From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Arthur Kiyanovski <akiyano@amazon.com>,
Sameeh Jubran <sameehj@amazon.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 37/50] net: ena: fix corruption of dev_idx_to_host_tbl
Date: Sat, 22 Feb 2020 21:22:22 -0500 [thread overview]
Message-ID: <20200223022235.1404-37-sashal@kernel.org> (raw)
In-Reply-To: <20200223022235.1404-1-sashal@kernel.org>
From: Arthur Kiyanovski <akiyano@amazon.com>
[ Upstream commit e3f89f91e98ce07dc0f121a3b70d21aca749ba39 ]
The function ena_com_ind_tbl_convert_from_device() has an overflow
bug as explained below. Either way, this function is not needed at
all since we don't retrieve the indirection table from the device
at any point which means that this conversion is not needed.
The bug:
The for loop iterates over all io_sq_queues, when passing the actual
number of used queues the io_sq_queues[i].idx equals 0 since they are
uninitialized which results in the following code to be executed till
the end of the loop:
dev_idx_to_host_tbl[0] = i;
This results dev_idx_to_host_tbl[0] in being equal to
ENA_TOTAL_NUM_QUEUES - 1.
Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
Signed-off-by: Sameeh Jubran <sameehj@amazon.com>
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amazon/ena/ena_com.c | 28 -----------------------
1 file changed, 28 deletions(-)
diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
index 8ab192cb26b74..74743fd8a1e0a 100644
--- a/drivers/net/ethernet/amazon/ena/ena_com.c
+++ b/drivers/net/ethernet/amazon/ena/ena_com.c
@@ -1281,30 +1281,6 @@ static int ena_com_ind_tbl_convert_to_device(struct ena_com_dev *ena_dev)
return 0;
}
-static int ena_com_ind_tbl_convert_from_device(struct ena_com_dev *ena_dev)
-{
- u16 dev_idx_to_host_tbl[ENA_TOTAL_NUM_QUEUES] = { (u16)-1 };
- struct ena_rss *rss = &ena_dev->rss;
- u8 idx;
- u16 i;
-
- for (i = 0; i < ENA_TOTAL_NUM_QUEUES; i++)
- dev_idx_to_host_tbl[ena_dev->io_sq_queues[i].idx] = i;
-
- for (i = 0; i < 1 << rss->tbl_log_size; i++) {
- if (rss->rss_ind_tbl[i].cq_idx > ENA_TOTAL_NUM_QUEUES)
- return -EINVAL;
- idx = (u8)rss->rss_ind_tbl[i].cq_idx;
-
- if (dev_idx_to_host_tbl[idx] > ENA_TOTAL_NUM_QUEUES)
- return -EINVAL;
-
- rss->host_rss_ind_tbl[i] = dev_idx_to_host_tbl[idx];
- }
-
- return 0;
-}
-
static void ena_com_update_intr_delay_resolution(struct ena_com_dev *ena_dev,
u16 intr_delay_resolution)
{
@@ -2638,10 +2614,6 @@ int ena_com_indirect_table_get(struct ena_com_dev *ena_dev, u32 *ind_tbl)
if (!ind_tbl)
return 0;
- rc = ena_com_ind_tbl_convert_from_device(ena_dev);
- if (unlikely(rc))
- return rc;
-
for (i = 0; i < (1 << rss->tbl_log_size); i++)
ind_tbl[i] = rss->host_rss_ind_tbl[i];
--
2.20.1
next prev parent reply other threads:[~2020-02-23 2:23 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200223022235.1404-1-sashal@kernel.org>
2020-02-23 2:21 ` [PATCH AUTOSEL 5.4 07/50] mac80211: consider more elements in parsing CRC Sasha Levin
2020-02-23 2:21 ` [PATCH AUTOSEL 5.4 08/50] cfg80211: check wiphy driver existence for drvinfo report Sasha Levin
2020-02-23 2:21 ` [PATCH AUTOSEL 5.4 10/50] qmi_wwan: re-add DW5821e pre-production variant Sasha Levin
2020-02-23 2:21 ` [PATCH AUTOSEL 5.4 11/50] qmi_wwan: unconditionally reject 2 ep interfaces Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 28/50] i40e: Fix the conditional for i40e_vc_validate_vqs_bitmaps Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 29/50] net: ena: fix potential crash when rxfh key is NULL Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 30/50] net: ena: fix uses of round_jiffies() Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 31/50] net: ena: add missing ethtool TX timestamping indication Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 32/50] net: ena: fix incorrect default RSS key Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 33/50] net: ena: rss: do not allocate key when not supported Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 34/50] net: ena: rss: fix failure to get indirection table Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 35/50] net: ena: rss: store hash function as values and not bits Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 36/50] net: ena: fix incorrectly saving queue numbers when setting RSS indirection table Sasha Levin
2020-02-23 2:22 ` Sasha Levin [this message]
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 38/50] net: ena: ethtool: use correct value for crc32 hash Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 39/50] net: ena: ena-com.c: prevent NULL pointer dereference Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 40/50] enic: prevent waking up stopped tx queues over watchdog reset Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 41/50] ice: update Unit Load Status bitmask to check after reset Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 44/50] cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 45/50] mac80211: fix wrong 160/80+80 MHz setting Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 46/50] net: hns3: add management table after IMP reset Sasha Levin
2020-02-23 2:22 ` [PATCH AUTOSEL 5.4 47/50] net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200223022235.1404-37-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=akiyano@amazon.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sameehj@amazon.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).