From: Simon Horman <horms@kernel.org>
To: Kohei Enju <kohei@enjuk.jp>
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
Tony Nguyen <anthony.l.nguyen@intel.com>,
Przemek Kitszel <przemyslaw.kitszel@intel.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Jedrzej Jagielski <jedrzej.jagielski@intel.com>,
Mateusz Palczewski <mateusz.palczewski@intel.com>,
Witold Fijalkowski <witoldx.fijalkowski@intel.com>,
Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>,
kohei.enju@gmail.com
Subject: Re: [Intel-wired-lan] [PATCH v1 iwl-net] iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
Date: Mon, 16 Feb 2026 13:19:09 +0000 [thread overview]
Message-ID: <aZMZTTXWtIO1ERpm@horms.kernel.org> (raw)
In-Reply-To: <20260214191502.267670-1-kohei@enjuk.jp>
On Sat, Feb 14, 2026 at 07:14:25PM +0000, Kohei Enju wrote:
> iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the
> value could change in runtime, we should use num_tx_queues instead.
>
> Moreover iavf_get_ethtool_stats() uses num_active_queues while
> iavf_get_sset_count() and iavf_get_stat_strings() use
> real_num_tx_queues, which triggers out-of-bounds writes when we do
> "ethtool -L" and "ethtool -S" simultaneously [1].
>
> For example when we change channels from 1 to 8, Thread 3 could be
> scheduled before Thread 2, and out-of-bounds writes could be triggered
> in Thread 3:
>
> Thread 1 (ethtool -L) Thread 2 (work) Thread 3 (ethtool -S)
> iavf_set_channels()
> ...
> iavf_alloc_queues()
> -> num_active_queues = 8
> iavf_schedule_finish_config()
> iavf_get_sset_count()
> real_num_tx_queues: 1
> -> buffer for 1 queue
> iavf_get_ethtool_stats()
> num_active_queues: 8
> -> out-of-bounds!
> iavf_finish_config()
> -> real_num_tx_queues = 8
...
> Fixes: 64430f70ba6f ("iavf: Fix displaying queue statistics shown by ethtool")
> Signed-off-by: Kohei Enju <kohei@enjuk.jp>
...
> @@ -345,19 +344,19 @@ static void iavf_get_ethtool_stats(struct net_device *netdev,
> iavf_add_ethtool_stats(&data, adapter, iavf_gstrings_stats);
>
> rcu_read_lock();
> - /* As num_active_queues describe both tx and rx queues, we can use
> - * it to iterate over rings' stats.
> + /* Use num_tx_queues to report stats for the maximum number of queues.
> + * Queues beyond num_active_queues will report zero.
> */
> - for (i = 0; i < adapter->num_active_queues; i++) {
> - struct iavf_ring *ring;
> + for (i = 0; i < netdev->num_tx_queues; i++) {
> + struct iavf_ring *tx_ring = NULL, *rx_ring = NULL;
>
> - /* Tx rings stats */
> - ring = &adapter->tx_rings[i];
> - iavf_add_queue_stats(&data, ring);
> + if (i < adapter->num_active_queues) {
Hi Enju-san,
If I understand things correctly, in the scenario described in the patch
description, num_active_queues will be 8 here.
Won't that result in an overflow?
> + tx_ring = &adapter->tx_rings[i];
> + rx_ring = &adapter->rx_rings[i];
> + }
>
> - /* Rx rings stats */
> - ring = &adapter->rx_rings[i];
> - iavf_add_queue_stats(&data, ring);
> + iavf_add_queue_stats(&data, tx_ring);
> + iavf_add_queue_stats(&data, rx_ring);
> }
> rcu_read_unlock();
> }
...
WARNING: multiple messages have this Message-ID (diff)
From: Simon Horman <horms@kernel.org>
To: Kohei Enju <kohei@enjuk.jp>
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
Tony Nguyen <anthony.l.nguyen@intel.com>,
Przemek Kitszel <przemyslaw.kitszel@intel.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Jedrzej Jagielski <jedrzej.jagielski@intel.com>,
Mateusz Palczewski <mateusz.palczewski@intel.com>,
Witold Fijalkowski <witoldx.fijalkowski@intel.com>,
Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>,
kohei.enju@gmail.com
Subject: Re: [PATCH v1 iwl-net] iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
Date: Mon, 16 Feb 2026 13:19:09 +0000 [thread overview]
Message-ID: <aZMZTTXWtIO1ERpm@horms.kernel.org> (raw)
In-Reply-To: <20260214191502.267670-1-kohei@enjuk.jp>
On Sat, Feb 14, 2026 at 07:14:25PM +0000, Kohei Enju wrote:
> iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the
> value could change in runtime, we should use num_tx_queues instead.
>
> Moreover iavf_get_ethtool_stats() uses num_active_queues while
> iavf_get_sset_count() and iavf_get_stat_strings() use
> real_num_tx_queues, which triggers out-of-bounds writes when we do
> "ethtool -L" and "ethtool -S" simultaneously [1].
>
> For example when we change channels from 1 to 8, Thread 3 could be
> scheduled before Thread 2, and out-of-bounds writes could be triggered
> in Thread 3:
>
> Thread 1 (ethtool -L) Thread 2 (work) Thread 3 (ethtool -S)
> iavf_set_channels()
> ...
> iavf_alloc_queues()
> -> num_active_queues = 8
> iavf_schedule_finish_config()
> iavf_get_sset_count()
> real_num_tx_queues: 1
> -> buffer for 1 queue
> iavf_get_ethtool_stats()
> num_active_queues: 8
> -> out-of-bounds!
> iavf_finish_config()
> -> real_num_tx_queues = 8
...
> Fixes: 64430f70ba6f ("iavf: Fix displaying queue statistics shown by ethtool")
> Signed-off-by: Kohei Enju <kohei@enjuk.jp>
...
> @@ -345,19 +344,19 @@ static void iavf_get_ethtool_stats(struct net_device *netdev,
> iavf_add_ethtool_stats(&data, adapter, iavf_gstrings_stats);
>
> rcu_read_lock();
> - /* As num_active_queues describe both tx and rx queues, we can use
> - * it to iterate over rings' stats.
> + /* Use num_tx_queues to report stats for the maximum number of queues.
> + * Queues beyond num_active_queues will report zero.
> */
> - for (i = 0; i < adapter->num_active_queues; i++) {
> - struct iavf_ring *ring;
> + for (i = 0; i < netdev->num_tx_queues; i++) {
> + struct iavf_ring *tx_ring = NULL, *rx_ring = NULL;
>
> - /* Tx rings stats */
> - ring = &adapter->tx_rings[i];
> - iavf_add_queue_stats(&data, ring);
> + if (i < adapter->num_active_queues) {
Hi Enju-san,
If I understand things correctly, in the scenario described in the patch
description, num_active_queues will be 8 here.
Won't that result in an overflow?
> + tx_ring = &adapter->tx_rings[i];
> + rx_ring = &adapter->rx_rings[i];
> + }
>
> - /* Rx rings stats */
> - ring = &adapter->rx_rings[i];
> - iavf_add_queue_stats(&data, ring);
> + iavf_add_queue_stats(&data, tx_ring);
> + iavf_add_queue_stats(&data, rx_ring);
> }
> rcu_read_unlock();
> }
...
next prev parent reply other threads:[~2026-02-16 13:19 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-14 19:14 [Intel-wired-lan] [PATCH v1 iwl-net] iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() Kohei Enju
2026-02-14 19:14 ` Kohei Enju
2026-02-16 13:19 ` Simon Horman [this message]
2026-02-16 13:19 ` Simon Horman
2026-02-16 14:44 ` [Intel-wired-lan] " Kohei Enju
2026-02-16 14:44 ` Kohei Enju
2026-02-16 15:17 ` [Intel-wired-lan] " Kohei Enju
2026-02-16 15:17 ` Kohei Enju
2026-02-17 16:02 ` [Intel-wired-lan] " Simon Horman
2026-02-17 16:02 ` Simon Horman
2026-02-18 5:39 ` [Intel-wired-lan] " Przemek Kitszel
2026-02-18 5:39 ` Przemek Kitszel
2026-02-18 6:31 ` [Intel-wired-lan] " Kohei Enju
2026-02-18 6:31 ` Kohei Enju
2026-02-18 8:00 ` [Intel-wired-lan] " Paul Menzel
2026-03-19 9:14 ` Romanowski, Rafal
2026-03-19 9:14 ` Romanowski, Rafal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aZMZTTXWtIO1ERpm@horms.kernel.org \
--to=horms@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=anthony.l.nguyen@intel.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=jedrzej.jagielski@intel.com \
--cc=kohei.enju@gmail.com \
--cc=kohei@enjuk.jp \
--cc=kuba@kernel.org \
--cc=mateusz.palczewski@intel.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=przemyslaw.kitszel@intel.com \
--cc=przemyslawx.patynowski@intel.com \
--cc=witoldx.fijalkowski@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.