* [PATCH net 1/3] net: hns3: using the num_tqps in the vf driver to apply for resources
2025-12-09 13:38 [PATCH net 0/3] There are some bugfix for the HNS3 ethernet driver Jijie Shao
@ 2025-12-09 13:38 ` Jijie Shao
2025-12-09 16:59 ` Simon Horman
2025-12-09 13:38 ` [PATCH net 2/3] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Jijie Shao
2025-12-09 13:38 ` [PATCH net 3/3] net: hns3: add VLAN id validation before using Jijie Shao
2 siblings, 1 reply; 9+ messages in thread
From: Jijie Shao @ 2025-12-09 13:38 UTC (permalink / raw)
To: davem, edumazet, kuba, pabeni, andrew+netdev, horms
Cc: shenjian15, liuyonglong, chenhao418, lantao5, huangdonghua3,
yangshuaisong, jonathan.cameron, salil.mehta, netdev,
linux-kernel, shaojijie
From: Jian Shen <shenjian15@huawei.com>
Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp
is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to
min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller
than hdev->num_tqps, which causes some hdev->htqp[i] to remain
uninitialized in hclgevf_knic_setup().
Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,
ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent
and that all elements are properly initialized.
Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
---
drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
index 8fcf220a120d..70327a73dee3 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
@@ -368,12 +368,12 @@ static int hclgevf_knic_setup(struct hclgevf_dev *hdev)
new_tqps = kinfo->rss_size * num_tc;
kinfo->num_tqps = min(new_tqps, hdev->num_tqps);
- kinfo->tqp = devm_kcalloc(&hdev->pdev->dev, kinfo->num_tqps,
+ kinfo->tqp = devm_kcalloc(&hdev->pdev->dev, hdev->num_tqps,
sizeof(struct hnae3_queue *), GFP_KERNEL);
if (!kinfo->tqp)
return -ENOMEM;
- for (i = 0; i < kinfo->num_tqps; i++) {
+ for (i = 0; i < hdev->num_tqps; i++) {
hdev->htqp[i].q.handle = &hdev->nic;
hdev->htqp[i].q.tqp_index = i;
kinfo->tqp[i] = &hdev->htqp[i].q;
--
2.33.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH net 1/3] net: hns3: using the num_tqps in the vf driver to apply for resources
2025-12-09 13:38 ` [PATCH net 1/3] net: hns3: using the num_tqps in the vf driver to apply for resources Jijie Shao
@ 2025-12-09 16:59 ` Simon Horman
0 siblings, 0 replies; 9+ messages in thread
From: Simon Horman @ 2025-12-09 16:59 UTC (permalink / raw)
To: Jijie Shao
Cc: davem, edumazet, kuba, pabeni, andrew+netdev, shenjian15,
liuyonglong, chenhao418, lantao5, huangdonghua3, yangshuaisong,
jonathan.cameron, salil.mehta, netdev, linux-kernel
On Tue, Dec 09, 2025 at 09:38:23PM +0800, Jijie Shao wrote:
> From: Jian Shen <shenjian15@huawei.com>
>
> Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp
> is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to
> min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller
> than hdev->num_tqps, which causes some hdev->htqp[i] to remain
> uninitialized in hclgevf_knic_setup().
>
> Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,
> ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent
> and that all elements are properly initialized.
>
> Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support")
> Signed-off-by: Jian Shen <shenjian15@huawei.com>
> Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH net 2/3] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
2025-12-09 13:38 [PATCH net 0/3] There are some bugfix for the HNS3 ethernet driver Jijie Shao
2025-12-09 13:38 ` [PATCH net 1/3] net: hns3: using the num_tqps in the vf driver to apply for resources Jijie Shao
@ 2025-12-09 13:38 ` Jijie Shao
2025-12-09 16:59 ` Simon Horman
2025-12-09 13:38 ` [PATCH net 3/3] net: hns3: add VLAN id validation before using Jijie Shao
2 siblings, 1 reply; 9+ messages in thread
From: Jijie Shao @ 2025-12-09 13:38 UTC (permalink / raw)
To: davem, edumazet, kuba, pabeni, andrew+netdev, horms
Cc: shenjian15, liuyonglong, chenhao418, lantao5, huangdonghua3,
yangshuaisong, jonathan.cameron, salil.mehta, netdev,
linux-kernel, shaojijie
From: Jian Shen <shenjian15@huawei.com>
Currently, rss_size = num_tqps / tc_num. If tc_num is 1, then num_tqps
equals rss_size. However, if the tc_num is greater than 1, then rss_size
will be less than num_tqps, causing the tqp_index check for subsequent TCs
using rss_size to always fail.
