On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> The pp->indir[0] value comes from the user. It is passed to:
>
> if (cpu_online(pp->rxq_def))
>
> inside the mvneta_percpu_elect() function. It needs bounds checkeding
> to ensure that it is not beyond the end of the cpu bitmap.
>
> Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
> ---
> drivers/net/ethernet/marvell/mvneta.c | 3 +++
> 1 file changed, 3 insertions(+)
I would expect that ethtool_copy_validate_indir() will prevent this.
Thanks
>
> diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
> index c2cb98d24f5c..5abc7c3e399e 100644
> --- a/drivers/net/ethernet/marvell/mvneta.c
> +++ b/drivers/net/ethernet/marvell/mvneta.c
> @@ -4927,6 +4927,9 @@ static int mvneta_config_rss(struct mvneta_port *pp)
> napi_disable(&pp->napi);
> }
>
> + if (pp->indir[0] >= nr_cpu_ids)
> + return -EINVAL;
> +
> pp->rxq_def = pp->indir[0];
>
> /* Update unicast mapping */
> --
> 2.35.1
>
