Re: [PATCH net 3/4] net/mlx5e: Bounds-check stats_nch in mlx5e_get_queue_stats_rx()

Next message: Sami Tolvanen: "Re: [PATCH v3 2/2] rust: drm: gpuvm: require Send and Sync for GpuVm's shared data"
Previous message: Jinjie Ruan: "Re: [PATCH v2 2/5] lib/bitrev: Introduce GENERIC_BITREVERSE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Mon Jun 08 2026 - 21:54:28 EST

On Thu, 4 Jun 2026 16:50:40 +0300 Tariq Toukan wrote:
> mlx5e_get_queue_stats_rx() is invoked by the netdev stats core with
> an RX queue index 'i' from real_num_rx_queues. Today it only guards
> against priv->stats_nch == 0 and then dereferences
> priv->channel_stats[i] unconditionally.
>
> During interface bring-up channel_stats[] is populated incrementally
> by mlx5e_channel_stats_alloc(), so a concurrent QSTATS netlink dump
> can call into the helper with i >= stats_nch. The non-zero check
> passes, channel_stats[i] is NULL, and the dereference panics.
>
> Replace the non-zero check with an upper-bound check against
> stats_nch, which subsumes the zero check and prevents the
> out-of-bounds dereference.

I don't think there can be any race here?
The open/close and queue stats readers are under netdev->lock
Your description makes it sound as if we could access half-initialized
state?

Sure, the ndo path is tricky since it's lockless, but please don't
add unnecessary checks in the locked paths.
--
pw-bot: cr