From patchwork Fri Mar 17 18:19:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nick Child X-Patchwork-Id: 13179359 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 78826C74A5B for ; Fri, 17 Mar 2023 18:20:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230039AbjCQSUi (ORCPT ); Fri, 17 Mar 2023 14:20:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53276 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229799AbjCQSUh (ORCPT ); Fri, 17 Mar 2023 14:20:37 -0400 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 69B201BAFC for ; Fri, 17 Mar 2023 11:20:33 -0700 (PDT) Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 32HHf8U5019637 for ; Fri, 17 Mar 2023 18:20:33 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : content-transfer-encoding : mime-version; s=pp1; bh=veOpOzwVOSKbRDZpIVWnbUrPbiZWlBQTMfo1QXhNoI4=; b=PtZDe8QN2NnWEeTUHw44fCAxXPlfSDA+v8p69OwuKk5g5cnXz6PA1HXh4+cd1rQ5TTvh DSnR1M1HqBPG4F6Q7Ish4wNa4gywOgHRZ/XqSuCOPxxdRfvevjxlWPoY7P08PniVxMjp hZIO+iYbV1HHr7TIPfyX140I/42yoO2bDxPWTvpb+u6yCAqa6Yuuqby3lTPSbNm+53Se 8gg81pnzq1AGgBklFq8Lg5o6eCJeef6gA8BVNg2DLnRdYfR3gQi1xmZvDsDrlzPkCF47 mg9JMO3IWKP6Btgv6yRLmuYuI03AKAMan9gjy9shT2nEFhXF3a130tay4EU2f/beuNqY tQ== Received: from ppma03dal.us.ibm.com (b.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.11]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3pcvhjh354-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 17 Mar 2023 18:20:33 +0000 Received: from pps.filterd (ppma03dal.us.ibm.com [127.0.0.1]) by ppma03dal.us.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 32HHwQIQ026747 for ; Fri, 17 Mar 2023 18:19:46 GMT Received: from smtprelay07.dal12v.mail.ibm.com ([9.208.130.99]) by ppma03dal.us.ibm.com (PPS) with ESMTPS id 3pbsa04csy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 17 Mar 2023 18:19:45 +0000 Received: from smtpav01.dal12v.mail.ibm.com (smtpav01.dal12v.mail.ibm.com [10.241.53.100]) by smtprelay07.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 32HIJi0230474988 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 17 Mar 2023 18:19:44 GMT Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7646B58061; Fri, 17 Mar 2023 18:19:44 +0000 (GMT) Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1A66F58058; Fri, 17 Mar 2023 18:19:44 +0000 (GMT) Received: from li-8d37cfcc-31b9-11b2-a85c-83226d7135c9.ibm.com.com (unknown [9.65.227.169]) by smtpav01.dal12v.mail.ibm.com (Postfix) with ESMTP; Fri, 17 Mar 2023 18:19:43 +0000 (GMT) From: Nick Child To: netdev@vger.kernel.org Cc: Nick Child Subject: [PATCH net 1/2] net: Catch invalid index in XPS mapping Date: Fri, 17 Mar 2023 13:19:40 -0500 Message-Id: <20230317181941.86151-1-nnac123@linux.ibm.com> X-Mailer: git-send-email 2.31.1 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: G70ZMymDmvSwzpBPE14XJSQZhWfF2Dg8 X-Proofpoint-ORIG-GUID: G70ZMymDmvSwzpBPE14XJSQZhWfF2Dg8 X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-17_14,2023-03-16_02,2023-02-09_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 spamscore=0 mlxlogscore=997 adultscore=0 mlxscore=0 impostorscore=0 lowpriorityscore=0 clxscore=1015 malwarescore=0 priorityscore=1501 phishscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303150002 definitions=main-2303170122 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org When setting the XPS value of a TX queue, add a conditional to ensure that the index of the queue is less than the number of allocated TX queues. Previously, this scenario went uncaught. In the best case, it resulted in unnecessary allocations. In the worst case, it resulted in out-of-bounds memory references through calls to `netdev_get_tx_queue( dev, index)`. Fixes: 537c00de1c9b ("net: Add functions netif_reset_xps_queue and netif_set_xps_queue") Signed-off-by: Nick Child Reviewed-by: Piotr Raczynski --- This is a result of my own foolish mistake of giving an invalid index to __netif_set_xps_queue [1]. While the function adds the queue to the cpu's XPS queue map, the queue is never used due to a conditional in __get_xps_queue_idx. But there is a risk of random memory reading and writing that should be prevented. 