From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>,
netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>,
Jianbo Liu <jianbol@nvidia.com>, Roi Dayan <roid@nvidia.com>
Subject: [net 07/15] net/mlx5e: Fix overrun reported by coverity
Date: Wed, 13 Dec 2023 17:24:57 -0800 [thread overview]
Message-ID: <20231214012505.42666-8-saeed@kernel.org> (raw)
In-Reply-To: <20231214012505.42666-1-saeed@kernel.org>
From: Jianbo Liu <jianbol@nvidia.com>
Coverity Scan reports the following issue. But it's impossible that
mlx5_get_dev_index returns 7 for PF, even if the index is calculated
from PCI FUNC ID. So add the checking to make coverity slience.
CID 610894 (#2 of 2): Out-of-bounds write (OVERRUN)
Overrunning array esw->fdb_table.offloads.peer_miss_rules of 4 8-byte
elements at element index 7 (byte offset 63) using index
mlx5_get_dev_index(peer_dev) (which evaluates to 7).
Fixes: 9bee385a6e39 ("net/mlx5: E-switch, refactor FDB miss rule add/remove")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
.../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index bb8bcb448ae9..9bd5609cf659 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -1177,9 +1177,9 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw,
struct mlx5_flow_handle *flow;
struct mlx5_flow_spec *spec;
struct mlx5_vport *vport;
+ int err, pfindex;
unsigned long i;
void *misc;
- int err;
if (!MLX5_VPORT_MANAGER(esw->dev) && !mlx5_core_is_ecpf_esw_manager(esw->dev))
return 0;
@@ -1255,7 +1255,15 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw,
flows[vport->index] = flow;
}
}
- esw->fdb_table.offloads.peer_miss_rules[mlx5_get_dev_index(peer_dev)] = flows;
+
+ pfindex = mlx5_get_dev_index(peer_dev);
+ if (pfindex >= MLX5_MAX_PORTS) {
+ esw_warn(esw->dev, "Peer dev index(%d) is over the max num defined(%d)\n",
+ pfindex, MLX5_MAX_PORTS);
+ err = -EINVAL;
+ goto add_ec_vf_flow_err;
+ }
+ esw->fdb_table.offloads.peer_miss_rules[pfindex] = flows;
kvfree(spec);
return 0;
--
2.43.0
next prev parent reply other threads:[~2023-12-14 1:25 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-14 1:24 [pull request][net 00/15] mlx5 fixes 2023-12-13 Saeed Mahameed
2023-12-14 1:24 ` [net 01/15] Revert "net/mlx5e: fix double free of encap_header in update funcs" Saeed Mahameed
2023-12-15 3:10 ` patchwork-bot+netdevbpf
2023-12-14 1:24 ` [net 02/15] Revert "net/mlx5e: fix double free of encap_header" Saeed Mahameed
2023-12-14 1:24 ` [net 03/15] net/mlx5e: fix double free of encap_header Saeed Mahameed
2023-12-14 1:24 ` [net 04/15] net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() Saeed Mahameed
2023-12-14 1:24 ` [net 05/15] net/mlx5e: Fix a race in command alloc flow Saeed Mahameed
2023-12-14 1:24 ` [net 06/15] net/mlx5e: fix a potential double-free in fs_udp_create_groups Saeed Mahameed
2023-12-14 1:24 ` Saeed Mahameed [this message]
2023-12-14 1:24 ` [net 08/15] net/mlx5e: Decrease num_block_tc when unblock tc offload Saeed Mahameed
2023-12-14 1:24 ` [net 09/15] net/mlx5e: XDP, Drop fragmented packets larger than MTU size Saeed Mahameed
2023-12-14 1:25 ` [net 10/15] net/mlx5: Fix fw tracer first block check Saeed Mahameed
2023-12-14 1:25 ` [net 11/15] net/mlx5: Refactor mlx5_flow_destination->rep pointer to vport num Saeed Mahameed
2023-12-14 1:25 ` [net 12/15] net/mlx5e: Fix error code in mlx5e_tc_action_miss_mapping_get() Saeed Mahameed
2023-12-14 1:25 ` [net 13/15] net/mlx5e: Fix error codes in alloc_branch_attr() Saeed Mahameed
2023-12-14 1:25 ` [net 14/15] net/mlx5e: Correct snprintf truncation handling for fw_version buffer Saeed Mahameed
2023-12-14 1:25 ` [net 15/15] net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors Saeed Mahameed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231214012505.42666-8-saeed@kernel.org \
--to=saeed@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jianbol@nvidia.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=roid@nvidia.com \
--cc=saeedm@nvidia.com \
--cc=tariqt@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).