Message ID | 20200724080657.19182-1-dinghao.liu@zju.edu.cn |
---|---|
State | Changes Requested |
Delegated to: | David Miller |
Series | octeontx2-af: Fix use of uninitialized pointer bmap |
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
Date: Fri, 24 Jul 2020 16:06:57 +0800

> If req->ctype does not match any of NIX_AQ_CTYPE_CQ,
> NIX_AQ_CTYPE_SQ or NIX_AQ_CTYPE_RQ, pointer bmap will remain
> uninitialized and be accessed in test_bit(), which can lead
> to kernel crash.

This can never happen.

> Fix this by returning an error code if this case is triggered.
>
> Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>

I strongly dislike changes like this.

Most callers of nix_lf_hwctx_disable() inside of rvu_nix.c set
req->ctype to one of the handled values.

The only other case, rvu_mbox_handler_nix_hwctx_disable(), is a
completely unused function and should be removed.

There is no functional problem in this code at all.

It is not possible to show a code path where the stated problem can
actually occur.
> From: Dinghao Liu <dinghao.liu@zju.edu.cn>
> Date: Fri, 24 Jul 2020 16:06:57 +0800
>
> > If req->ctype does not match any of NIX_AQ_CTYPE_CQ,
> > NIX_AQ_CTYPE_SQ or NIX_AQ_CTYPE_RQ, pointer bmap will remain
> > uninitialized and be accessed in test_bit(), which can lead
> > to kernel crash.
>
> This can never happen.
>
> > Fix this by returning an error code if this case is triggered.
> >
> > Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
>
> I strongly dislike changes like this.
>
> Most callers of nix_lf_hwctx_disable() inside of rvu_nix.c set
> req->ctype to one of the handled values.
>
> The only other case, rvu_mbox_handler_nix_hwctx_disable(), is a
> completely unused function and should be removed.
>
> There is no functional problem in this code at all.
>
> It is not possible to show a code path where the stated problem can
> actually occur.

It's clear to me now. Thanks.

Regards,
Dinghao
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c index 36953d4f51c7..20a64ed24474 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c @@ -869,19 +869,18 @@ static int nix_lf_hwctx_disable(struct rvu *rvu, struct hwctx_disable_req *req) aq_req.cq_mask.bp_ena = 1; q_cnt = pfvf->cq_ctx->qsize; bmap = pfvf->cq_bmap; - } - if (req->ctype == NIX_AQ_CTYPE_SQ) { + } else if (req->ctype == NIX_AQ_CTYPE_SQ) { aq_req.sq.ena = 0; aq_req.sq_mask.ena = 1; q_cnt = pfvf->sq_ctx->qsize; bmap = pfvf->sq_bmap; - } - if (req->ctype == NIX_AQ_CTYPE_RQ) { + } else if (req->ctype == NIX_AQ_CTYPE_RQ) { aq_req.rq.ena = 0; aq_req.rq_mask.ena = 1; q_cnt = pfvf->rq_ctx->qsize; bmap = pfvf->rq_bmap; - } + } else + return NIX_AF_ERR_AQ_ENQUEUE; aq_req.ctype = req->ctype; aq_req.op = NIX_AQ_INSTOP_WRITE;
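
Review bot: the final `} else` in front of `return NIX_AF_ERR_AQ_ENQUEUE;` is left unbraced while the three branches before it in the same chain are braced; kernel coding style asks for braces on every branch once any branch needs them, so close the chain with `} else {`, the return, and `}`. The chosen code also reads as an enqueue failure, yet the return happens before `aq_req.ctype` and `aq_req.op = NIX_AQ_INSTOP_WRITE;` are even filled in, so nothing has been enqueued at that point; an error that tells the caller the ctype was not one of CQ, SQ or RQ would be easier to act on. If the unhandled case is kept as a defensive check, a short comment above the final branch saying that `bmap` and `q_cnt` are only assigned in the three handled branches would record why the early return exists.
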
If req->ctype does not match any of NIX_AQ_CTYPE_CQ,
NIX_AQ_CTYPE_SQ or NIX_AQ_CTYPE_RQ, pointer bmap will remain
uninitialized and be accessed in test_bit(), which can lead
to kernel crash.

Fix this by returning an error code if this case is triggered.

Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)