From: Simon Horman <horms@kernel.org>
To: Jacob Keller <jacob.e.keller@intel.com>
Cc: Aleksandr Loktionov <aleksandr.loktionov@intel.com>,
intel-wired-lan@lists.osuosl.org, anthony.l.nguyen@intel.com,
netdev@vger.kernel.org, Paul Greenwalt <paul.greenwalt@intel.com>
Subject: Re: [Intel-wired-lan] [PATCH iwl-net v2 2/6] ixgbe: add bounds check for debugfs register access
Date: Tue, 14 Apr 2026 18:16:30 +0100 [thread overview]
Message-ID: <20260414171630.GA772670@horms.kernel.org> (raw)
In-Reply-To: <dda1f0f3-f57b-418a-93e6-2cdaa1d2ef35@intel.com>
On Mon, Apr 13, 2026 at 06:00:28PM -0700, Jacob Keller wrote:
> On 4/13/2026 3:30 AM, Simon Horman wrote:
> > On Wed, Apr 08, 2026 at 03:11:50PM +0200, Aleksandr Loktionov wrote:
> >> From: Paul Greenwalt <paul.greenwalt@intel.com>
> >>
> >> Prevent out-of-bounds MMIO accesses triggered through user-controlled
> >> register offsets. IXGBE_HFDR (0x15FE8) is the highest valid MMIO
> >> register in the ixgbe register map; any offset beyond it would address
> >> unmapped memory.
> >>
> >> Add a defense-in-depth check at two levels:
> >>
> >> 1. ixgbe_read_reg() -- the noinline register read accessor. A
> >> WARN_ON_ONCE() guard here catches any future code path (including
> >> ioctl extensions) that might inadvertently pass an out-of-range
> >> offset without relying on higher layers to catch it first.
> >> ixgbe_write_reg() is a static inline called from the TX/RX hot path;
> >> adding WARN_ON_ONCE there would inline the check at every call site,
> >> so only the read path gets this guard.
> >>
> >> 2. ixgbe_dbg_reg_ops_write() -- the debugfs 'reg_ops' interface is the
> >> only current path where a raw, user-supplied offset enters the driver.
> >> Gating it before invoking the register accessors provides a clean,
> >> user-visible failure (silent ignore with no kernel splat) for
> >> deliberately malformed debugfs writes.
> >>
> >> Add a reg <= IXGBE_HFDR guard to both the read and write paths in
> >> ixgbe_dbg_reg_ops_write(), and a WARN_ON_ONCE + early-return guard to
> >> ixgbe_read_reg().
> >>
> >> Fixes: 91fbd8f081e2 ("ixgbe: added reg_ops file to debugfs")
> >> Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
> >> Cc: stable@vger.kernel.org
> >> Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
> >> ---
> >> v1 -> v2:
> >> - Add Fixes: tag; reroute from iwl-next to iwl-net (security-relevant
> >> hardening for user-controllable out-of-bounds MMIO).
> >
> > Thanks for the update.
> >
> > And sorry for not thinking to ask this earlier: this patch
> > addresses possible overruns of the mapped address space if the
> > supplied value for reg is too large. But do we also need a
> > guard against underrun if the value for reg is too small?
> >
>
> I don't think so. This is bounds checking a register offset which is an
> unsigned 32-bit value and begins at 0, so the map goes from 0 to
> IXGBE_HFDR. Since the value is unsigned, if it does underflow somehow it
> would then get caught by the check for IXGBE_HFDR right?
If the entire range from 0 to IXGBE_HFDR is mapped,
and it's ok for reg to have any value in that range,
then I agree there is no problem here.
Reviewed-by: Simon Horman <horms@kernel.org>
next prev parent reply other threads:[~2026-04-14 17:16 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 13:11 [PATCH iwl-net v2 0/6] ixgbe: six bug fixes Aleksandr Loktionov
2026-04-08 13:11 ` [PATCH iwl-net v2 1/6] ixgbe: fix SWFW semaphore timeout for X550 family Aleksandr Loktionov
2026-04-13 10:52 ` Simon Horman
2026-04-14 0:56 ` [Intel-wired-lan] " Jacob Keller
2026-04-08 13:11 ` [PATCH iwl-net v2 2/6] ixgbe: add bounds check for debugfs register access Aleksandr Loktionov
2026-04-13 10:30 ` Simon Horman
2026-04-14 1:00 ` [Intel-wired-lan] " Jacob Keller
2026-04-14 17:16 ` Simon Horman [this message]
2026-04-08 13:11 ` [PATCH iwl-net v2 3/6] ixgbe: call ixgbe_setup_fc() before fc_enable() after NVM update Aleksandr Loktionov
2026-04-13 10:51 ` Simon Horman
2026-04-08 13:11 ` [PATCH iwl-net v2 4/6] ixgbe: fix cls_u32 nexthdr path returning success when no entry installed Aleksandr Loktionov
2026-04-13 10:54 ` Simon Horman
2026-04-08 13:11 ` [PATCH iwl-net v2 5/6] ixgbe: fix ITR value overflow in adaptive interrupt throttling Aleksandr Loktionov
2026-04-13 13:39 ` Simon Horman
2026-04-08 13:11 ` [PATCH iwl-net v2 6/6] ixgbe: fix integer overflow and wrong bit position in ixgbe_validate_rtr() Aleksandr Loktionov
2026-04-13 13:43 ` Simon Horman
2026-04-13 14:02 ` Simon Horman
2026-04-13 14:03 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260414171630.GA772670@horms.kernel.org \
--to=horms@kernel.org \
--cc=aleksandr.loktionov@intel.com \
--cc=anthony.l.nguyen@intel.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=jacob.e.keller@intel.com \
--cc=netdev@vger.kernel.org \
--cc=paul.greenwalt@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox