Hi! > [ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ] > > Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed > beyond its size. It was fixed by using a local variable num_q_vectors > as a limit for loop index, and ensure that num_q_vectors is not bigger > than MAX_Q_VECTORS. Ok, so this is interesting design. > +++ b/drivers/net/ethernet/intel/igb/igb_main.c > @@ -945,6 +945,7 @@ static void igb_configure_msix(struct igb_adapter *adapter) > **/ > static int igb_request_msix(struct igb_adapter *adapter) > { > + unsigned int num_q_vectors = adapter->num_q_vectors; > struct net_device *netdev = adapter->netdev; > int i, err = 0, vector = 0, free_vector = 0; > > @@ -953,7 +954,13 @@ static int igb_request_msix(struct igb_adapter *adapter) > if (err) > goto err_out; > > - for (i = 0; i < adapter->num_q_vectors; i++) { > + if (num_q_vectors > MAX_Q_VECTORS) { > + num_q_vectors = MAX_Q_VECTORS; > + dev_warn(&adapter->pdev->dev, > + "The number of queue vectors (%d) is higher than max allowed (%d)\n", > + adapter->num_q_vectors, MAX_Q_VECTORS); > + } > + for (i = 0; i < num_q_vectors; i++) { > struct igb_q_vector *q_vector = adapter->q_vector[i]; > > vector++; We limit num_q_vectors here, but too big value remains in adapter->num_q_vectors. Loop in igb_request_msix is fixed, but there's similar loop in igb_configure_msix() and in igb_free_irq() and igp_up() and ... Either adapter->num_q_vectors should be limited, or all those places need fixing, no? Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Attachment:
signature.asc
Description: Digital signature