From: Paolo Abeni <pabeni@redhat.com>
To: Ratheesh Kannoth <rkannoth@marvell.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-rdma@vger.kernel.org
Cc: sgoutham@marvell.com, andrew+netdev@lunn.ch, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, donald.hunter@gmail.com,
horms@kernel.org, jiri@resnulli.us, chuck.lever@oracle.com,
matttbe@kernel.org, cjubran@nvidia.com, saeedm@nvidia.com,
leon@kernel.org, tariqt@nvidia.com, mbloch@nvidia.com,
dtatulea@nvidia.com
Subject: Re: [PATCH v9 net-next 6/6] octeontx2-af: npc: Support for custom KPU profile from filesystem
Date: Thu, 2 Apr 2026 10:54:42 +0200 [thread overview]
Message-ID: <ac20d8bc-4af5-4338-adc3-01e4aac4e70e@redhat.com> (raw)
In-Reply-To: <20260330053105.2722453-7-rkannoth@marvell.com>
On 3/30/26 7:31 AM, Ratheesh Kannoth wrote:
> @@ -1635,9 +1651,9 @@ int npc_cn20k_apply_custom_kpu(struct rvu *rvu,
> }
>
> /* Verify if profile fits the HW */
> - if (fw->kpus > profile->kpus) {
> - dev_warn(rvu->dev, "Not enough KPUs: %d > %ld\n", fw->kpus,
> - profile->kpus);
> + if (fw->kpus > rvu->hw->npc_kpus) {
> + dev_warn(rvu->dev, "Not enough KPUs: %d > %d\n", fw->kpus,
> + rvu->hw->npc_kpus);
> return -EINVAL;
> }
AI review says:
---
The bounds check was changed from profile->kpus (which equals
ARRAY_SIZE(npc_kpu_profiles) = 16) to rvu->hw->npc_kpus (a 5-bit
hardware field, max value 31). Can this cause an out-of-bounds write?
In the subsequent loop at lines 1658-1685 (visible earlier in the
function), the code writes to profile->kpu[kpu].cam[entry] and
profile->kpu[kpu].action[entry], where profile->kpu points to the static
global npc_kpu_profiles[] array that has exactly 16 elements.
If cn20k hardware reports npc_kpus > 16 and the firmware provides
fw->kpus > 16, the new check passes but the loop iterates beyond the
array bounds, corrupting adjacent memory.
---
Also there are several remarks for sashiko, some of them looks valid:
https://sashiko.dev/#/patchset/20260330053105.2722453-1-rkannoth%40marvell.com
please a look.
Thanks,
Paolo
next prev parent reply other threads:[~2026-04-02 8:54 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-30 5:30 [PATCH v9 net-next 0/6] octeontx2-af: npc: Enhancements Ratheesh Kannoth
2026-03-30 5:31 ` [PATCH v9 net-next 1/6] octeontx2-af: npc: cn20k: debugfs enhancements Ratheesh Kannoth
2026-03-30 5:31 ` [PATCH v9 net-next 2/6] net/mlx5e: heap-allocate devlink param values Ratheesh Kannoth
2026-03-30 5:31 ` [PATCH v9 net-next 3/6] devlink: Implement devlink param multi attribute nested data values Ratheesh Kannoth
2026-03-30 5:31 ` [PATCH v9 net-next 4/6] octeontx2-af: npc: cn20k: add subbank search order control Ratheesh Kannoth
2026-03-30 5:31 ` [PATCH v9 net-next 5/6] octeontx2-af: npc: cn20k: dynamically allocate and free default MCAM entries Ratheesh Kannoth
2026-04-02 8:48 ` [v9,net-next,5/6] " Paolo Abeni
2026-03-30 5:31 ` [PATCH v9 net-next 6/6] octeontx2-af: npc: Support for custom KPU profile from filesystem Ratheesh Kannoth
2026-04-02 8:54 ` Paolo Abeni [this message]
2026-04-03 2:05 ` Ratheesh Kannoth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ac20d8bc-4af5-4338-adc3-01e4aac4e70e@redhat.com \
--to=pabeni@redhat.com \
--cc=andrew+netdev@lunn.ch \
--cc=chuck.lever@oracle.com \
--cc=cjubran@nvidia.com \
--cc=davem@davemloft.net \
--cc=donald.hunter@gmail.com \
--cc=dtatulea@nvidia.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=matttbe@kernel.org \
--cc=mbloch@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=rkannoth@marvell.com \
--cc=saeedm@nvidia.com \
--cc=sgoutham@marvell.com \
--cc=tariqt@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox