Thierry Herbelot <thierry.herbelot@6wind.com>
> Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
> ---
> drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
> index 706fc69..97c85b8 100644
> --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
> +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
> @@ -1261,6 +1261,9 @@ int ixgbe_ndo_set_vf_spoofchk(struct net_device *netdev, int vf, bool setting)
> struct ixgbe_hw *hw = &adapter->hw;
> u32 regval;
>
> + if (vf >= adapter->num_vfs)
> + return -EINVAL;
> +
> adapter->vfinfo[vf].spoofchk_enabled = setting;
>
> regval = IXGBE_READ_REG(hw, IXGBE_PFVFSPOOF(vf_target_reg));
>
>
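Review bot: The added check (vf >= adapter->num_vfs) bounds vf only from above, while the signature declares it as int vf and the very next statement indexes adapter->vfinfo[vf]. Whether a negative vf is rejected depends on the type of num_vfs, which is not visible in this hunk: if it is unsigned, the comparison converts vf and catches it; if it is signed, it does not. Either say which in the commit message or make it explicit with (vf < 0 || vf >= adapter->num_vfs). The check also covers the reported NULL vfinfo case only on the assumption that num_vfs is 0 whenever vfinfo is unallocated, so a one-line comment stating that invariant would help. Separately, the description above the patch names ixgbevf_ndo_set_spoofcheck(), but the function changed here is ixgbe_ndo_set_vf_spoofchk().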
Hello,
Indeed your patch solves the initial issue.
And indeed I also double-checked that all other instances are protected
by the (vf >= adapter->num_vfs) condition.
Best regards
Thierry
--
Thierry Herbelot
6WIND
Software Engineer