This patch uses the num_tqps to check whether tqp_index is out of range,
instead of rss_size.
Fixes: 326334aad024 ("net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx()")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
index c7ff12a6c076..b7d4e06a55d4 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
@@ -193,10 +193,10 @@ static int hclge_get_ring_chain_from_mbx(
return -EINVAL;
for (i = 0; i < ring_num; i++) {
- if (req->msg.param[i].tqp_index >= vport->nic.kinfo.rss_size) {
+ if (req->msg.param[i].tqp_index >= vport->nic.kinfo.num_tqps) {
dev_err(&hdev->pdev->dev, "tqp index(%u) is out of range(0-%u)\n",
req->msg.param[i].tqp_index,
- vport->nic.kinfo.rss_size - 1U);
+ vport->nic.kinfo.num_tqps - 1U);
return -EINVAL;
}
}
--
2.33.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH net 2/3] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
2025-12-09 13:38 ` [PATCH net 2/3] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Jijie Shao
@ 2025-12-09 16:59 ` Simon Horman
0 siblings, 0 replies; 9+ messages in thread
From: Simon Horman @ 2025-12-09 16:59 UTC (permalink / raw)
To: Jijie Shao
Cc: davem, edumazet, kuba, pabeni, andrew+netdev, shenjian15,
liuyonglong, chenhao418, lantao5, huangdonghua3, yangshuaisong,
jonathan.cameron, salil.mehta, netdev, linux-kernel
On Tue, Dec 09, 2025 at 09:38:24PM +0800, Jijie Shao wrote:
> From: Jian Shen <shenjian15@huawei.com>
>
> Currently, rss_size = num_tqps / tc_num. If tc_num is 1, then num_tqps
> equals rss_size. However, if the tc_num is greater than 1, then rss_size
> will be less than num_tqps, causing the tqp_index check for subsequent TCs
> using rss_size to always fail.
>
> This patch uses the num_tqps to check whether tqp_index is out of range,
> instead of rss_size.
>
> Fixes: 326334aad024 ("net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx()")
> Signed-off-by: Jian Shen <shenjian15@huawei.com>
> Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH net 3/3] net: hns3: add VLAN id validation before using
2025-12-09 13:38 [PATCH net 0/3] There are some bugfix for the HNS3 ethernet driver Jijie Shao
2025-12-09 13:38 ` [PATCH net 1/3] net: hns3: using the num_tqps in the vf driver to apply for resources Jijie Shao
2025-12-09 13:38 ` [PATCH net 2/3] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Jijie Shao
@ 2025-12-09 13:38 ` Jijie Shao
2025-12-09 16:50 ` Simon Horman
2 siblings, 1 reply; 9+ messages in thread
From: Jijie Shao @ 2025-12-09 13:38 UTC (permalink / raw)
To: davem, edumazet, kuba, pabeni, andrew+netdev, horms
Cc: shenjian15, liuyonglong, chenhao418, lantao5, huangdonghua3,
yangshuaisong, jonathan.cameron, salil.mehta, netdev,
linux-kernel, shaojijie
From: Jian Shen <shenjian15@huawei.com>
Currently, the VLAN id may be used without validation when
receive a VLAN configuration mailbox from VF. It may cause
out-of-bounds memory access once the VLAN id is bigger than
4095.
Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index cf8abbe01840..c589baea7c77 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -10555,6 +10555,9 @@ int hclge_set_vlan_filter(struct hnae3_handle *handle, __be16 proto,
bool writen_to_tbl = false;
int ret = 0;
+ if (vlan_id >= VLAN_N_VID)
+ return -EINVAL;
+
/* When device is resetting or reset failed, firmware is unable to
* handle mailbox. Just record the vlan id, and remove it after
* reset finished.
--
2.33.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH net 3/3] net: hns3: add VLAN id validation before using
2025-12-09 13:38 ` [PATCH net 3/3] net: hns3: add VLAN id validation before using Jijie Shao
@ 2025-12-09 16:50 ` Simon Horman
2025-12-10 6:39 ` Jijie Shao
0 siblings, 1 reply; 9+ messages in thread
From: Simon Horman @ 2025-12-09 16:50 UTC (permalink / raw)
To: Jijie Shao
Cc: davem, edumazet, kuba, pabeni, andrew+netdev, shenjian15,
liuyonglong, chenhao418, lantao5, huangdonghua3, yangshuaisong,
jonathan.cameron, salil.mehta, netdev, linux-kernel
On Tue, Dec 09, 2025 at 09:38:25PM +0800, Jijie Shao wrote:
> From: Jian Shen <shenjian15@huawei.com>
>
> Currently, the VLAN id may be used without validation when
> receive a VLAN configuration mailbox from VF. It may cause
> out-of-bounds memory access once the VLAN id is bigger than
> 4095.
