Date: Fri, 2 Jun 2023 14:26:39 +0200
From: Andrew Lunn
To: Ding Hui
Cc: Alexander H Duyck, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, pengdonglin@sangfor.com.cn, huangcun@sangfor.com.cn
Subject: Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user
Message-ID: <6110cf9f-c10e-4b9b-934d-8d202b7f5794@lunn.ch>
References: <20230601112839.13799-1-dinghui@sangfor.com.cn> <135a45b2c388fbaf9db4620cb01b95230709b9ac.camel@gmail.com>

> > Changing the copy size would not fix this. The problem is the driver
> > will be overwriting with the size that it thinks it should be using.
> > Reducing the value that is provided for the memory allocations will
> > cause the driver to corrupt memory.
> >
>
> I noticed that, in fact I did use the returned length to allocate
> kernel memory, and only use adjusted length to copy to user.

This is also something I checked when quickly looking at the patch. It
does look correct.

Also, RTNL should be held during the time both calls are made into the
driver. So nothing from userspace should be able to get in the middle
of these calls to change the number of queues.

    Andrew
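
The pattern discussed in this message, as an added userspace sketch that is not the patch under review and not kernel code: the buffer the driver writes into is sized by the length the driver returns, and only the adjusted (smaller) length is copied out. All names (`drv_get_count`, `drv_fill`, `copy_out`, `get_stats`) and values are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical driver state: number of stats it currently exposes. */
static unsigned int drv_n_stats = 8;            /* constructed value */

static unsigned int drv_get_count(void) { return drv_n_stats; }

/* The driver writes as many entries as IT believes exist. */
static void drv_fill(uint64_t *data)
{
    for (unsigned int i = 0; i < drv_n_stats; i++)
        data[i] = 100 + i;
}

/* Stand-in for copy_to_user() in this userspace sketch. */
static void copy_out(void *dst, const void *src, size_t len)
{
    memcpy(dst, src, len);
}

/*
 * user_n: entry count the caller sized its buffer for.
 * Returns the number of entries copied, or -1 on allocation failure.
 * In the kernel, RTNL is held across both driver calls (per the reply
 * above), so the count cannot change between them.
 */
static int get_stats(uint64_t *user_buf, unsigned int user_n)
{
    unsigned int n = drv_get_count();               /* returned length */
    unsigned int copy_n = user_n < n ? user_n : n;  /* adjusted length */
    uint64_t *kbuf = calloc(n ? n : 1, sizeof(*kbuf)); /* sized by n */

    if (!kbuf)
        return -1;
    drv_fill(kbuf);      /* cannot overrun: kbuf holds n entries */
    copy_out(user_buf, kbuf, copy_n * sizeof(*kbuf)); /* <= user_n */
    free(kbuf);
    return (int)copy_n;
}

/* Constructed scenario: caller's buffer holds 4 entries plus a canary. */
static int demo_canary_intact(void)
{
    uint64_t ubuf[5] = {0, 0, 0, 0, 0xDEADBEEFu};
    int copied = get_stats(ubuf, 4);
    return copied == 4 && ubuf[3] == 103 && ubuf[4] == 0xDEADBEEFu;
}

int main(void) { return demo_canary_intact() ? 0 : 1; }
```

Sizing `kbuf` by `copy_n` instead of `n` would reintroduce the memory corruption described in the quoted objection, because `drv_fill()` still writes `n` entries.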