Patch "net: hns3: check queue id range before using" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 26 Sep 2021 19:05:06 -0400

This is a note to let you know that I've just added the patch titled

    net: hns3: check queue id range before using

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-hns3-check-queue-id-range-before-using.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d48657ed6ac9813b6299f5ecf1a7c6bec33422a4
Author: Yufeng Mo <moyufeng@xxxxxxxxxx>
Date:   Wed Sep 15 21:52:09 2021 +0800

    net: hns3: check queue id range before using
    
    [ Upstream commit 63b1279d9905100a14da9e043de7b28e99dba3f8 ]
    
    The input parameters may not be reliable. Before using the
    queue id, we should check this parameter. Otherwise, memory
    overwriting may occur.
    
    Fixes: d34100184685 ("net: hns3: refactor the mailbox message between PF and VF")
    Signed-off-by: Yufeng Mo <moyufeng@xxxxxxxxxx>
    Signed-off-by: Guangbin Huang <huangguangbin2@xxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
index 8c528ea33406..8932af32e89d 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
@@ -581,9 +581,17 @@ static void hclge_get_queue_id_in_pf(struct hclge_vport *vport,
 				     struct hclge_mbx_vf_to_pf_cmd *mbx_req,
 				     struct hclge_respond_to_vf_msg *resp_msg)
 {
+	struct hnae3_handle *handle = &vport->nic;
+	struct hclge_dev *hdev = vport->back;
 	u16 queue_id, qid_in_pf;
 
 	memcpy(&queue_id, mbx_req->msg.data, sizeof(queue_id));
+	if (queue_id >= handle->kinfo.num_tqps) {
+		dev_err(&hdev->pdev->dev, "Invalid queue id(%u) from VF %u\n",
+			queue_id, mbx_req->mbx_src_vfid);
+		return;
+	}
+
 	qid_in_pf = hclge_covert_handle_qid_global(&vport->nic, queue_id);
 	memcpy(resp_msg->data, &qid_in_pf, sizeof(qid_in_pf));
 	resp_msg->len = sizeof(qid_in_pf);






