On Thu, 21 Nov 2019 13:33:40 -0800, Haiyang Zhang wrote: > To reach the data region, the existing code adds offset in struct > nvsp_5_send_indirect_table on the beginning of this struct. But the > offset should be based on the beginning of its container, > struct nvsp_message. This bug causes the first table entry missing, > and adds an extra zero from the zero pad after the data region. > This can put extra burden on the channel 0. > > So, correct the offset usage. Also add a boundary check to ensure > not reading beyond data region. Please provide a change log at the end of the commit message when posting new version in the future. > Fixes: 5b54dac856cb ("hyperv: Add support for virtual Receive Side Scaling (vRSS)") > Signed-off-by: Haiyang Zhang <haiyangz@xxxxxxxxxxxxx> > > - tab = (u32 *)((unsigned long)&nvmsg->msg.v5_msg.send_table + > - nvmsg->msg.v5_msg.send_table.offset); > + if (offset > msglen - count * sizeof(u32)) { Can't this underflow now? What if msglen is small? > + netdev_err(ndev, "Received send-table offset too big:%u\n", > + offset); > + return; > + } > + > + tab = (void *)nvmsg + offset; > > for (i = 0; i < count; i++) > net_device_ctx->tx_table[i] = tab[i];