From: spinler@cesnet.cz
To: dev@dpdk.org
Cc: Martin Spinler <spinler@cesnet.cz>, stable@dpdk.org
Subject: [PATCH v5 2/6] net/nfb: fix bad pointer access in queue stats
Date: Mon, 2 Feb 2026 20:33:26 +0100 [thread overview]
Message-ID: <20260202193330.3324681-3-spinler@cesnet.cz> (raw)
In-Reply-To: <20260202193330.3324681-1-spinler@cesnet.cz>
From: Martin Spinler <spinler@cesnet.cz>
The driver code has dereferenced the dev->data->rx_queues pointer
without checking for its validity.
Pointer invalidation can occur when the eth_dev_rx_queue_config
is called with set to 0, for example.
Moreover, an array of pointers (to a structure) was used like array
of structures (which worked with early dereference just for one queue).
Fixes: 6435f9a0ac22 ("net/nfb: add new netcope driver")
Cc: stable@dpdk.org
Signed-off-by: Martin Spinler <spinler@cesnet.cz>
---
drivers/net/nfb/nfb_stats.c | 46 ++++++++++++++++++-------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/drivers/net/nfb/nfb_stats.c b/drivers/net/nfb/nfb_stats.c
index 4ea6b7be21..27a01c3160 100644
--- a/drivers/net/nfb/nfb_stats.c
+++ b/drivers/net/nfb/nfb_stats.c
@@ -20,28 +20,28 @@ nfb_eth_stats_get(struct rte_eth_dev *dev, struct rte_eth_stats *stats,
uint64_t rx_total_bytes = 0;
uint64_t tx_total_bytes = 0;
- struct ndp_rx_queue *rx_queue = *((struct ndp_rx_queue **)
- dev->data->rx_queues);
- struct ndp_tx_queue *tx_queue = *((struct ndp_tx_queue **)
- dev->data->tx_queues);
+ struct ndp_rx_queue *rx_queue;
+ struct ndp_tx_queue *tx_queue;
for (i = 0; i < nb_rx; i++) {
+ rx_queue = dev->data->rx_queues[i];
if (qstats && i < RTE_ETHDEV_QUEUE_STAT_CNTRS) {
- qstats->q_ipackets[i] = rx_queue[i].rx_pkts;
- qstats->q_ibytes[i] = rx_queue[i].rx_bytes;
+ qstats->q_ipackets[i] = rx_queue->rx_pkts;
+ qstats->q_ibytes[i] = rx_queue->rx_bytes;
}
- rx_total += rx_queue[i].rx_pkts;
- rx_total_bytes += rx_queue[i].rx_bytes;
+ rx_total += rx_queue->rx_pkts;
+ rx_total_bytes += rx_queue->rx_bytes;
}
for (i = 0; i < nb_tx; i++) {
+ tx_queue = dev->data->tx_queues[i];
if (qstats && i < RTE_ETHDEV_QUEUE_STAT_CNTRS) {
- qstats->q_opackets[i] = tx_queue[i].tx_pkts;
- qstats->q_obytes[i] = tx_queue[i].tx_bytes;
+ qstats->q_opackets[i] = tx_queue->tx_pkts;
+ qstats->q_obytes[i] = tx_queue->tx_bytes;
}
- tx_total += tx_queue[i].tx_pkts;
- tx_total_bytes += tx_queue[i].tx_bytes;
- tx_err_total += tx_queue[i].err_pkts;
+ tx_total += tx_queue->tx_pkts;
+ tx_total_bytes += tx_queue->tx_bytes;
+ tx_err_total += tx_queue->err_pkts;
}
stats->ipackets = rx_total;
@@ -59,20 +59,20 @@ nfb_eth_stats_reset(struct rte_eth_dev *dev)
uint16_t nb_rx = dev->data->nb_rx_queues;
uint16_t nb_tx = dev->data->nb_tx_queues;
- struct ndp_rx_queue *rx_queue = *((struct ndp_rx_queue **)
- dev->data->rx_queues);
- struct ndp_tx_queue *tx_queue = *((struct ndp_tx_queue **)
- dev->data->tx_queues);
+ struct ndp_rx_queue *rx_queue;
+ struct ndp_tx_queue *tx_queue;
for (i = 0; i < nb_rx; i++) {
- rx_queue[i].rx_pkts = 0;
- rx_queue[i].rx_bytes = 0;
- rx_queue[i].err_pkts = 0;
+ rx_queue = dev->data->rx_queues[i];
+ rx_queue->rx_pkts = 0;
+ rx_queue->rx_bytes = 0;
+ rx_queue->err_pkts = 0;
}
for (i = 0; i < nb_tx; i++) {
- tx_queue[i].tx_pkts = 0;
- tx_queue[i].tx_bytes = 0;
- tx_queue[i].err_pkts = 0;
+ tx_queue = dev->data->tx_queues[i];
+ tx_queue->tx_pkts = 0;
+ tx_queue->tx_bytes = 0;
+ tx_queue->err_pkts = 0;
}
return 0;
--
2.52.0
next prev parent reply other threads:[~2026-02-02 19:33 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-15 14:01 [PATCH 0/6] spinler
2026-01-15 14:01 ` [PATCH 1/6] net/nfb: use constant values for max Rx/Tx queues count spinler
2026-01-15 14:01 ` [PATCH 2/6] net/nfb: fix bad pointer access in queue stats spinler
2026-01-15 14:01 ` [PATCH 3/6] net/nfb: update timestamp calculation to meaningful value spinler
