Re: [PATCH 4.4 19/47] igb: Check if num of q_vectors is smaller than max before array access

From: Pavel Machek
Date: Mon Jul 26 2021 - 17:57:48 EST


Hi!

> [ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ]
>
> Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed
> beyond its size. It was fixed by using a local variable num_q_vectors
> as a limit for loop index, and ensure that num_q_vectors is not bigger
> than MAX_Q_VECTORS.

Ok, so this is an interesting design.

> +++ b/drivers/net/ethernet/intel/igb/igb_main.c
> @@ -945,6 +945,7 @@ static void igb_configure_msix(struct igb_adapter *adapter)
> **/
> static int igb_request_msix(struct igb_adapter *adapter)
> {
> + unsigned int num_q_vectors = adapter->num_q_vectors;
> struct net_device *netdev = adapter->netdev;
> int i, err = 0, vector = 0, free_vector = 0;
>
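
Review bot: The new local in igb_request_msix() is declared `unsigned int num_q_vectors`, while the loop index two lines below it stays `int i`, so the rewritten loop condition `i < num_q_vectors` compares a signed value with an unsigned one. Making the two types agree avoids the implicit conversion. The local also carries the same name as the adapter field it copies, which makes it easy to read the clamped and unclamped values as one; a distinct name (for example `nr_vectors`) would show which value each later line uses.
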
> @@ -953,7 +954,13 @@ static int igb_request_msix(struct igb_adapter *adapter)
> if (err)
> goto err_out;
>
> - for (i = 0; i < adapter->num_q_vectors; i++) {
> + if (num_q_vectors > MAX_Q_VECTORS) {
> + num_q_vectors = MAX_Q_VECTORS;
> + dev_warn(&adapter->pdev->dev,
> + "The number of queue vectors (%d) is higher than max allowed (%d)\n",
> + adapter->num_q_vectors, MAX_Q_VECTORS);
> + }
> + for (i = 0; i < num_q_vectors; i++) {
> struct igb_q_vector *q_vector = adapter->q_vector[i];
>
> vector++;
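
Review bot: The clamp inside `if (num_q_vectors > MAX_Q_VECTORS)` is applied only to the local copy; `adapter->num_q_vectors` is left holding the oversized value, which is why the dev_warn() can still print it. Any other code that walks adapter->q_vector[] using the field as its limit gets no protection from this check. Suggest bounding the field itself rather than one reader of it, or returning an error here instead of warning and continuing with a truncated count, so that an out-of-range value cannot stay in the adapter state.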

We limit num_q_vectors here, but the too-big value remains in
adapter->num_q_vectors. The loop in igb_request_msix() is fixed, but
there's a similar loop in igb_configure_msix() and in igb_free_irq() and
igb_up() and ...

Either adapter->num_q_vectors should be limited, or all those places
need fixing, no?

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
