Message ID | 34603f41-1d51-48df-9bca-a28fd5b27a53@moroto.mountain (mailing list archive) |
---|---|
State | Awaiting Upstream |
Delegated to: | Netdev Maintainers |
Series | [net-next,1/2] igb: Fix an end of loop test |
On Thu, Oct 05, 2023 at 04:58:01PM +0300, Dan Carpenter wrote:
> The list iterator in a list_for_each_entry() loop can never be NULL.
> If the loop exits without hitting a break then the iterator points
> to an offset off the list head and dereferencing it is an out of
> bounds access.
>
> Before we transitioned to using list_for_each_entry() loops, then
> it was possible for "entry" to be NULL and the comments mention
> this. I have updated the comments to match the new code.
>
> Fixes: c1fec890458a ("ethernet/intel: Use list_for_each_entry() helper")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Reviewed-by: Simon Horman <horms@kernel.org>
On 10/5/2023 6:58 AM, Dan Carpenter wrote:
> The list iterator in a list_for_each_entry() loop can never be NULL.
> If the loop exits without hitting a break then the iterator points
> to an offset off the list head and dereferencing it is an out of
> bounds access.
>
> Before we transitioned to using list_for_each_entry() loops, then
> it was possible for "entry" to be NULL and the comments mention
> this. I have updated the comments to match the new code.
>
> Fixes: c1fec890458a ("ethernet/intel: Use list_for_each_entry() helper")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@osuosl.org> On Behalf Of
> Jesse Brandeburg
> Sent: Monday, October 9, 2023 5:18 PM
> To: Dan Carpenter <dan.carpenter@linaro.org>; Jinjie Ruan
> <ruanjinjie@huawei.com>
> Cc: netdev@vger.kernel.org; kernel-janitors@vger.kernel.org; Eric Dumazet
> <edumazet@google.com>; Nguyen, Anthony L
> <anthony.l.nguyen@intel.com>; Simon Horman <horms@kernel.org>; Jakub
> Kicinski <kuba@kernel.org>; Keller, Jacob E <jacob.e.keller@intel.com>;
> intel-wired-lan@lists.osuosl.org; Paolo Abeni <pabeni@redhat.com>; David S.
> Miller <davem@davemloft.net>
> Subject: Re: [Intel-wired-lan] [PATCH net-next 2/2] ixgbe: fix end of loop test
> in ixgbe_set_vf_macvlan()
>
> On 10/5/2023 6:58 AM, Dan Carpenter wrote:
> > The list iterator in a list_for_each_entry() loop can never be NULL.
> > If the loop exits without hitting a break then the iterator points to
> > an offset off the list head and dereferencing it is an out of bounds
> > access.
> >
> > Before we transitioned to using list_for_each_entry() loops, then it
> > was possible for "entry" to be NULL and the comments mention this. I
> > have updated the comments to match the new code.
> >
> > Fixes: c1fec890458a ("ethernet/intel: Use list_for_each_entry()
> > helper")
> > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
>
> Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
>
>
> _______________________________________________
> Intel-wired-lan mailing list
> Intel-wired-lan@osuosl.org
> https://lists.osuosl.org/mailman/listinfo/intel-wired-lan

Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c index 4c6e2a485d8e..a703ba975205 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c @@ -639,6 +639,7 @@ static int ixgbe_set_vf_macvlan(struct ixgbe_adapter *adapter, int vf, int index, unsigned char *mac_addr) { struct vf_macvlans *entry; + bool found = false; int retval = 0; if (index <= 1) { @@ -660,22 +661,22 @@ static int ixgbe_set_vf_macvlan(struct ixgbe_adapter *adapter, if (!index) return 0; - entry = NULL; - list_for_each_entry(entry, &adapter->vf_mvs.l, l) { - if (entry->free) + if (entry->free) { + found = true; break; + } } /* * If we traversed the entire list and didn't find a free entry - * then we're out of space on the RAR table. Also entry may - * be NULL because the original memory allocation for the list - * failed, which is not fatal but does mean we can't support - * VF requests for MACVLAN because we couldn't allocate - * memory for the list management required. + * then we're out of space on the RAR table. It's also possible + * for the &adapter->vf_mvs.l list to be empty because the original + * memory allocation for the list failed, which is not fatal but does + * mean we can't support VF requests for MACVLAN because we couldn't + * allocate memory for the list management required. */ - if (!entry || !entry->free) + if (!found) return -ENOSPC; retval = ixgbe_add_mac_filter(adapter, mac_addr, vf);
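Review bot: In the second hunk, `if (!found) return -ENOSPC;` becomes the only thing that keeps later code from using `entry` after a full traversal, when it is the address computed from `&adapter->vf_mvs.l` rather than a real `struct vf_macvlans`. A dedicated result pointer would be harder to misuse than a flag: for example a second `struct vf_macvlans *` initialised to NULL (name it as you like), assigned inside the `if (entry->free)` branch and tested in place of `found`, so that code after the loop never touches the iterator and a future mistake shows up as a NULL dereference instead of an out-of-bounds access. The rewritten comment could also state outright that an empty `&adapter->vf_mvs.l` list takes the same `-ENOSPC` return, since that is what `found` staying false means.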
The list iterator in a list_for_each_entry() loop can never be NULL.
If the loop exits without hitting a break then the iterator points
to an offset off the list head and dereferencing it is an out of
bounds access.

Before we transitioned to using list_for_each_entry() loops, then
it was possible for "entry" to be NULL and the comments mention
this. I have updated the comments to match the new code.

Fixes: c1fec890458a ("ethernet/intel: Use list_for_each_entry() helper")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

---
 .../net/ethernet/intel/ixgbe/ixgbe_sriov.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
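The behaviour the commit message describes, as an added userspace example that is not code from the patch or from the ixgbe driver: after a full traversal the iterator is non-NULL and sits on the list head, so only a separate flag can report "nothing found". The list macros are simplified copies of the kernel's (GCC or Clang assumed for `__typeof__`), and `demo_macvlan`, `demo_add_tail`, `find_free_id` and `demo_run` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified userspace list helpers plus a constructed stand-in entry type. */
struct list_head { struct list_head *next, *prev; };
struct demo_macvlan { int id; bool free; struct list_head l; };
#define container_of(p, type, m) ((type *)((char *)(p) - offsetof(type, m)))
#define list_for_each_entry(pos, head, member) \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

static void demo_add_tail(struct list_head *node, struct list_head *head)
{
	node->prev = head->prev; node->next = head;
	head->prev->next = node; head->prev = node;
}

/* Patched pattern: returns the free entry's id, or -1 in place of -ENOSPC.
 * *at_head reports what the old "!entry" test missed: after a full
 * traversal the iterator is non-NULL and aliases the list head. */
static int find_free_id(struct list_head *head, bool *at_head)
{
	struct demo_macvlan *entry = NULL;
	bool found = false;
	list_for_each_entry(entry, head, l) {
		if (entry->free) {
			found = true;
			break;
		}
	}
	*at_head = entry && &entry->l == head;
	return found ? entry->id : -1;
}

/* Constructed two-entry list; the second entry is free iff any_free. */
static int demo_run(bool any_free, bool *at_head)
{
	struct list_head head = { &head, &head };
	struct demo_macvlan a = { .id = 1 }, b = { .id = 2, .free = any_free };
	demo_add_tail(&a.l, &head);
	demo_add_tail(&b.l, &head);
	return find_free_id(&head, at_head);
}

int main(void)
{
	bool at_head;
	return demo_run(false, &at_head) == -1 && at_head ? 0 : 1;
}
```

With no free entry, a check written as `!entry || !entry->free` would go on to read `free` through a pointer that does not refer to a `struct demo_macvlan` at all; the flag avoids touching the iterator in that case.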