2026-01-15 14:01 ` [PATCH 4/6] net/nfb: use process private variable for internal data spinler
2026-01-15 14:01 ` [PATCH 5/6] net/nfb: release allocated resources correctly spinler
2026-01-15 14:01 ` [PATCH 6/6] net/nfb: stop only started queues in fail path spinler
2026-01-15 14:40 ` [PATCH v2 0/6] net/nfb: code cleanup spinler
2026-01-15 14:40 ` [PATCH v2 1/6] net/nfb: use constant values for max Rx/Tx queues count spinler
2026-01-15 14:40 ` [PATCH v2 2/6] net/nfb: fix bad pointer access in queue stats spinler
2026-01-15 14:40 ` [PATCH v2 3/6] net/nfb: update timestamp calculation to meaningful value spinler
2026-01-15 14:40 ` [PATCH v2 4/6] net/nfb: use process private variable for internal data spinler
2026-01-15 14:40 ` [PATCH v2 5/6] net/nfb: release allocated resources correctly spinler
2026-01-15 14:40 ` [PATCH v2 6/6] net/nfb: stop only started queues in fail path spinler
2026-01-16 5:48 ` [PATCH v2 0/6] net/nfb: code cleanup Stephen Hemminger
2026-01-16 9:42 ` Martin Spinler
2026-01-16 17:39 ` Stephen Hemminger
2026-01-16 15:20 ` spinler
2026-01-16 15:20 ` [PATCH v3 1/6] net/nfb: use constant values for max Rx/Tx queues count spinler
2026-02-02 17:47 ` Stephen Hemminger
2026-02-02 18:58 ` Martin Špinler
2026-01-16 15:20 ` [PATCH v3 2/6] net/nfb: fix bad pointer access in queue stats spinler
2026-01-16 15:20 ` [PATCH v3 3/6] net/nfb: update timestamp calculation to meaningful value spinler
2026-01-16 15:20 ` [PATCH v3 4/6] net/nfb: use process private variable for internal data spinler
2026-01-20 0:13 ` Stephen Hemminger
2026-01-20 14:13 ` Martin Spinler
2026-01-20 16:11 ` Stephen Hemminger
2026-01-16 15:20 ` [PATCH v3 5/6] net/nfb: release allocated resources correctly spinler
2026-01-20 0:10 ` Stephen Hemminger
2026-01-20 14:14 ` Martin Spinler
2026-01-16 15:20 ` [PATCH v3 6/6] net/nfb: stop only started queues in fail path spinler
2026-01-20 0:09 ` Stephen Hemminger
2026-01-20 14:14 ` Martin Spinler
2026-01-16 15:22 ` [PATCH v3 0/6] net/nfb: code cleanup spinler
2026-01-21 4:57 ` Stephen Hemminger
2026-01-21 17:01 ` [PATCH v4 " spinler
2026-01-21 17:01 ` [PATCH v4 1/6] net/nfb: use constant values for max Rx/Tx queues count spinler
2026-01-21 17:01 ` [PATCH v4 2/6] net/nfb: fix bad pointer access in queue stats spinler
2026-01-21 17:01 ` [PATCH v4 3/6] net/nfb: update timestamp calculation to meaningful value spinler
2026-01-21 17:33 ` Stephen Hemminger
2026-01-27 8:12 ` Martin Spinler
2026-01-27 0:34 ` Stephen Hemminger
2026-01-27 8:16 ` Martin Spinler
2026-01-21 17:01 ` [PATCH v4 4/6] net/nfb: use process private variable for internal data spinler
2026-01-21 17:01 ` [PATCH v4 5/6] net/nfb: release allocated resources correctly spinler
2026-01-21 17:01 ` [PATCH v4 6/6] net/nfb: stop only started queues in fail path spinler
2026-01-21 17:35 ` [PATCH v4 0/6] net/nfb: code cleanup Stephen Hemminger
2026-02-02 19:33 ` [PATCH v5 " spinler
2026-02-02 19:33 ` [PATCH v5 1/6] net/nfb: use constant values for max Rx/Tx queues count spinler
2026-02-02 19:33 ` spinler [this message]
2026-02-10 0:51 ` [PATCH v5 2/6] net/nfb: fix bad pointer access in queue stats Stephen Hemminger
2026-02-02 19:33 ` [PATCH v5 3/6] net/nfb: update timestamp calculation to meaningful value spinler
2026-02-02 19:33 ` [PATCH v5 4/6] net/nfb: use process private variable for internal data spinler
2026-02-02 19:33 ` [PATCH v5 5/6] net/nfb: release allocated resources correctly spinler
2026-02-10 0:52 ` Stephen Hemminger
2026-02-02 19:33 ` [PATCH v5 6/6] net/nfb: stop only started queues in fail path spinler
2026-02-03 1:50 ` [PATCH v5 0/6] net/nfb: code cleanup Stephen Hemminger
2026-02-03 6:36 ` Martin Spinler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260202193330.3324681-3-spinler@cesnet.cz \
--to=spinler@cesnet.cz \
--cc=dev@dpdk.org \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox