Message ID | 20240307080452.13278-1-amishin@t-argos.ru (mailing list archive) |
---|---|
State | Rejected |
Delegated to: | Netdev Maintainers |
Series | fsl/fman: Add array size check |
On 3/7/24 03:04, Aleksandr Mishin wrote: > In fman_register_intr() and fman_unregister_intr() > get_module_event() is assigned to event which is then used > as array index without size check. > Fix this bug by adding a check of event. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 414fd46e7762 (fsl/fman: Add FMan support) > Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> > --- > drivers/net/ethernet/freescale/fman/fman.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c > index d96028f01770..902d05ffff1b 100644 > --- a/drivers/net/ethernet/freescale/fman/fman.c > +++ b/drivers/net/ethernet/freescale/fman/fman.c > @@ -2054,7 +2054,10 @@ void fman_register_intr(struct fman *fman, enum fman_event_modules module, > int event = 0; > > event = get_module_event(module, mod_id, intr_type); > - WARN_ON(event >= FMAN_EV_CNT); > + if (event >= FMAN_EV_CNT) { > + WARN_ON(event >= FMAN_EV_CNT); > + return; > + } > > /* register in local FM structure */ > fman->intr_mng[event].isr_cb = isr_cb; 
> @@ -2079,7 +2082,10 @@ void fman_unregister_intr(struct fman *fman, enum fman_event_modules module, > int event = 0; > > event = get_module_event(module, mod_id, intr_type); > - WARN_ON(event >= FMAN_EV_CNT); > + if (event >= FMAN_EV_CNT) { > + WARN_ON(event >= FMAN_EV_CNT); > + return; > + } > > fman->intr_mng[event].isr_cb = NULL; > fman->intr_mng[event].src_handle = NULL; > -- > 2.30.2 > Nack. This condition should never occur, that's why we have the WARN_ON. --Sean
diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c index d96028f01770..902d05ffff1b 100644 --- a/drivers/net/ethernet/freescale/fman/fman.c +++ b/drivers/net/ethernet/freescale/fman/fman.c @@ -2054,7 +2054,10 @@ void fman_register_intr(struct fman *fman, enum fman_event_modules module, int event = 0; event = get_module_event(module, mod_id, intr_type); - WARN_ON(event >= FMAN_EV_CNT); + if (event >= FMAN_EV_CNT) { + WARN_ON(event >= FMAN_EV_CNT); + return; + } /* register in local FM structure */ fman->intr_mng[event].isr_cb = isr_cb; @@ -2079,7 +2082,10 @@ void fman_unregister_intr(struct fman *fman, enum fman_event_modules module, int event = 0; event = get_module_event(module, mod_id, intr_type); - WARN_ON(event >= FMAN_EV_CNT); + if (event >= FMAN_EV_CNT) { + WARN_ON(event >= FMAN_EV_CNT); + return; + } fman->intr_mng[event].isr_cb = NULL; fman->intr_mng[event].src_handle = NULL;
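Review bot: In the fman_register_intr() hunk the new guard tests event >= FMAN_EV_CNT twice, once in the if and again inside WARN_ON(). WARN_ON() evaluates to its condition, so a single "if (WARN_ON(event >= FMAN_EV_CNT)) return;" says the same thing without the duplicated test. The function returns void, so with this early return a caller whose isr_cb was never stored in fman->intr_mng[event] gets no indication beyond the warning; the commit message should say whether that silent drop is acceptable.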
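Review bot: In the fman_unregister_intr() hunk event is declared as int and only the upper bound is checked before fman->intr_mng[event].isr_cb and fman->intr_mng[event].src_handle are cleared. If the aim is an index that is provably in range, the check should also cover event < 0, or event should be an unsigned type; the same applies to the matching check in fman_register_intr(). The commit message also does not say which module, mod_id and intr_type arguments make get_module_event() return a value >= FMAN_EV_CNT, which is what a reader needs in order to judge whether the out-of-range index is reachable.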
In fman_register_intr() and fman_unregister_intr()
get_module_event() is assigned to event which is then used
as array index without size check.
Fix this bug by adding a check of event.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 414fd46e7762 (fsl/fman: Add FMan support)
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
 drivers/net/ethernet/freescale/fman/fman.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)