Received: by 2002:a17:90a:9307:0:0:0:0 with SMTP id p7csp3948510pjo;
        Tue, 3 Mar 2020 09:56:47 -0800 (PST)
X-Google-Smtp-Source: ADFU+vu0nr5eoR3JF+vmEJKkhEpzq6kQvVBf+A1d9TPL25UDR99fKLG13s6ud1I9HBDJwYVjH11w
X-Received: by 2002:a05:6830:1645:: with SMTP id h5mr4459531otr.317.1583258207705;
        Tue, 03 Mar 2020 09:56:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1583258207; cv=none;
        d=google.com; s=arc-20160816;
        b=SbWLeyMk+hSTf/aDNKS07qtKLRvLvDWP1NpFObLUcEKl8Oq0RIgh4ewMsKbH13i/tj
         Wl7Msl+RNL3j7EKwN4CylyZN56ByrFZ/Ly3NKn53jAys290K8psaecY85TuBMI/mFR+/
         K77T/crTncXgIvczU446XAGEmV101jmh42tOC/H+0TX2o+CDxSQG9Uk971HmBY5d3Yvx
         3A8Lt7BDV+T6gxumd+gYrPQbXe6+ZGNc1KVueNakU7wFi4DoqjIy9nTpZ4Wvohuu7lWR
         NffhCP1oT0+rnUEGeRkQ/c8x3vGonYQ2FBZufgTsLGxDAZMEBKqRu3szP99EF2Lxq+Wx
         cz4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=dhVrWqhGtFd+WKSqcjGeSqBDhHWYgS8AbBbWqL9nZQs=;
        b=UcwVqCic3b0neFPEpzVrLYWNrMfK1al9AwTTp1ymHFUpn5Bsaw6ptsry5Ez7DL+TQe
         s+3rbwRMqRaJ2WJylmdrPkxQ0WLY/p9BEM4Jw7AjYxkPkM/YbxfigBts5KHDAkdLPsI2
         e83SsxWYYkbyl/u+jQ6oba16jkMHBOXqorsEgcLI2kBrFjhLPj8vADSEpETxe/VlCCAe
         NY0iyanLdkMEOxISmtsNI19naNdDwjASWllWr9S56DA/4QQO5JpyXv20I8bdkPqNN3fl
         Iq3t7Y9y2Dmfo1YcHqVSCorb8PErhr9Qcnb7Pw21uGqLXU5LCV8YA/MY+yHnztm01Vcy
         uEEQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=zaCXxsL7;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w31si46288otb.59.2020.03.03.09.56.35;
        Tue, 03 Mar 2020 09:56:47 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=zaCXxsL7;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732825AbgCCR4B (ORCPT <rfc822;ulfalizer@gmail.com> + 99 others);
        Tue, 3 Mar 2020 12:56:01 -0500
Received: from mail.kernel.org ([198.145.29.99]:37922 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1732807AbgCCRz6 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Mar 2020 12:55:58 -0500
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 9BC6120728;
        Tue,  3 Mar 2020 17:55:57 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1583258158;
        bh=/wvHWtSABa6XrGoPvgU/g74uNC1TiUDqH775k+bJX6s=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=zaCXxsL7stFUekPnvx49QlTSUeJM8dVMROcKW9cLiSGAtDVexzTmxzWYcVGacKJcp
         fmq1w8ibWu/INt+OjPYHoWP0lCZa5esIHOytWLCAq0VhWrcn1kvs+0z0tbUA6xSWjc
         alvE6sqaCm69T5Cq4arw67IqCachvdFEMGgO4x9o=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Sameeh Jubran <sameehj@amazon.com>,
        Arthur Kiyanovski <akiyano@amazon.com>,
        "David S. Miller" <davem@davemloft.net>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 057/152] net: ena: fix corruption of dev_idx_to_host_tbl
Date:   Tue,  3 Mar 2020 18:42:35 +0100
Message-Id: <20200303174308.924336440@linuxfoundation.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200303174302.523080016@linuxfoundation.org>
References: <20200303174302.523080016@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Arthur Kiyanovski <akiyano@amazon.com>

[ Upstream commit e3f89f91e98ce07dc0f121a3b70d21aca749ba39 ]

The function ena_com_ind_tbl_convert_from_device() has an overflow
bug as explained below. Either way, this function is not needed at
all since we don't retrieve the indirection table from the device
at any point which means that this conversion is not needed.

The bug:
The for loop iterates over all io_sq_queues, when passing the actual
number of used queues the io_sq_queues[i].idx equals 0 since they are
uninitialized which results in the following code to be executed till
the end of the loop:

dev_idx_to_host_tbl[0] = i;

This results dev_idx_to_host_tbl[0] in being equal to
ENA_TOTAL_NUM_QUEUES - 1.

Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
Signed-off-by: Sameeh Jubran <sameehj@amazon.com>
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amazon/ena/ena_com.c | 28 -----------------------
 1 file changed, 28 deletions(-)

diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
index 8ab192cb26b74..74743fd8a1e0a 100644
--- a/drivers/net/ethernet/amazon/ena/ena_com.c
+++ b/drivers/net/ethernet/amazon/ena/ena_com.c
@@ -1281,30 +1281,6 @@ static int ena_com_ind_tbl_convert_to_device(struct ena_com_dev *ena_dev)
 	return 0;
 }
 
-static int ena_com_ind_tbl_convert_from_device(struct ena_com_dev *ena_dev)
-{
-	u16 dev_idx_to_host_tbl[ENA_TOTAL_NUM_QUEUES] = { (u16)-1 };
-	struct ena_rss *rss = &ena_dev->rss;
-	u8 idx;
-	u16 i;
-
-	for (i = 0; i < ENA_TOTAL_NUM_QUEUES; i++)
-		dev_idx_to_host_tbl[ena_dev->io_sq_queues[i].idx] = i;
-
-	for (i = 0; i < 1 << rss->tbl_log_size; i++) {
-		if (rss->rss_ind_tbl[i].cq_idx > ENA_TOTAL_NUM_QUEUES)
-			return -EINVAL;
-		idx = (u8)rss->rss_ind_tbl[i].cq_idx;
-
-		if (dev_idx_to_host_tbl[idx] > ENA_TOTAL_NUM_QUEUES)
-			return -EINVAL;
-
-		rss->host_rss_ind_tbl[i] = dev_idx_to_host_tbl[idx];
-	}
-
-	return 0;
-}
-
 static void ena_com_update_intr_delay_resolution(struct ena_com_dev *ena_dev,
 						 u16 intr_delay_resolution)
 {
@@ -2638,10 +2614,6 @@ int ena_com_indirect_table_get(struct ena_com_dev *ena_dev, u32 *ind_tbl)
 	if (!ind_tbl)
 		return 0;
 
-	rc = ena_com_ind_tbl_convert_from_device(ena_dev);
-	if (unlikely(rc))
-		return rc;
-
 	for (i = 0; i < (1 << rss->tbl_log_size); i++)
 		ind_tbl[i] = rss->host_rss_ind_tbl[i];
 
-- 
2.20.1