From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BA80625F7B9; Thu, 28 May 2026 20:31:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780000291; cv=none; b=QbpZ4y5iZkcLz5e5JE9ILyYR3jm7sWdLVQGcIqsGlDF0r9xLGA/5Ts/l/OARzoZQ6dLnnFThLj9cbVuLGkIEV6AukAxwSbYtPV0z5MxXJYOi04uxdkfcbEz2ejbTmxUw/jn61Pdf6fcCUgsQvanoqbIOBDKyxMmCUXFwrmGY3V0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780000291; c=relaxed/simple; bh=+QI1LcKRaiIr9Q+hhdS2t9Qpr+BqOm6d4dUksywbrg4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UEikkw0gou2O2mJDQ9M0V877mvpOsCy2SSH1JDeao3x9AD8HUVNRPkhwS1YGNjem2B8kFhbsIe9MluD/I+ryIQXrkDlbZQbRgzx99uDdIuH0sppkDpbE1V5ZhU1E+YxUIJWTw9nwQDxqzN32+3tcRHSsdB8v7OtPk/y5945olpE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=CWBQOCZi; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="CWBQOCZi" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 230401F000E9; Thu, 28 May 2026 20:31:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1780000290; bh=1qZeYeYvX5OuNoqB/zno8Tw8chGpCyfJ2ecGGOwdIjY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=CWBQOCZi5WkR9K+gJpJfaqAfx2UTpHUWeicV207RRpoXAd4plintaxGzVysjoVwNf tV72UblEvRFHsg4tbhuL0a9wrSNS3P0WybjYcduHtXHKF9fOfWFBh+EJwI4haThEXJ WsF2lN37QyVZLJewQhcpIAWHlShxUWH4wzLRy2K4= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Aditya Garg , Haiyang Zhang , Jakub Kicinski , Sasha Levin Subject: [PATCH 6.18 370/377] net: mana: validate rx_req_idx to prevent out-of-bounds array access Date: Thu, 28 May 2026 21:50:08 +0200 Message-ID: <20260528194649.140843659@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260528194638.371537336@linuxfoundation.org> References: <20260528194638.371537336@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Aditya Garg [ Upstream commit b809d0409991b75a6cff846a5ac27c3062953f84 ] In mana_hwc_rx_event_handler(), rx_req_idx is derived from sge->address in DMA-coherent memory. In Confidential VMs (SEV-SNP/TDX), this memory is shared unencrypted and HW can modify WQE contents at any time. No bounds check exists on rx_req_idx, which can lead to an out-of-bounds access into reqs[]. Add bounds check on rx_req_idx in mana_hwc_rx_event_handler() before using it to index the reqs[] array. Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Aditya Garg Reviewed-by: Haiyang Zhang Link: https://patch.msgid.link/20260520051553.857120-1-gargaditya@linux.microsoft.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c index 1986bf493399f..5faf4ca75b0f4 100644 --- a/drivers/net/ethernet/microsoft/mana/hw_channel.c +++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c @@ -265,6 +265,12 @@ static void mana_hwc_rx_event_handler(void *ctx, u32 gdma_rxq_id, rq_base_addr = hwc_rxq->msg_buf->mem_info.dma_handle; rx_req_idx = (sge->address - rq_base_addr) / hwc->max_req_msg_size; + if (rx_req_idx >= hwc_rxq->msg_buf->num_reqs) { + dev_err(hwc->dev, "HWC RX: wrong rx_req_idx=%llu, num_reqs=%u\n", + rx_req_idx, hwc_rxq->msg_buf->num_reqs); + return; + } + rx_req = &hwc_rxq->msg_buf->reqs[rx_req_idx]; resp = (struct gdma_resp_hdr *)rx_req->buf_va; -- 2.53.0