From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Chan Subject: [PATCH net 2/2] bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine. Date: Thu, 4 Jan 2018 18:46:55 -0500 Message-ID: <1515109615-22695-3-git-send-email-michael.chan@broadcom.com> References: <1515109615-22695-1-git-send-email-michael.chan@broadcom.com> Cc: netdev@vger.kernel.org To: davem@davemloft.net Return-path: Received: from mail-qk0-f196.google.com ([209.85.220.196]:41241 "EHLO mail-qk0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751322AbeADXrG (ORCPT ); Thu, 4 Jan 2018 18:47:06 -0500 Received: by mail-qk0-f196.google.com with SMTP id a8so4020416qkb.8 for ; Thu, 04 Jan 2018 15:47:06 -0800 (PST) In-Reply-To: <1515109615-22695-1-git-send-email-michael.chan@broadcom.com> Sender: netdev-owner@vger.kernel.org List-ID: From: Venkat Duvvuru In bnxt_vf_ndo_prep (which is called by bnxt_get_vf_config ndo), there is a check for "Invalid VF id". Currently, the check is done against max_vfs. However, the user doesn't always create max_vfs. So, the check should be against the created number of VFs. The number of bnxt_vf_info structures that are allocated in bnxt_alloc_vf_resources routine is the "number of requested VFs". So, if an "invalid VF id" falls between the requested number of VFs and the max_vfs, the driver will be dereferencing an invalid pointer. Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") Signed-off-by: Venkat Devvuru Signed-off-by: Michael Chan --- drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c index 5ee1866..c961767 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c @@ -70,7 +70,7 @@ static int bnxt_vf_ndo_prep(struct bnxt *bp, int vf_id) netdev_err(bp->dev, "vf ndo called though sriov is disabled\n"); return -EINVAL; } - if (vf_id >= bp->pf.max_vfs) { + if (vf_id >= bp->pf.active_vfs) { netdev_err(bp->dev, "Invalid VF id %d\n", vf_id); return -EINVAL; } -- 1.8.3.1