Patch "net/mlx5e: Fix overrun reported by coverity" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    net/mlx5e: Fix overrun reported by coverity

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-mlx5e-fix-overrun-reported-by-coverity.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 92a982b437d410a3653e0077ae56aa366d6123fc
Author: Jianbo Liu <jianbol@xxxxxxxxxx>
Date:   Tue Nov 14 01:25:21 2023 +0000

    net/mlx5e: Fix overrun reported by coverity
    
    [ Upstream commit da75fa542873e5f7d7f615566c0b00042d8a0437 ]
    
    Coverity Scan reports the following issue. But it's impossible that
    mlx5_get_dev_index returns 7 for PF, even if the index is calculated
    from PCI FUNC ID. So add the checking to make coverity slience.
    
    CID 610894 (#2 of 2): Out-of-bounds write (OVERRUN)
    Overrunning array esw->fdb_table.offloads.peer_miss_rules of 4 8-byte
    elements at element index 7 (byte offset 63) using index
    mlx5_get_dev_index(peer_dev) (which evaluates to 7).
    
    Fixes: 9bee385a6e39 ("net/mlx5: E-switch, refactor FDB miss rule add/remove")
    Signed-off-by: Jianbo Liu <jianbol@xxxxxxxxxx>
    Reviewed-by: Roi Dayan <roid@xxxxxxxxxx>
    Signed-off-by: Saeed Mahameed <saeedm@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index bb8bcb448ae90..9bd5609cf6597 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -1177,9 +1177,9 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw,
 	struct mlx5_flow_handle *flow;
 	struct mlx5_flow_spec *spec;
 	struct mlx5_vport *vport;
+	int err, pfindex;
 	unsigned long i;
 	void *misc;
-	int err;
 
 	if (!MLX5_VPORT_MANAGER(esw->dev) && !mlx5_core_is_ecpf_esw_manager(esw->dev))
 		return 0;
@@ -1255,7 +1255,15 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw,
 			flows[vport->index] = flow;
 		}
 	}
-	esw->fdb_table.offloads.peer_miss_rules[mlx5_get_dev_index(peer_dev)] = flows;
+
+	pfindex = mlx5_get_dev_index(peer_dev);
+	if (pfindex >= MLX5_MAX_PORTS) {
+		esw_warn(esw->dev, "Peer dev index(%d) is over the max num defined(%d)\n",
+			 pfindex, MLX5_MAX_PORTS);
+		err = -EINVAL;
+		goto add_ec_vf_flow_err;
+	}
+	esw->fdb_table.offloads.peer_miss_rules[pfindex] = flows;
 
 	kvfree(spec);
 	return 0;
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux