Received: by 2002:a05:6a10:6d25:0:0:0:0 with SMTP id gq37csp1890192pxb; Mon, 13 Sep 2021 07:36:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwoI67mpIh7/DSOxWa/nvHxYOG38adNn6oOm/CYzkrk+/snEVN87qqMYDrqfBjdaAqGgf/X X-Received: by 2002:a17:906:fcad:: with SMTP id qw13mr12977259ejb.127.1631543785465; Mon, 13 Sep 2021 07:36:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631543785; cv=none; d=google.com; s=arc-20160816; b=RvnBnggjZbliH5aL6cFt26fkZLKQntAQOHMBU5WmTXQ/jj1XLyZNBuM/CHekIYXRd4 JN8HYd8+SmZX8szpS0xfyd3YNJBGwqHraUQupyC8d3izbK33gzLN8qfs0ymoU2MpPnlL ImseQGc6+zRF8jNsA8ZAOc6p3OjbuM65f1iN5ufpRvWUcspMFWNvQx+m4eBzwZ7Aa1OX 8ytv80CuBxzF7gO0dRF0NQIZ7IvTr0g1AT1WgQn715vVVLEi7NoN/WnCrwm9e1ukUx0i 3TzBGC+z9qxYhiaGUqO3DQcsZaqcyv3xjcSmkIYNY/1+E0MXbgci82z8feuQYk6zQKiS JWrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=c25LLhw/cTDfluVledjqWX3bLTHSRS7ee+M//le2dnA=; b=E4+fYEvtSLD9mNudQb2OXr5zAxXXKCj/6Cj1XmY/2gWXqxyQh2O5cPMIw+tX1dFGAg U8uF6/Xeyh0tp1YboUjwQySlf8Ud3aAkLZzaXkHIwXyVhvAFZH+458XrXCYrW74w95nZ WMh+xgKP8HcjivggV+gL6Qbqx05BEjpXoglrlDL1cPH7muCGBBj9epuzoSs+ur2JuopD 8HlPf7AcwAed1Jnx7NxumSq2ZXrOxMMJfckfrzcCoiDiKHbXx3SV/JQvbsZSeMIEG4Ug NQfzTI6MmGEZzx6HxMV6gnBFBiDGmz3Zjc13OIQYX9WtCJcsF/po2Pr7uE9h3SzViYIF tb9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=AesD8LO5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c102si7805739edf.195.2021.09.13.07.35.58; Mon, 13 Sep 2021 07:36:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=AesD8LO5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344218AbhIMOa7 (ORCPT + 99 others); Mon, 13 Sep 2021 10:30:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:45378 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345668AbhIMO0n (ORCPT ); Mon, 13 Sep 2021 10:26:43 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id A13B6615E0; Mon, 13 Sep 2021 13:49:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631540956; bh=RnTGpitOVSK49PGxxzBG9ysRsU0zQvCJoT8zuvJi518=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AesD8LO52uH1np/1l6deALA6zI8UjG4d2wMrcCL7amh1QYM/0SHHOtlaa6OnX/65p nyTBvmofVV7f6HOKIQHP4GoMDAgIhrNGkU4Vj2X1VZaj1H/FAJ1l+YzO1x2HagVEgD wzjFivlk7ccSK1bvH3/1qrLUhVBXh3F8mkLcWL0I= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Haiyue Wang , Catherine Sullivan , "David S. Miller" , Sasha Levin Subject: [PATCH 5.14 096/334] gve: fix the wrong AdminQ buffer overflow check Date: Mon, 13 Sep 2021 15:12:30 +0200 Message-Id: <20210913131116.622442421@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210913131113.390368911@linuxfoundation.org> References: <20210913131113.390368911@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Haiyue Wang [ Upstream commit 63a9192b8fa1ea55efeba1f18fad52bb24d9bf12 ] The 'tail' pointer is also free-running count, so it needs to be masked as 'adminq_prod_cnt' does, to become an index value of AdminQ buffer. Fixes: 5cdad90de62c ("gve: Batch AQ commands for creating and destroying queues.") Signed-off-by: Haiyue Wang Reviewed-by: Catherine Sullivan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/google/gve/gve_adminq.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c index 5bb56b454541..f089d33dd48e 100644 --- a/drivers/net/ethernet/google/gve/gve_adminq.c +++ b/drivers/net/ethernet/google/gve/gve_adminq.c @@ -322,7 +322,8 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv, tail = ioread32be(&priv->reg_bar0->adminq_event_counter); // Check if next command will overflow the buffer. - if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) == tail) { + if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) == + (tail & priv->adminq_mask)) { int err; // Flush existing commands to make room. @@ -332,7 +333,8 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv, // Retry. tail = ioread32be(&priv->reg_bar0->adminq_event_counter); - if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) == tail) { + if (((priv->adminq_prod_cnt + 1) & priv->adminq_mask) == + (tail & priv->adminq_mask)) { // This should never happen. We just flushed the // command queue so there should be enough space. return -ENOMEM; -- 2.30.2