| Message ID | 55acc5dc-8d5a-45bc-a59c-9304071e4579@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | i40e: fix MMIO write access to an invalid page in i40e_clear_hw | expand |
On 3/6/25 06:25, Kyungwook Boo wrote: > In i40e_clear_hw(), when the device sends a specific input(e.g., 0), > an integer underflow in the num_{pf,vf}_int variables can occur, > leading to MMIO write access to an invalid page. > > To fix this, we change the type of the unsigned integer variables > num_{pf,vf}_int to signed integers. Additionally, in the for-loop where the > integer underflow occurs, we also change the type of the loop variable i to > a signed integer. > > Signed-off-by: Kyungwook Boo <bookyungwook@gmail.com> > Signed-off-by: Loktionov, Aleksandr <aleksandr.loktionov@intel.com> when Alex said "make sure I signed too" he meant: "make sure the variable @i is signed too", not the Sign-off ;) (please wait 24h for the next submission, and also put "iwl-next" after the "PATCH" word) > Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> I didn't signed that either > Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ > --- > drivers/net/ethernet/intel/i40e/i40e_common.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c > index 370b4bddee44..9a73cb94dc5e 100644 > --- a/drivers/net/ethernet/intel/i40e/i40e_common.c > +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c > @@ -817,8 +817,8 @@ int i40e_pf_reset(struct i40e_hw *hw) > void i40e_clear_hw(struct i40e_hw *hw) > { > u32 num_queues, base_queue; > - u32 num_pf_int; > - u32 num_vf_int; > + s32 num_pf_int; > + s32 num_vf_int; > u32 num_vfs; > u32 i, j; It's fine to move the declaration of @i into the for loop, but you have to remove it here, otherwise it's shadowing, which we avoid. > u32 val; > @@ -848,18 +848,18 @@ void i40e_clear_hw(struct i40e_hw *hw) > /* stop all the interrupts */ > wr32(hw, I40E_PFINT_ICR0_ENA, 0); > val = 0x3 << I40E_PFINT_DYN_CTLN_ITR_INDX_SHIFT; > - for (i = 0; i < num_pf_int - 2; i++) > + for (s32 i = 0; i < num_pf_int - 2; i++) > wr32(hw, I40E_PFINT_DYN_CTLN(i), val); > > /* Set the FIRSTQ_INDX field to 0x7FF in PFINT_LNKLSTx */ > val = eol << I40E_PFINT_LNKLST0_FIRSTQ_INDX_SHIFT; > wr32(hw, I40E_PFINT_LNKLST0, val); > - for (i = 0; i < num_pf_int - 2; i++) > + for (s32 i = 0; i < num_pf_int - 2; i++) > wr32(hw, I40E_PFINT_LNKLSTN(i), val); > val = eol << I40E_VPINT_LNKLST0_FIRSTQ_INDX_SHIFT; > for (i = 0; i < num_vfs; i++) > wr32(hw, I40E_VPINT_LNKLST0(i), val); > - for (i = 0; i < num_vf_int - 2; i++) > + for (s32 i = 0; i < num_vf_int - 2; i++) > wr32(hw, I40E_VPINT_LNKLSTN(i), val); > > /* warn the HW of the coming Tx disables */
On 25. 3. 6. 16:59, Przemek Kitszel wrote: > On 3/6/25 06:25, Kyungwook Boo wrote: >> In i40e_clear_hw(), when the device sends a specific input(e.g., 0), >> an integer underflow in the num_{pf,vf}_int variables can occur, >> leading to MMIO write access to an invalid page. >> >> To fix this, we change the type of the unsigned integer variables >> num_{pf,vf}_int to signed integers. Additionally, in the for-loop where the >> integer underflow occurs, we also change the type of the loop variable i to >> a signed integer. >> >> Signed-off-by: Kyungwook Boo <bookyungwook@gmail.com> >> Signed-off-by: Loktionov, Aleksandr <aleksandr.loktionov@intel.com> > > when Alex said "make sure I signed too" he meant: > "make sure the variable @i is signed