From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kai-Heng Feng <kai.heng.feng@canonical.com>,
Mario Limonciello <mario.limonciello@amd.com>,
Igor Russkikh <irusskikh@marvell.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>,
davem@davemloft.net, pabeni@redhat.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.17 14/34] net: atlantic: Avoid out-of-bounds indexing
Date: Tue, 19 Apr 2022 14:10:41 -0400
Message-ID: <20220419181104.484667-14-sashal@kernel.org>
In-Reply-To: <20220419181104.484667-1-sashal@kernel.org>
From: Kai-Heng Feng <kai.heng.feng@canonical.com>
[ Upstream commit 8d3a6c37d50d5a0504c126c932cc749e6dd9c78f ]
UBSAN warnings are observed on atlantic driver:
[ 294.432996] UBSAN: array-index-out-of-bounds in /build/linux-Qow4fL/linux-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:484:48
[ 294.433695] index 8 is out of range for type 'aq_vec_s *[8]'
The ring is dereferenced right before breaking out of the loop. To prevent
that from happening, only use the index in the loop to fix the issue.
BugLink: https://bugs.launchpad.net/bugs/1958770
Tested-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Reviewed-by: Igor Russkikh <irusskikh@marvell.com>
Link: https://lore.kernel.org/r/20220408022204.16815-1-kai.heng.feng@canonical.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/aquantia/atlantic/aq_nic.c | 8 +++----
.../net/ethernet/aquantia/atlantic/aq_vec.c | 24 +++++++++----------
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
index 33f1a1377588..24d715c28a35 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
@@ -486,8 +486,8 @@ int aq_nic_start(struct aq_nic_s *self)
if (err < 0)
goto err_exit;
- for (i = 0U, aq_vec = self->aq_vec[0];
- self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i]) {
+ for (i = 0U; self->aq_vecs > i; ++i) {
+ aq_vec = self->aq_vec[i];
err = aq_vec_start(aq_vec);
if (err < 0)
goto err_exit;
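Review bot: The out-of-bounds access removed from the for header here was only a load, and the changelog's "dereferenced" suggests more than that. With the old increment clause "++i, aq_vec = self->aq_vec[i]", the last pass reads self->aq_vec[i] at i == self->aq_vecs, and the condition "self->aq_vecs > i" then fails before the loop body uses the value. For stable triage it would help to say that one slot past the array is read (index 8 of 'aq_vec_s *[8]' in the UBSAN report) but the loop body never uses the result. The diffstat shows only these two loops changed in aq_nic.c; please confirm no other loop in that file still uses the comma-increment form.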
@@ -517,8 +517,8 @@ int aq_nic_start(struct aq_nic_s *self)
mod_timer(&self->polling_timer, jiffies +
AQ_CFG_POLLING_TIMER_INTERVAL);
} else {
- for (i = 0U, aq_vec = self->aq_vec[0];
- self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i]) {
+ for (i = 0U; self->aq_vecs > i; ++i) {
+ aq_vec = self->aq_vec[i];
err = aq_pci_func_alloc_irq(self, i, self->ndev->name,
aq_vec_isr, aq_vec,
aq_vec_get_affinity_mask(aq_vec));
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_vec.c b/drivers/net/ethernet/aquantia/atlantic/aq_vec.c
index f4774cf051c9..6ab1f3212d24 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_vec.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_vec.c
@@ -43,8 +43,8 @@ static int aq_vec_poll(struct napi_struct *napi, int budget)
if (!self) {
err = -EINVAL;
} else {
- for (i = 0U, ring = self->ring[0];
- self->tx_rings > i; ++i, ring = self->ring[i]) {
+ for (i = 0U; self->tx_rings > i; ++i) {
+ ring = self->ring[i];
u64_stats_update_begin(&ring[AQ_VEC_RX_ID].stats.rx.syncp);
ring[AQ_VEC_RX_ID].stats.rx.polls++;
u64_stats_update_end(&ring[AQ_VEC_RX_ID].stats.rx.syncp);
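Review bot: The loop in aq_vec_poll() is still bounded by self->tx_rings while the first lines of the body update ring[AQ_VEC_RX_ID].stats.rx, so the RX entry is touched for every TX index. aq_vec_ring_free() in this same patch guards its RX access with "if (i < self->rx_rings)". Either add the same guard here, or, if tx_rings and rx_rings are guaranteed equal for a vector, say so in a comment so the asymmetry between the two functions is explained.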
@@ -182,8 +182,8 @@ int aq_vec_init(struct aq_vec_s *self, const struct aq_hw_ops *aq_hw_ops,
self->aq_hw_ops = aq_hw_ops;
self->aq_hw = aq_hw;
- for (i = 0U, ring = self->ring[0];
- self->tx_rings > i; ++i, ring = self->ring[i]) {
+ for (i = 0U; self->tx_rings > i; ++i) {
+ ring = self->ring[i];
err = aq_ring_init(&ring[AQ_VEC_TX_ID], ATL_RING_TX);
if (err < 0)
goto err_exit;
@@ -224,8 +224,8 @@ int aq_vec_start(struct aq_vec_s *self)
unsigned int i = 0U;
int err = 0;
- for (i = 0U, ring = self->ring[0];
- self->tx_rings > i; ++i, ring = self->ring[i]) {
+ for (i = 0U; self->tx_rings > i; ++i) {
+ ring = self->ring[i];
err = self->aq_hw_ops->hw_ring_tx_start(self->aq_hw,
&ring[AQ_VEC_TX_ID]);
if (err < 0)
@@ -248,8 +248,8 @@ void aq_vec_stop(struct aq_vec_s *self)
struct aq_ring_s *ring = NULL;
unsigned int i = 0U;
- for (i = 0U, ring = self->ring[0];
- self->tx_rings > i; ++i, ring = self->ring[i]) {
+ for (i = 0U; self->tx_rings > i; ++i) {
+ ring = self->ring[i];
self->aq_hw_ops->hw_ring_tx_stop(self->aq_hw,
&ring[AQ_VEC_TX_ID]);
@@ -268,8 +268,8 @@ void aq_vec_deinit(struct aq_vec_s *self)
if (!self)
goto err_exit;
- for (i = 0U, ring = self->ring[0];
- self->tx_rings > i; ++i, ring = self->ring[i]) {
+ for (i = 0U; self->tx_rings > i; ++i) {
+ ring = self->ring[i];
aq_ring_tx_clean(&ring[AQ_VEC_TX_ID]);
aq_ring_rx_deinit(&ring[AQ_VEC_RX_ID]);
}
@@ -297,8 +297,8 @@ void aq_vec_ring_free(struct aq_vec_s *self)
if (!self)
goto err_exit;
- for (i = 0U, ring = self->ring[0];
- self->tx_rings > i; ++i, ring = self->ring[i]) {
+ for (i = 0U; self->tx_rings > i; ++i) {
+ ring = self->ring[i];
aq_ring_free(&ring[AQ_VEC_TX_ID]);
if (i < self->rx_rings)
aq_ring_free(&ring[AQ_VEC_RX_ID]);
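Review bot: This is the sixth copy in aq_vec.c of the pattern "for (i = 0U; self->tx_rings > i; ++i) {" followed by "ring = self->ring[i];", and each copy has to be kept in step by hand. A small iterator macro or inline helper that pairs the bound check with the row lookup would keep the comma-increment form from coming back through a later copy and paste. That can be a follow-up so this fix stays minimal for stable.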
--
2.35.1