From: Jian Shen <[email protected]>
Add checking for vf id of mailbox, in order to avoid array
out-of-bounds risk.
Signed-off-by: Jian Shen <[email protected]>
Signed-off-by: Jijie Shao <[email protected]>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
index 4b0d07ca2505..d4a0e0be7a72 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
@@ -1123,10 +1123,11 @@ void hclge_mbx_handler(struct hclge_dev *hdev)
req = (struct hclge_mbx_vf_to_pf_cmd *)desc->data;
flag = le16_to_cpu(crq->desc[crq->next_to_use].flag);
- if (unlikely(!hnae3_get_bit(flag, HCLGE_CMDQ_RX_OUTVLD_B))) {
+ if (unlikely(!hnae3_get_bit(flag, HCLGE_CMDQ_RX_OUTVLD_B) ||
+ req->mbx_src_vfid > hdev->num_req_vfs)) {
dev_warn(&hdev->pdev->dev,
- "dropped invalid mailbox message, code = %u\n",
- req->msg.code);
+ "dropped invalid mailbox message, code = %u, vfid = %u\n",
+ req->msg.code, req->mbx_src_vfid);
/* dropping/not processing this invalid message */
crq->desc[crq->next_to_use].flag = 0;
--
2.30.0
> -----Original Message-----
> From: Jijie Shao <[email protected]>
> Sent: Thursday, March 7, 2024 6:31 AM
> To: [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]
> Cc: [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]
> Subject: [EXTERNAL] [PATCH net 8/8] net: hns3: add checking for vf id of
> mailbox
>
> From: Jian Shen <[email protected]>
>
> Add checking for vf id of mailbox, in order to avoid array out-of-bounds risk.
>
> Signed-off-by: Jian Shen <[email protected]>
> Signed-off-by: Jijie Shao <[email protected]>
> ---
> drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
> b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
> index 4b0d07ca2505..d4a0e0be7a72 100644
> --- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
> @@ -1123,10 +1123,11 @@ void hclge_mbx_handler(struct hclge_dev
> *hdev)
> req = (struct hclge_mbx_vf_to_pf_cmd *)desc->data;
>
> flag = le16_to_cpu(crq->desc[crq->next_to_use].flag);
> - if (unlikely(!hnae3_get_bit(flag,
> HCLGE_CMDQ_RX_OUTVLD_B))) {
> + if (unlikely(!hnae3_get_bit(flag,
> HCLGE_CMDQ_RX_OUTVLD_B) ||
> + req->mbx_src_vfid > hdev->num_req_vfs)) {
> dev_warn(&hdev->pdev->dev,
> - "dropped invalid mailbox message, code =
> %u\n",
> - req->msg.code);
> + "dropped invalid mailbox message, code =
> %u, vfid = %u\n",
> + req->msg.code, req->mbx_src_vfid);
>
> /* dropping/not processing this invalid message */
> crq->desc[crq->next_to_use].flag = 0;
> --
> 2.30.0
>
Reviewed-by: Sunil Goutham <[email protected]>