Patch "octeontx2-af: Fix possible buffer overflow" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 3 Dec 2023 15:12:23 -0500

This is a note to let you know that I've just added the patch titled

    octeontx2-af: Fix possible buffer overflow

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     octeontx2-af-fix-possible-buffer-overflow.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit bc372976c87c8d5b4ca00f0ab9257173c7344a6a
Author: Elena Salomatkina <elena.salomatkina.cmc@xxxxxxxxx>
Date:   Sat Nov 25 00:08:02 2023 +0300

    octeontx2-af: Fix possible buffer overflow
    
    [ Upstream commit ad31c629ca3c87f6d557488c1f9faaebfbcd203c ]
    
    A loop in rvu_mbox_handler_nix_bandprof_free() contains
    a break if (idx == MAX_BANDPROF_PER_PFFUNC),
    but if idx may reach MAX_BANDPROF_PER_PFFUNC
    buffer '(*req->prof_idx)[layer]' overflow happens before that check.
    
    The patch moves the break to the
    beginning of the loop.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: e8e095b3b370 ("octeontx2-af: cn10k: Bandwidth profiles config support").
    Signed-off-by: Elena Salomatkina <elena.salomatkina.cmc@xxxxxxxxx>
    Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
    Reviewed-by: Subbaraya Sundeep <sbhatta@xxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20231124210802.109763-1-elena.salomatkina.cmc@xxxxxxxxx
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
index 1f3a8cf42765e..7310047136986 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
@@ -5236,6 +5236,8 @@ int rvu_mbox_handler_nix_bandprof_free(struct rvu *rvu,
 
 		ipolicer = &nix_hw->ipolicer[layer];
 		for (idx = 0; idx < req->prof_count[layer]; idx++) {
+			if (idx == MAX_BANDPROF_PER_PFFUNC)
+				break;
 			prof_idx = req->prof_idx[layer][idx];
 			if (prof_idx >= ipolicer->band_prof.max ||
 			    ipolicer->pfvf_map[prof_idx] != pcifunc)
@@ -5249,8 +5251,6 @@ int rvu_mbox_handler_nix_bandprof_free(struct rvu *rvu,
 			ipolicer->pfvf_map[prof_idx] = 0x00;
 			ipolicer->match_id[prof_idx] = 0;
 			rvu_free_rsrc(&ipolicer->band_prof, prof_idx);
-			if (idx == MAX_BANDPROF_PER_PFFUNC)
-				break;
 		}
 	}
 	mutex_unlock(&rvu->rsrc_lock);