1. https://lore.kernel.org/netdev/20230224183659.2a7bfeea@kernel.org/ net/core/dev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/dev.c b/net/core/dev.c index c7853192563d..cd3878043846 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2535,6 +2535,9 @@ int __netif_set_xps_queue(struct net_device *dev, const unsigned long *mask, struct xps_map *map, *new_map; unsigned int nr_ids; + if (index >= dev->num_tx_queues) + return -EINVAL; + if (dev->num_tc) { /* Do not allow XPS on subordinate device directly */ num_tc = dev->num_tc; From patchwork Fri Mar 17 18:19:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nick Child X-Patchwork-Id: 13179358 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90FDBC74A5B for ; Fri, 17 Mar 2023 18:19:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229902AbjCQSTw (ORCPT ); Fri, 17 Mar 2023 14:19:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51246 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229799AbjCQSTv (ORCPT ); Fri, 17 Mar 2023 14:19:51 -0400 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C6E2A149BB for ; Fri, 17 Mar 2023 11:19:48 -0700 (PDT) Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 32HHglek025514 for ; Fri, 17 Mar 2023 18:19:48 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=MlrMBQb6ukN17nr3p+qt3m6kxT5ob1CF8Z7V5yhyXr4=; b=Zg3eGCKLCgy1vyCy/yFvtaNl0gaxT2VARmLB46QDWdPU0fHAJRUy6bC3EJ5dGtE7tMY3 MUdt35Dgyhx28Sf/MUzpO4Q3yThfGu5zRJTGrtHNtNvIbXrYA8DLtXHiLFcQktHqlr8A pH3QAQiN9hc6/aDaeVvwwv+Uu6phLZt5wbRzayqt8TaMr078OclLwnRSBYEHNpptI/vd EmGkWTi1W+W8if8W2290eM7fIpra8qeMjpOEdhqkl7j+dCCKyqag1I9oa9FOtL3tNjDx TZE5mn/9Wg66PJ6cIMYIKFK97vBWbrG4yT+Z4PotAk3EkWm6fUQRl3n9Q8x4qTzAmt3U UQ== Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com [169.63.121.186]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3pcvukrtg7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 17 Mar 2023 18:19:48 +0000 Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1]) by ppma03wdc.us.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 32HH9REb031014 for ; Fri, 17 Mar 2023 18:19:47 GMT Received: from smtprelay01.wdc07v.mail.ibm.com ([9.208.129.119]) by ppma03wdc.us.ibm.com (PPS) with ESMTPS id 3pbs919wch-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 17 Mar 2023 18:19:47 +0000 Received: from smtpav01.dal12v.mail.ibm.com (smtpav01.dal12v.mail.ibm.com [10.241.53.100]) by smtprelay01.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 32HIJj9O30474880 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 17 Mar 2023 18:19:45 GMT Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 10C4858057; Fri, 17 Mar 2023 18:19:45 +0000 (GMT) Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9FDFA58059; Fri, 17 Mar 2023 18:19:44 +0000 (GMT) Received: from li-8d37cfcc-31b9-11b2-a85c-83226d7135c9.ibm.com.com (unknown [9.65.227.169]) by smtpav01.dal12v.mail.ibm.com (Postfix) with ESMTP; Fri, 17 Mar 2023 18:19:44 +0000 (GMT) From: Nick Child To: netdev@vger.kernel.org Cc: Nick Child Subject: [PATCH net 2/2] netdev: Enforce index cap in netdev_get_tx_queue Date: Fri, 17 Mar 2023 13:19:41 -0500 Message-Id: <20230317181941.86151-2-nnac123@linux.ibm.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20230317181941.86151-1-nnac123@linux.ibm.com> References: <20230317181941.86151-1-nnac123@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: EnqfYJILqcwZVLFNtWSf3WSnKMWsfGXR X-Proofpoint-ORIG-GUID: EnqfYJILqcwZVLFNtWSf3WSnKMWsfGXR X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-17_14,2023-03-16_02,2023-02-09_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 impostorscore=0 spamscore=0 suspectscore=0 phishscore=0 mlxlogscore=999 lowpriorityscore=0 priorityscore=1501 mlxscore=0 clxscore=1011 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303150002 definitions=main-2303170122 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org When requesting a TX queue at a given index, prevent out-of-bounds referencing by ensuring that the index is within the allocated number of queues. If there is an out-of-bounds reference then inform the user and return a reference to the first tx queue instead. Fixes: e8a0464cc950 ("netdev: Allocate multiple queues for TX.") Signed-off-by: Nick Child --- include/linux/netdevice.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 23b0d7eaaadd..fe88b1a7393d 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -2482,6 +2482,13 @@ static inline struct netdev_queue *netdev_get_tx_queue(const struct net_device *dev, unsigned int index) { + if (unlikely(index >= dev->num_tx_queues)) { + net_warn_ratelimited("%s selects TX queue %d, but number of TX queues is %d\n", + dev->name, index, + dev->num_tx_queues); + return &dev->_tx[0]; + } + return &dev->_tx[index]; }