* [PATCH net] qede: Fix out-of-bound fastpath memory access
@ 2016-10-29 14:04 Yuval Mintz
2016-10-30 0:52 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Yuval Mintz @ 2016-10-29 14:04 UTC (permalink / raw)
To: davem, netdev; +Cc: Yuval Mintz
Driver allocates a shadow array for transmitted SKBs with X entries;
That means valid indices are {0,...,X - 1}. [X == 8191]
Problem is the driver also uses X as a mask for a
producer/consumer in order to choose the right entry in the
array which allows access to entry X which is out of bounds.

To fix this, simply allocate X + 1 entries in the shadow array.

Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
---
Hi Dave,
Please consider applying this to `net'.
Thanks,
Yuval
---
drivers/net/ethernet/qlogic/qede/qede_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c
index 444b271..7def29a 100644
--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
+++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
@@ -2940,7 +2940,7 @@ static int qede_alloc_mem_txq(struct qede_dev *edev, struct qede_tx_queue *txq)
txq->num_tx_buffers = edev->q_num_tx_buffers;
/* Allocate the parallel driver ring for Tx buffers */
- size = sizeof(*txq->sw_tx_ring) * NUM_TX_BDS_MAX;
+ size = sizeof(*txq->sw_tx_ring) * TX_RING_SIZE;
txq->sw_tx_ring = kzalloc(size, GFP_KERNEL);
if (!txq->sw_tx_ring) {
DP_NOTICE(edev, "Tx buffers ring allocation failed\n");
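Review bot: On the size computation for sw_tx_ring, the fix only holds if TX_RING_SIZE is at least one more than the value used as the index mask, and neither its definition nor the masking site is visible in this patch. The existing comment above the allocation should say that, per the commit message, the ring is indexed with a mask of X and therefore needs X + 1 entries, so that a later cleanup does not switch back to NUM_TX_BDS_MAX. Since the line is touched anyway, kcalloc(TX_RING_SIZE, sizeof(*txq->sw_tx_ring), GFP_KERNEL) would express the array allocation directly instead of an open-coded multiplication.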
@@ -2951,7 +2951,7 @@ static int qede_alloc_mem_txq(struct qede_dev *edev, struct qede_tx_queue *txq)
QED_CHAIN_USE_TO_CONSUME_PRODUCE,
QED_CHAIN_MODE_PBL,
QED_CHAIN_CNT_TYPE_U16,
- NUM_TX_BDS_MAX,
+ TX_RING_SIZE,
sizeof(*p_virt), &txq->tx_pbl);
if (rc)
goto err;
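Review bot: The element count passed to the chain allocation for txq->tx_pbl also changes from NUM_TX_BDS_MAX to TX_RING_SIZE, but the commit message only describes growing the shadow array. If the chain has to be sized to match the shadow ring, or was itself one element short, the changelog should say so; as written, a reader cannot tell whether this second change is part of the out-of-bounds fix or a separate behaviour change. It is also worth stating that the larger count still fits the QED_CHAIN_CNT_TYPE_U16 counter selected two lines above.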
--
1.9.3
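The indexing problem described in the commit message above, modelled in user space as an added example (not code from the qede driver or from the patch author). The struct and function names are hypothetical, and the only value taken from the page is X == 8191; the model checks indices instead of touching memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value from the commit message: X == 8191 (0x1FFF). */
#define X_ENTRIES 8191u

/* Hypothetical model of a shadow ring: 'entries' allocated slots,
 * slot chosen as (16-bit counter & mask). */
struct shadow_ring_model {
    size_t entries;
    uint16_t mask;
};

/* Walk every 16-bit producer value and count how many of them select
 * a slot index that lies outside the allocation. */
static unsigned count_oob_indices(const struct shadow_ring_model *r)
{
    unsigned oob = 0;
    for (uint32_t prod = 0; prod <= UINT16_MAX; prod++) {
        size_t idx = (uint16_t)prod & r->mask;
        if (idx >= r->entries)
            oob++;
    }
    return oob;
}

/* Mask indexing stays in bounds only if the allocation covers index
 * 'mask' itself; mask + 1 being a power of two additionally makes the
 * counter wrap over every slot in order. */
static int mask_indexing_is_sound(const struct shadow_ring_model *r)
{
    uint32_t span = (uint32_t)r->mask + 1u;
    return (span & (span - 1u)) == 0 && r->entries >= span;
}

int main(void)
{
    struct shadow_ring_model before = { X_ENTRIES, X_ENTRIES };     /* X entries */
    struct shadow_ring_model after = { X_ENTRIES + 1u, X_ENTRIES }; /* X + 1 entries */

    printf("before: %u out-of-bounds indices, sound=%d\n",
           count_oob_indices(&before), mask_indexing_is_sound(&before));
    printf("after:  %u out-of-bounds indices, sound=%d\n",
           count_oob_indices(&after), mask_indexing_is_sound(&after));
    return 0;
}
```

With X entries, one producer value in every 8192 lands on index X, which is why the access is rare enough to survive normal testing.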
* Re: [PATCH net] qede: Fix out-of-bound fastpath memory access
2016-10-29 14:04 [PATCH net] qede: Fix out-of-bound fastpath memory access Yuval Mintz
@ 2016-10-30 0:52 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2016-10-30 0:52 UTC (permalink / raw)
To: Yuval.Mintz; +Cc: netdev
From: Yuval Mintz <Yuval.Mintz@cavium.com>
Date: Sat, 29 Oct 2016 17:04:35 +0300
> Driver allocates a shadow array for transmitted SKBs with X entries;
> That means valid indices are {0,...,X - 1}. [X == 8191]
> Problem is the driver also uses X as a mask for a
> producer/consumer in order to choose the right entry in the
> array which allows access to entry X which is out of bounds.
>
> To fix this, simply allocate X + 1 entries in the shadow array.
>
> Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
Applied.