Re: [PATCH net] qed: Don't write past the end of GRC debug buffer

From: Jakub Kicinski
Date: Tue Aug 19 2025 - 20:47:58 EST

Next message: Junjie Cao: "[PATCH v2] iio: core: switch info_mask fields to unsigned long to match find_bit helpers"
Previous message: Steven Rostedt: "Re: [PATCH -next 1/2] ftrace: Remove unnecessary free_ftrace_hash in ftrace_regex_open"
Next in thread: Jamie Bainbridge: "Re: [PATCH net] qed: Don't write past the end of GRC debug buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 15 Aug 2025 14:17:25 +1000 Jamie Bainbridge wrote:
> In the GRC dump path, "len" count of dword-sized registers are read into
> the previously-allocated GRC dump buffer.

How did you find the issue? Did you happen to have a stack trace?
It'd be great to know the call trace cause the code is hard to make
sense of.

> However, the amount of data written into the GRC dump buffer is never
> checked against the length of the dump buffer. This can result in
> writing past the end of the dump buffer's kmalloc and a kernel panic.

I could be misreading but it sounds to me like you're trying to protect
against overflow on dump_buf, while the code is protecting against going
over the "feature" buf_size.

> Resolve this by clamping the amount of data written to the length of the
> dump buffer, avoiding the out-of-bounds memory access and panic.
>
> Fixes: d52c89f120de8 ("qed*: Utilize FW 8.37.2.0")
> Signed-off-by: Jamie Bainbridge <jamie.bainbridge@xxxxxxxxx>
> ---
> drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c
> index 9c3d3dd2f84753100d3c639505677bd53e3ca543..2e88fd79a02e220fc05caa8c27bb7d41b4b37c0d 100644
> --- a/drivers/net/ethernet/qlogic/qed/qed_debug.c
> +++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c
> @@ -2085,6 +2085,13 @@ static u32 qed_grc_dump_addr_range(struct qed_hwfn *p_hwfn,
> dev_data->pretend.split_id = split_id;
> }
>
> + /* Ensure we don't write past the end of the GRC buffer */
> + u32 buf_size_bytes = p_hwfn->cdev->dbg_features[DBG_FEATURE_GRC].buf_size;
> + u32 len_bytes = len * sizeof(u32);

Please don't mix code with variable declarations.

> + if (len_bytes > buf_size_bytes)
> + len = buf_size_bytes / sizeof(u32);

The way it's written it seems to be protecting from buffer being too
big for the feature. In which case you must take addr into account
and make sure dump_buf was zeroed.
--
pw-bot: cr

Next message: Junjie Cao: "[PATCH v2] iio: core: switch info_mask fields to unsigned long to match find_bit helpers"
Previous message: Steven Rostedt: "Re: [PATCH -next 1/2] ftrace: Remove unnecessary free_ftrace_hash in ftrace_regex_open"
Next in thread: Jamie Bainbridge: "Re: [PATCH net] qed: Don't write past the end of GRC debug buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]