From: Dan Jurgens <danielj@nvidia.com>
To: Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux.dev, parav@nvidia.com,
shshitrit@nvidia.com, yohadt@nvidia.com,
xuanzhuo@linux.alibaba.com, eperezma@redhat.com, jgg@ziepe.ca,
kevin.tian@intel.com, kuba@kernel.org, andrew+netdev@lunn.ch,
edumazet@google.com
Subject: Re: [PATCH net-next v17 07/12] virtio_net: Implement layer 2 ethtool flow rules
Date: Tue, 3 Feb 2026 15:40:24 -0600
Message-ID: <a3aec539-9468-4273-b7fa-6705331c9b92@nvidia.com>
In-Reply-To: <90017867-2649-4632-8497-96e2592c73c3@redhat.com>

On 2/3/26 3:19 AM, Paolo Abeni wrote:
> Hi,
>
> The AI review reported a possible issue that looks valid to me.
> Reporting the feedback manually because I think only one of the AI
> remarks is valid, see below.
>
> On 2/2/26 6:05 PM, Daniel Jurgens wrote:
>> +static bool validate_eth_mask(const struct virtnet_ff *ff,
>> + const struct virtio_net_ff_selector *sel,
>> + const struct virtio_net_ff_selector *sel_cap)
>> +{
>> + bool partial_mask = !!(sel_cap->flags & VIRTIO_NET_FF_MASK_F_PARTIAL_MASK);
>> + struct ethhdr *cap, *mask;
>> + struct ethhdr zeros = {};
>> +
>> + cap = (struct ethhdr *)&sel_cap->mask;
>> + mask = (struct ethhdr *)&sel->mask;
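
Review bot: the two casts at the end of this hunk drop the const qualifier: sel and sel_cap are const pointers, but cap and mask are declared as plain struct ethhdr *. Declaring them as const struct ethhdr *cap, *mask and casting to const struct ethhdr * keeps the compiler enforcing that the device-reported capability and the rule's mask are only read here. The casts also assume each mask holds at least sizeof(struct ethhdr) bytes, and nothing in the visible lines compares sel_cap->length or sel->length against that size before the cast.
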
>
> This function casts sel_cap->mask to struct ethhdr * and accesses fields
> at offsets 0, 6, and 12. Shouldn't there be validation that
> sel_cap->length is at least sizeof(struct ethhdr) = 14 bytes?
>
> Looking at virtnet_ff_init() at line 6291, it only checks that
> sel->length <= MAX_SEL_LEN (40 bytes) but doesn't enforce a minimum
> length for the ETH selector type. If a device provides an ETH selector
> capability with length < 14 bytes, won't validate_eth_mask() read beyond
> the allocated mask array?

It won't read beyond the end of the array. When we retrieve the selector
caps we make sure that the size of all the selectors and their data
is less than what we allocated. So I don't think this is really a bug.
I'll change the check here to be sel->length !=
get_mask_size(sel->type). It'll fail in a clearer way if this is the case.

	if (sel->length > MAX_SEL_LEN ||
	    test_and_set_bit(sel->type, &sel_types)) {
		WARN_ON_ONCE(true);
		err = -EINVAL;
		goto err_ff_action;
	}

> ---
>
> Note that the AI review additionally reported a possible leak on xarray,
> but I think it got confused, possibly because it ran out of tokens and
> mixed up the patch context.
>
Yes, I saw this and it didn't make sense.
> /P
>
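
The difference between the upper-bound check quoted in the reply and the exact-length check it proposes, as an added userspace sketch that is not code from the patch series. The struct, the type ids and the body of get_mask_size() are simplified stand-ins assumed for illustration; only MAX_SEL_LEN = 40 and the 14-byte Ethernet header size come from the thread.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SEL_LEN 40	/* upper bound quoted in the thread */
#define ETH_HDR_LEN 14	/* sizeof(struct ethhdr), as stated in the thread */

/* Hypothetical type ids for this sketch, not the driver's values. */
enum { SEL_TYPE_ETH = 1, SEL_TYPE_MAX = 8 };

/* Simplified stand-in for a device-reported selector capability. */
struct sel_cap {
	uint8_t type;
	uint8_t length;	/* bytes of mask[] the device says are valid */
	uint8_t mask[MAX_SEL_LEN];
};

/* Stand-in for the get_mask_size() named in the reply; 0 = unknown type. */
static size_t get_mask_size(uint8_t type)
{
	return type == SEL_TYPE_ETH ? ETH_HDR_LEN : 0;
}

/* Modelled on the quoted check: upper bound and duplicate type only. */
static int check_upper_bound(const struct sel_cap *sel, unsigned long *seen)
{
	if (sel->type >= SEL_TYPE_MAX || sel->length > MAX_SEL_LEN ||
	    (*seen & (1UL << sel->type)))
		return -1;
	*seen |= 1UL << sel->type;
	return 0;
}

/* Exact-length check: the mask must be the size of the header it is cast to. */
static int check_exact_len(const struct sel_cap *sel, unsigned long *seen)
{
	size_t want = get_mask_size(sel->type);
	if (!want || sel->length != want)
		return -1;
	return check_upper_bound(sel, seen);
}

int main(void)
{
	/* Constructed input: an ETH capability whose mask is only 6 bytes. */
	struct sel_cap short_eth = { .type = SEL_TYPE_ETH, .length = 6 };
	unsigned long a = 0, b = 0;
	printf("upper-bound check: %d, exact-length check: %d\n",
	       check_upper_bound(&short_eth, &a), check_exact_len(&short_eth, &b));
	return 0;
}
```

With the upper-bound check alone, the 6-byte ETH capability is accepted and any later cast to a 14-byte header reads mask bytes the device never declared valid; the exact-length check rejects it when the capabilities are parsed.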