| Message ID | Y1vvAJ6jOmKEUZue@kili (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net-next] ice: Fix off by one in ice_tc_forward_to_queue() | expand |
> -----Original Message----- > From: Dan Carpenter <dan.carpenter@oracle.com> > Sent: Friday, October 28, 2022 8:02 AM > To: Brandeburg, Jesse <jesse.brandeburg@intel.com>; Nambiar, Amritha > <amritha.nambiar@intel.com> > Cc: Nguyen, Anthony L <anthony.l.nguyen@intel.com>; David S. Miller > <davem@davemloft.net>; Eric Dumazet <edumazet@google.com>; Jakub > Kicinski <kuba@kernel.org>; Paolo Abeni <pabeni@redhat.com>; Samudrala, > Sridhar <sridhar.samudrala@intel.com>; Gomes, Vinicius > <vinicius.gomes@intel.com>; intel-wired-lan@lists.osuosl.org; > netdev@vger.kernel.org; kernel-janitors@vger.kernel.org > Subject: [PATCH net-next] ice: Fix off by one in ice_tc_forward_to_queue() > > The > comparison should be >= to prevent reading one element beyond > the end of the array. > > The "vsi->num_rxq" is not strictly speaking the number of elements in > the vsi->rxq_map[] array. The array has "vsi->alloc_rxq" elements and > "vsi->num_rxq" is less than or equal to the number of elements in the > array. The array is allocated in ice_vsi_alloc_arrays(). It's still > an off by one but it might not access outside the end of the array. > > Fixes: 143b86f346c7 ("ice: Enable RX queue selection using skbedit action") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Amritha Nambiar <amritha.nambiar@intel.com> > --- > Applies to net-next. > > drivers/net/ethernet/intel/ice/ice_tc_lib.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/intel/ice/ice_tc_lib.c > b/drivers/net/ethernet/intel/ice/ice_tc_lib.c > index faba0f857cd9..95f392ab9670 100644 > --- a/drivers/net/ethernet/intel/ice/ice_tc_lib.c > +++ b/drivers/net/ethernet/intel/ice/ice_tc_lib.c > @@ -1681,7 +1681,7 @@ ice_tc_forward_to_queue(struct ice_vsi *vsi, struct > ice_tc_flower_fltr *fltr, > struct ice_vsi *ch_vsi = NULL; > u16 queue = act->rx_queue; > > - if (queue > vsi->num_rxq) { > + if (queue >= vsi->num_rxq) { > NL_SET_ERR_MSG_MOD(fltr->extack, > "Unable to add filter because specified > queue is invalid"); > return -EINVAL; > -- > 2.35.1
diff --git a/drivers/net/ethernet/intel/ice/ice_tc_lib.c b/drivers/net/ethernet/intel/ice/ice_tc_lib.c index faba0f857cd9..95f392ab9670 100644 --- a/drivers/net/ethernet/intel/ice/ice_tc_lib.c +++ b/drivers/net/ethernet/intel/ice/ice_tc_lib.c @@ -1681,7 +1681,7 @@ ice_tc_forward_to_queue(struct ice_vsi *vsi, struct ice_tc_flower_fltr *fltr, struct ice_vsi *ch_vsi = NULL; u16 queue = act->rx_queue; - if (queue > vsi->num_rxq) { + if (queue >= vsi->num_rxq) { NL_SET_ERR_MSG_MOD(fltr->extack, "Unable to add filter because specified queue is invalid"); return -EINVAL;
The > comparison should be >= to prevent reading one element beyond the end of the array. The "vsi->num_rxq" is not strictly speaking the number of elements in the vsi->rxq_map[] array. The array has "vsi->alloc_rxq" elements and "vsi->num_rxq" is less than or equal to the number of elements in the array. The array is allocated in ice_vsi_alloc_arrays(). It's still an off by one but it might not access outside the end of the array. Fixes: 143b86f346c7 ("ice: Enable RX queue selection using skbedit action") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- Applies to net-next. drivers/net/ethernet/intel/ice/ice_tc_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)