Received: by 2002:a05:6a10:6d25:0:0:0:0 with SMTP id gq37csp1862349pxb; Mon, 13 Sep 2021 07:08:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy5YwK4GN+kpYga6qWSzbshir6dKRg0+EeL7xwlIgOqoeCQLHhAix3ziic0pQjvKmhIVfV8 X-Received: by 2002:a50:eac4:: with SMTP id u4mr3281215edp.259.1631542108924; Mon, 13 Sep 2021 07:08:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631542108; cv=none; d=google.com; s=arc-20160816; b=HJkZjWO3yEXXb6XJKh8NGivrfNLvzu4rqLznLXw5b65M5gZ/gxpsDhy5hmFIRTypp+ IwxFreAj2xZmgYtKTyfX0cyDZm488Eb479hBz5z7IbmIZ3F1iZzSgCIRwlIALc0Q2d0y b4g8XLjBN1T//7DGUSk1AQhX+hoTe3CiScWUi3/mxasnnKIzuPXs/pNkv5FM7z7HODXc 54T7ocFWgoyte/LPO7/kdMG8qJbFWzBBAWuh5xiAUiXa/7y5p8av6rKbXLsWyqdP3Oij wyCX2IRtpaYqcz+VUY9n80AX8JF8+V5e0Jx6czFMqPxPsnyiK6KkL29u9Pf8c1fLLXc7 CevA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=v3olKldJvLBr0DkevxJBnMGLlkWYoc4GvjN6sEUFOFU=; b=oQrt/LwIhf/mYwBBTl5abkHnMOjjEqkHxVBu8ccHhFCoYei26LldjEaKd0abYevwoy z+pxR0i9CGKg32MtQ9SrG3FscrfrcLzf+SIk7YgxbZ072EnLpGlOBsKl5NIecSfxMl/K xK3XUCWIAU3PIsR7fk8FxM1cpzxa/5vR5lacuVz5gu7bbBfsc39kxmb24ufAots7HGf8 n7cAxuMLGVCOzRi4bvnWm0dsa1ME16Vxg0PpQIVp+ag4nlNC9kbYOypQBiigRBMsMDmK UenCL0lBTPOiXwgfL2+i4oc9OyTuebVZIDQ4XZ6c0SjoRpSiJJ7dIydYOsrbHnVcqkjn mX6A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=A2C908+B; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j11si7807317edw.382.2021.09.13.07.08.04; Mon, 13 Sep 2021 07:08:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=A2C908+B; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245307AbhIMOEH (ORCPT + 99 others); Mon, 13 Sep 2021 10:04:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:50896 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343929AbhIMOB3 (ORCPT ); Mon, 13 Sep 2021 10:01:29 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3BAF661A60; Mon, 13 Sep 2021 13:37:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631540274; bh=GJNOncqH2W/ivQ9e4eSevRzDSsul7NmD2/lW4RAA1Mc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=A2C908+BmkW4TCBCZBgm8EQfpPkb/jdr1TUtcNEmAiXzoVvl+aU8Vf1oBsu1Xk0AS D81SUJHi07GC6ynJPrL/4mT084xFHA8onfTSKjYonwr50eB0DLnoptW4ZHJ6NqiGYG 2xhx9J0JQXn9LGuQrOEBx0bmfncgvhwszsXKxmEM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Haiyue Wang , Catherine Sullivan , "David S. Miller" , Sasha Levin Subject: [PATCH 5.13 093/300] gve: fix the wrong AdminQ buffer overflow check Date: Mon, 13 Sep 2021 15:12:34 +0200 Message-Id: <20210913131112.525394716@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210913131109.253835823@linuxfoundation.org> References: <20210913131109.253835823@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Haiyue Wang [ Upstream commit 63a9192b8fa1ea55efeba1f18fad52bb24d9bf12 ] The 'tail' pointer is also free-running count, so it needs to be masked as 'adminq_prod_cnt' does, to become an index value of AdminQ buffer. Fixes: 5cdad90de62c ("gve: Batch AQ commands for creating and destroying queues.") Signed-off-by: Haiyue Wang Reviewed-by: Catherine Sullivan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/google/gve/gve_adminq.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c index 53864f200599..b175f2b2f5bc 100644 --- a/drivers/net/ethernet/google/gve/gve_adminq.c +++ b/drivers/net/ethernet/google/gve/gve_adminq.c @@ -233,7 +233,8 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv, tail = ioread32be(&priv->reg_bar0->adminq_event_counter); // Check if next command will overflow the buffer. - if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) == tail) { + if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) == + (tail & priv->adminq_mask)) { int err; // Flush existing commands to make room. @@ -243,7 +244,8 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv, // Retry. tail = ioread32be(&priv->reg_bar0->adminq_event_counter); - if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) == tail) { + if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) == + (tail & priv->adminq_mask)) { // This should never happen. We just flushed the // command queue so there should be enough space. return -ENOMEM; -- 2.30.2