>
> Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
> Signed-off-by: Jian Shen <shenjian15@huawei.com>
> Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Hi Jijie,
Can you clarify that the (only) oob access is to vlan_del_fail_bmap?
If so, I agree with this change and that the problem was introduced in
the cited commit. But I think it would be worth mentioning vlan_del_fail_bmap
in the commit message.
...
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH net 3/3] net: hns3: add VLAN id validation before using
2025-12-09 16:50 ` Simon Horman
@ 2025-12-10 6:39 ` Jijie Shao
2025-12-10 12:55 ` Simon Horman
0 siblings, 1 reply; 9+ messages in thread
From: Jijie Shao @ 2025-12-10 6:39 UTC (permalink / raw)
To: Simon Horman
Cc: shaojijie, davem, edumazet, kuba, pabeni, andrew+netdev,
shenjian15, liuyonglong, chenhao418, lantao5, huangdonghua3,
yangshuaisong, jonathan.cameron, salil.mehta, netdev,
linux-kernel
on 2025/12/10 0:50, Simon Horman wrote:
> On Tue, Dec 09, 2025 at 09:38:25PM +0800, Jijie Shao wrote:
>> From: Jian Shen <shenjian15@huawei.com>
>>
>> Currently, the VLAN id may be used without validation when
>> receive a VLAN configuration mailbox from VF. It may cause
>> out-of-bounds memory access once the VLAN id is bigger than
>> 4095.
>>
>> Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
>> Signed-off-by: Jian Shen <shenjian15@huawei.com>
>> Signed-off-by: Jijie Shao <shaojijie@huawei.com>
> Hi Jijie,
>
> Can you clarify that the (only) oob access is to vlan_del_fail_bmap?
>
> If so, I agree with this change and that the problem was introduced in
> the cited commit. But I think it would be worth mentioning vlan_del_fail_bmap
> in the commit message.
>
Yes, the length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID).
Therefore, vlan_id needs to be checked to ensure it is within the range of VLAN_N_VID.
I will add this in V2
Thanks,
Jijie Shao
> ...
>
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH net 3/3] net: hns3: add VLAN id validation before using
2025-12-10 6:39 ` Jijie Shao
@ 2025-12-10 12:55 ` Simon Horman
0 siblings, 0 replies; 9+ messages in thread
From: Simon Horman @ 2025-12-10 12:55 UTC (permalink / raw)
To: Jijie Shao
Cc: davem, edumazet, kuba, pabeni, andrew+netdev, shenjian15,
liuyonglong, chenhao418, lantao5, huangdonghua3, yangshuaisong,
jonathan.cameron, salil.mehta, netdev, linux-kernel
On Wed, Dec 10, 2025 at 02:39:11PM +0800, Jijie Shao wrote:
>
> on 2025/12/10 0:50, Simon Horman wrote:
> > On Tue, Dec 09, 2025 at 09:38:25PM +0800, Jijie Shao wrote:
> > > From: Jian Shen <shenjian15@huawei.com>
> > >
> > > Currently, the VLAN id may be used without validation when
> > > receive a VLAN configuration mailbox from VF. It may cause
> > > out-of-bounds memory access once the VLAN id is bigger than
> > > 4095.
> > >
> > > Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
> > > Signed-off-by: Jian Shen <shenjian15@huawei.com>
> > > Signed-off-by: Jijie Shao <shaojijie@huawei.com>
> > Hi Jijie,
> >
> > Can you clarify that the (only) oob access is to vlan_del_fail_bmap?
> >
> > If so, I agree with this change and that the problem was introduced in
> > the cited commit. But I think it would be worth mentioning vlan_del_fail_bmap
> > in the commit message.
> >
> Yes, the length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID).
> Therefore, vlan_id needs to be checked to ensure it is within the range of VLAN_N_VID.
>
> I will add this in V2
Thanks.
Feel free to also add:
Reviewed-by: Simon Horman <horms@kernel.org>
^ permalink raw reply [flat|nested] 9+ messages in thread