too", not the Sign-off ;) > > (please wait 24h for the next submission, and also put "iwl-next" after > the "PATCH" word) > >> Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> > > I didn't signed that either Oh.. I totally misunderstood the comment. I apologize for mistakenly adding the sign. >> Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ >> --- >> drivers/net/ethernet/intel/i40e/i40e_common.c | 10 +++++----- >> 1 file changed, 5 insertions(+), 5 deletions(-) >> >> diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c >> index 370b4bddee44..9a73cb94dc5e 100644 >> --- a/drivers/net/ethernet/intel/i40e/i40e_common.c >> +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c >> @@ -817,8 +817,8 @@ int i40e_pf_reset(struct i40e_hw *hw) >> void i40e_clear_hw(struct i40e_hw *hw) >> { >> u32 num_queues, base_queue; >> - u32 num_pf_int; >> - u32 num_vf_int; >> + s32 num_pf_int; >> + s32 num_vf_int; >> u32 num_vfs; >> u32 i, j; > > It's fine to move the declaration of @i into the for loop, but > you have to remove it here, otherwise it's shadowing, which we > avoid. > >> u32 val; >> @@ -848,18 +848,18 @@ void i40e_clear_hw(struct i40e_hw *hw) >> /* stop all the interrupts */ >> wr32(hw, I40E_PFINT_ICR0_ENA, 0); >> val = 0x3 << I40E_PFINT_DYN_CTLN_ITR_INDX_SHIFT; >> - for (i = 0; i < num_pf_int - 2; i++) >> + for (s32 i = 0; i < num_pf_int - 2; i++) >> wr32(hw, I40E_PFINT_DYN_CTLN(i), val); >> /* Set the FIRSTQ_INDX field to 0x7FF in PFINT_LNKLSTx */ >> val = eol << I40E_PFINT_LNKLST0_FIRSTQ_INDX_SHIFT; >> wr32(hw, I40E_PFINT_LNKLST0, val); >> - for (i = 0; i < num_pf_int - 2; i++) >> + for (s32 i = 0; i < num_pf_int - 2; i++) >> wr32(hw, I40E_PFINT_LNKLSTN(i), val); >> val = eol << I40E_VPINT_LNKLST0_FIRSTQ_INDX_SHIFT; >> for (i = 0; i < num_vfs; i++) >> wr32(hw, I40E_VPINT_LNKLST0(i), val); >> - for (i = 0; i < num_vf_int - 2; i++) >> + for (s32 i = 0; i < num_vf_int - 2; i++) >> wr32(hw, I40E_VPINT_LNKLSTN(i), val); >> /* warn the HW of the coming Tx disables */ > Thank you for reviewing the patch. I will correct the patch and resubmit it. Best, Kyungwook Boo
> -----Original Message----- > From: Kyungwook Boo <bookyungwook@gmail.com> > Sent: Thursday, March 6, 2025 6:26 AM > To: Loktionov, Aleksandr <aleksandr.loktionov@intel.com>; Kitszel, > Przemyslaw <przemyslaw.kitszel@intel.com>; Nguyen, Anthony L > <anthony.l.nguyen@intel.com> > Cc: intel-wired-lan@lists.osuosl.org; netdev@vger.kernel.org > Subject: [PATCH] i40e: fix MMIO write access to an invalid page in > i40e_clear_hw Please follow the rules, add v2 to the patch > > In i40e_clear_hw(), when the device sends a specific input(e.g., 0), an integer > underflow in the num_{pf,vf}_int variables can occur, leading to MMIO write > access to an invalid page. > > To fix this, we change the type of the unsigned integer variables > num_{pf,vf}_int to signed integers. Additionally, in the for-loop where the > integer underflow occurs, we also change the type of the loop variable i to a > signed integer. Please do follow the linux kernel > > Signed-off-by: Kyungwook Boo <bookyungwook@gmail.com> > Signed-off-by: Loktionov, Aleksandr <aleksandr.loktionov@intel.com> > Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> > Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6- > 8c773f6f7095@gmail.com/T/ > --- Please up here versions history. > drivers/net/ethernet/intel/i40e/i40e_common.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c > b/drivers/net/ethernet/intel/i40e/i40e_common.c > index 370b4bddee44..9a73cb94dc5e 100644 > --- a/drivers/net/ethernet/intel/i40e/i40e_common.c > +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c > @@ -817,8 +817,8 @@ int i40e_pf_reset(struct i40e_hw *hw) void > i40e_clear_hw(struct i40e_hw *hw) { > u32 num_queues, base_queue; > - u32 num_pf_int; > - u32 num_vf_int; > + s32 num_pf_int; > + s32 num_vf_int; > u32 num_vfs; > u32 i, j; What about this vars? Are they used? > u32 val; > @@ -848,18 +848,18 @@ void i40e_clear_hw(struct i40e_hw *hw) > /* stop all the interrupts */ > wr32(hw, I40E_PFINT_ICR0_ENA, 0); > val = 0x3 << I40E_PFINT_DYN_CTLN_ITR_INDX_SHIFT; > - for (i = 0; i < num_pf_int - 2; i++) > + for (s32 i = 0; i < num_pf_int - 2; i++) > wr32(hw, I40E_PFINT_DYN_CTLN(i), val); > > /* Set the FIRSTQ_INDX field to 0x7FF in PFINT_LNKLSTx */ > val = eol << I40E_PFINT_LNKLST0_FIRSTQ_INDX_SHIFT; > wr32(hw, I40E_PFINT_LNKLST0, val); > - for (i = 0; i < num_pf_int - 2; i++) > + for (s32 i = 0; i < num_pf_int - 2; i++) > wr32(hw, I40E_PFINT_LNKLSTN(i), val); > val = eol << I40E_VPINT_LNKLST0_FIRSTQ_INDX_SHIFT; > for (i = 0; i < num_vfs; i++) > wr32(hw, I40E_VPINT_LNKLST0(i), val); > - for (i = 0; i < num_vf_int - 2; i++) > + for (s32 i = 0; i < num_vf_int - 2; i++) > wr32(hw, I40E_VPINT_LNKLSTN(i), val); > > /* warn the HW of the coming Tx disables */ > -- > 2.25.1
diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c index 370b4bddee44..9a73cb94dc5e 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_common.c +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c @@ -817,8 +817,8 @@ int i40e_pf_reset(struct i40e_hw *hw) void i40e_clear_hw(struct i40e_hw *hw) { u32 num_queues, base_queue; - u32 num_pf_int; - u32 num_vf_int; + s32 num_pf_int; + s32 num_vf_int; u32 num_vfs; u32 i, j; u32 val; @@ -848,18 +848,18 @@ void i40e_clear_hw(struct i40e_hw *hw) /* stop all the interrupts */ wr32(hw, I40E_PFINT_ICR0_ENA, 0); val = 0x3 << I40E_PFINT_DYN_CTLN_ITR_INDX_SHIFT; - for (i = 0; i < num_pf_int - 2; i++) + for (s32 i = 0; i < num_pf_int - 2; i++) wr32(hw, I40E_PFINT_DYN_CTLN(i), val); /* Set the FIRSTQ_INDX field to 0x7FF in PFINT_LNKLSTx */ val = eol << I40E_PFINT_LNKLST0_FIRSTQ_INDX_SHIFT; wr32(hw, I40E_PFINT_LNKLST0, val); - for (i = 0; i < num_pf_int - 2; i++) + for (s32 i = 0; i < num_pf_int - 2; i++) wr32(hw, I40E_PFINT_LNKLSTN(i), val); val = eol << I40E_VPINT_LNKLST0_FIRSTQ_INDX_SHIFT; for (i = 0; i < num_vfs; i++) wr32(hw, I40E_VPINT_LNKLST0(i), val); - for (i = 0; i < num_vf_int - 2; i++) + for (s32 i = 0; i < num_vf_int - 2; i++) wr32(hw, I40E_VPINT_LNKLSTN(i), val); /* warn the HW of the coming Tx disables */
In i40e_clear_hw(), when the device sends a specific input(e.g., 0), an integer underflow in the num_{pf,vf}_int variables can occur, leading to MMIO write access to an invalid page. To fix this, we change the type of the unsigned integer variables num_{pf,vf}_int to signed integers. Additionally, in the for-loop where the integer underflow occurs, we also change the type of the loop variable i to a signed integer. Signed-off-by: Kyungwook Boo <bookyungwook@gmail.com> Signed-off-by: Loktionov, Aleksandr <aleksandr.loktionov@intel.com> Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ --- drivers/net/ethernet/intel/i40e/i40e_common.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)