Message ID | e7e4e5d5-931d-4506-9d75-b87783011379@gmail.com (mailing list archive) |
---|---|
State | Awaiting Upstream |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [iwl-next,v2] i40e: fix MMIO write access to an invalid page in i40e_clear_hw | expand |
On 3/11/25 06:16, Kyungwook Boo wrote: > When the device sends a specific input, an integer underflow can occur, leading > to MMIO write access to an invalid page. > > Prevent the integer underflow by changing the type of related variables. > > Signed-off-by: Kyungwook Boo <bookyungwook@gmail.com> > Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ > --- > Changes in v2: > - Formatting properly > - Fix variable shadowing > - Link to v1: https://lore.kernel.org/netdev/55acc5dc-8d5a-45bc-a59c-9304071e4579@gmail.com/ > --- > drivers/net/ethernet/intel/i40e/i40e_common.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c > index 370b4bddee44..b11c35e307ca 100644 > --- a/drivers/net/ethernet/intel/i40e/i40e_common.c > +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c > @@ -817,10 +817,11 @@ int i40e_pf_reset(struct i40e_hw *hw) > void i40e_clear_hw(struct i40e_hw *hw) > { > u32 num_queues, base_queue; > - u32 num_pf_int; > - u32 num_vf_int; > + s32 num_pf_int; > + s32 num_vf_int; > u32 num_vfs; > - u32 i, j; > + s32 i; > + u32 j; > u32 val; > u32 eol = 0x7ff; thank you for localizing the improvement, now the code is more robust, Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> > > --- > base-commit: 4d872d51bc9d7b899c1f61534e3dbde72613f627 > > Best regards, > Kyungwook Boo >
On Tue, Mar 11, 2025 at 02:16:02PM +0900, Kyungwook Boo wrote: > When the device sends a specific input, an integer underflow can occur, leading > to MMIO write access to an invalid page. > > Prevent the integer underflow by changing the type of related variables. > > Signed-off-by: Kyungwook Boo <bookyungwook@gmail.com> > Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ > --- > Changes in v2: > - Formatting properly > - Fix variable shadowing > - Link to v1: https://lore.kernel.org/netdev/55acc5dc-8d5a-45bc-a59c-9304071e4579@gmail.com/ > --- > drivers/net/ethernet/intel/i40e/i40e_common.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c > index 370b4bddee44..b11c35e307ca 100644 > --- a/drivers/net/ethernet/intel/i40e/i40e_common.c > +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c > @@ -817,10 +817,11 @@ int i40e_pf_reset(struct i40e_hw *hw) > void i40e_clear_hw(struct i40e_hw *hw) > { > u32 num_queues, base_queue; > - u32 num_pf_int; > - u32 num_vf_int; > + s32 num_pf_int; > + s32 num_vf_int; > u32 num_vfs; > - u32 i, j; > + s32 i; > + u32 j; > u32 val; > u32 eol = 0x7ff; > > --- > base-commit: 4d872d51bc9d7b899c1f61534e3dbde72613f627 I see that this addresses the problem at the first link above. And I'd happy to see it accepted as-is. Reviewed-by: Simon Horman <horms@kernel.org> But, as an aside, wouldn't it be more appropriate to use generic types like int and unsigned int for most of the above variables? Perhaps this could be addressed by a follow-up. Or perhaps that would just be churn, IDK.
> -----Original Message----- > From: Kitszel, Przemyslaw <przemyslaw.kitszel@intel.com> > Sent: Tuesday, March 11, 2025 10:15 AM > To: Kyungwook Boo <bookyungwook@gmail.com> > Cc: intel-wired-lan@lists.osuosl.org; netdev@vger.kernel.org; Loktionov, > Aleksandr <aleksandr.loktionov@intel.com>; Nguyen, Anthony L > <anthony.l.nguyen@intel.com> > Subject: Re: [PATCH iwl-next v2] i40e: fix MMIO write access to an invalid page > in i40e_clear_hw > > On 3/11/25 06:16, Kyungwook Boo wrote: > > When the device sends a specific input, an integer underflow can > > occur, leading to MMIO write access to an invalid page. > > > > Prevent the integer underflow by changing the type of related variables. > > > > Signed-off-by: Kyungwook Boo <bookyungwook@gmail.com> > > Link: > > https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6- > 8c773f6f7095@gmai > > l.com/T/ > > --- > > Changes in v2: > > - Formatting properly > > - Fix variable shadowing > > - Link to v1: > > https://lore.kernel.org/netdev/55acc5dc-8d5a-45bc-a59c- > 9304071e4579@gm > > ail.com/ > > --- > > drivers/net/ethernet/intel/i40e/i40e_common.c | 7 ++++--- > > 1 file changed, 4 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c > > b/drivers/net/ethernet/intel/i40e/i40e_common.c > > index 370b4bddee44..b11c35e307ca 100644 > > --- a/drivers/net/ethernet/intel/i40e/i40e_common.c > > +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c > > @@ -817,10 +817,11 @@ int i40e_pf_reset(struct i40e_hw *hw) > > void i40e_clear_hw(struct i40e_hw *hw) > > { > > u32 num_queues, base_queue; > > - u32 num_pf_int; > > - u32 num_vf_int; > > + s32 num_pf_int; > > + s32 num_vf_int; > > u32 num_vfs; > > - u32 i, j; > > + s32 i; > > + u32 j; > > u32 val; > > u32 eol = 0x7ff; > > thank you for localizing the improvement, now the code is more robust, > Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> > > > > --- > > base-commit: 4d872d51bc9d7b899c1f61534e3dbde72613f627 > > > > Best regards, > > Kyungwook Boo > >
diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c index 370b4bddee44..b11c35e307ca 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_common.c +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c @@ -817,10 +817,11 @@ int i40e_pf_reset(struct i40e_hw *hw) void i40e_clear_hw(struct i40e_hw *hw) { u32 num_queues, base_queue; - u32 num_pf_int; - u32 num_vf_int; + s32 num_pf_int; + s32 num_vf_int; u32 num_vfs; - u32 i, j; + s32 i; + u32 j; u32 val; u32 eol = 0x7ff;
When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables. Signed-off-by: Kyungwook Boo <bookyungwook@gmail.com> Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ --- Changes in v2: - Formatting properly - Fix variable shadowing - Link to v1: https://lore.kernel.org/netdev/55acc5dc-8d5a-45bc-a59c-9304071e4579@gmail.com/ --- drivers/net/ethernet/intel/i40e/i40e_common.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- base-commit: 4d872d51bc9d7b899c1f61534e3dbde72613f627 Best regards, Kyungwook Boo