Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2196549/?format=api
{ "id": 2196549, "url": "http://patchwork.ozlabs.org/api/patches/2196549/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260214191502.267670-1-kohei@enjuk.jp/", "project": { "id": 46, "url": "http://patchwork.ozlabs.org/api/projects/46/?format=api", "name": "Intel Wired Ethernet development", "link_name": "intel-wired-lan", "list_id": "intel-wired-lan.osuosl.org", "list_email": "intel-wired-lan@osuosl.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260214191502.267670-1-kohei@enjuk.jp>", "list_archive_url": null, "date": "2026-02-14T19:14:25", "name": "[v1,iwl-net] iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "1171d946330fd171c0ce8c986c4978afc6032d91", "submitter": { "id": 92459, "url": "http://patchwork.ozlabs.org/api/people/92459/?format=api", "name": "Kohei Enju", "email": "kohei@enjuk.jp" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260214191502.267670-1-kohei@enjuk.jp/mbox/", "series": [ { "id": 492191, "url": "http://patchwork.ozlabs.org/api/series/492191/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=492191", "date": "2026-02-14T19:14:25", "name": "[v1,iwl-net] iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/492191/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2196549/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2196549/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<intel-wired-lan-bounces@osuosl.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256\n header.s=default header.b=poT7QFL3;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fCzJz6nxpz1xr1\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 15 Feb 2026 06:15:45 +1100 (AEDT)", "from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 3D05040782;\n\tSat, 14 Feb 2026 19:15:43 +0000 (UTC)", "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id rWkfzJD743uW; Sat, 14 Feb 2026 19:15:41 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 0B8E540788;\n\tSat, 14 Feb 2026 19:15:41 +0000 (UTC)", "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists1.osuosl.org (Postfix) with ESMTP id 95BF0270\n for <intel-wired-lan@lists.osuosl.org>; Sat, 14 Feb 2026 19:15:39 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id 8390940485\n for <intel-wired-lan@lists.osuosl.org>; Sat, 14 Feb 2026 19:15:39 +0000 (UTC)", "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 4qBZ2GmF8pfb for <intel-wired-lan@lists.osuosl.org>;\n Sat, 14 Feb 2026 19:15:38 +0000 (UTC)", "from www2881.sakura.ne.jp (www2881.sakura.ne.jp [49.212.198.91])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 4788740484\n for <intel-wired-lan@lists.osuosl.org>; Sat, 14 Feb 2026 19:15:37 +0000 (UTC)", "from ms-a2 (211.4.31.150.dy.iij4u.or.jp [150.31.4.211])\n (authenticated bits=0)\n by www2881.sakura.ne.jp (8.16.1/8.16.1) with ESMTPSA id 61EJF37h055530\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);\n Sun, 15 Feb 2026 04:15:03 +0900 (JST) (envelope-from kohei@enjuk.jp)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp4.osuosl.org 0B8E540788", "OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4788740484" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org;\n\ts=default; t=1771096541;\n\tbh=3tuBNW7MlsXilikpV8VmhY8TrLvBWcUFtWlZqhCYla0=;\n\th=From:To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From;\n\tb=poT7QFL35uHqBP4FZfisKnMpe/4X+3Jir01Zgjyc75Fgbdvsp0AWsYDZJ+HWAm0aG\n\t j0WZsBSZrOMUUL6Y49EGXgTh2O5giUqqWaE3mZVxO9zIqXG9BKY186SqnAz8XYzOO4\n\t BlKs1/wPjIeCjM/wXjH8lmYSx/PMOGlIdXt5UmA27wudbDOD4CwyxiLjYvEfgEfLd8\n\t n40//aMRwSBkqn/YuY2jwuAaPY/QjTOIvMTiSOm50aO28HkHw+g4T0S1EG0H++chWg\n\t 4hJYGTagTsq3jeJiUXFMr4+o6GzrqEPZJBPfaR4EoctrhPlH4ZMAZs4IoZYywhVqY+\n\t nrla8qGuxPw9w==", "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=49.212.198.91;\n helo=www2881.sakura.ne.jp; envelope-from=kohei@enjuk.jp; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp2.osuosl.org 4788740484", "From": "Kohei Enju <kohei@enjuk.jp>", "To": "intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org", "Cc": "Tony Nguyen <anthony.l.nguyen@intel.com>,\n Przemek Kitszel <przemyslaw.kitszel@intel.com>,\n Andrew Lunn <andrew+netdev@lunn.ch>,\n \"David S. Miller\" <davem@davemloft.net>,\n Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,\n Paolo Abeni <pabeni@redhat.com>,\n Jedrzej Jagielski <jedrzej.jagielski@intel.com>,\n Mateusz Palczewski <mateusz.palczewski@intel.com>,\n Witold Fijalkowski <witoldx.fijalkowski@intel.com>,\n Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>,\n kohei.enju@gmail.com, Kohei Enju <kohei@enjuk.jp>", "Date": "Sat, 14 Feb 2026 19:14:25 +0000", "Message-ID": "<20260214191502.267670-1-kohei@enjuk.jp>", "X-Mailer": "git-send-email 2.51.0", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Mailman-Original-DKIM-Signature": "a=rsa-sha256;\n bh=3tuBNW7MlsXilikpV8VmhY8TrLvBWcUFtWlZqhCYla0=;\n c=relaxed/relaxed; d=enjuk.jp;\n h=From:To:Subject:Date:Message-ID;\n s=rs20251215; t=1771096504; v=1;\n b=P/SylkNaygaNL0FXfhhe9fMfsfZP3/TEPY7/vRIeiSxlc5CT/beDopeVrYg+RdY/\n xduJecF5e/0Ml5e0cl73CKirQRLAcihWoDSQ3/kbUacWMDdvtQWxGvCpleH7bzLg\n eotmZIxXY4PqG/69Aq7bpLW+a76UXFSkdAx21Jyh34YRkO/7ez9m8iAcZ35N7L5Z\n 6JT+aJyvfEOTpxVxTmcVPUGZDN7qYPnrGvr3q1gpHMZl84x38daOhFzD7Ebts5ho\n YeW/5l1+KzueFlNvmImkhbWiFGOBmr7ZfJ4vAB/dsA2FTomGzKdaH9PSb9b5lCdq\n nInglUDRnXUji5DItQwQTw==", "X-Mailman-Original-Authentication-Results": [ "smtp2.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=enjuk.jp", "smtp2.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=enjuk.jp header.i=@enjuk.jp header.a=rsa-sha256\n header.s=rs20251215 header.b=P/SylkNa" ], "Subject": "[Intel-wired-lan] [PATCH v1 iwl-net] iavf: fix out-of-bounds writes\n in iavf_get_ethtool_stats()", "X-BeenThere": "intel-wired-lan@osuosl.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Intel Wired Ethernet Linux Kernel Driver Development\n <intel-wired-lan.osuosl.org>", "List-Unsubscribe": "<https://lists.osuosl.org/mailman/options/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>", "List-Archive": "<http://lists.osuosl.org/pipermail/intel-wired-lan/>", "List-Post": "<mailto:intel-wired-lan@osuosl.org>", "List-Help": "<mailto:intel-wired-lan-request@osuosl.org?subject=help>", "List-Subscribe": "<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>", "Errors-To": "intel-wired-lan-bounces@osuosl.org", "Sender": "\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>" }, "content": "iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the\nvalue could change in runtime, we should use num_tx_queues instead.\n\nMoreover iavf_get_ethtool_stats() uses num_active_queues while\niavf_get_sset_count() and iavf_get_stat_strings() use\nreal_num_tx_queues, which triggers out-of-bounds writes when we do\n\"ethtool -L\" and \"ethtool -S\" simultaneously [1].\n\nFor example when we change channels from 1 to 8, Thread 3 could be\nscheduled before Thread 2, and out-of-bounds writes could be triggered\nin Thread 3:\n\nThread 1 (ethtool -L) Thread 2 (work) Thread 3 (ethtool -S)\niavf_set_channels()\n...\niavf_alloc_queues()\n-> num_active_queues = 8\niavf_schedule_finish_config()\n iavf_get_sset_count()\n real_num_tx_queues: 1\n -> buffer for 1 queue\n iavf_get_ethtool_stats()\n num_active_queues: 8\n -> out-of-bounds!\n iavf_finish_config()\n -> real_num_tx_queues = 8\n\nUse immutable num_tx_queues in all related functions to avoid the issue.\n\n[1]\n BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270\n Write of size 8 at addr ffffc900031c9080 by task ethtool/5800\n\n CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl+0x6f/0xb0\n print_report+0x170/0x4f3\n kasan_report+0xe1/0x180\n iavf_add_one_ethtool_stat+0x200/0x270\n iavf_get_ethtool_stats+0x14c/0x2e0\n __dev_ethtool+0x3d0c/0x5830\n dev_ethtool+0x12d/0x270\n dev_ioctl+0x53c/0xe30\n sock_do_ioctl+0x1a9/0x270\n sock_ioctl+0x3d4/0x5e0\n __x64_sys_ioctl+0x137/0x1c0\n do_syscall_64+0xf3/0x690\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f7da0e6e36d\n ...\n </TASK>\n\n The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830\n The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000\n index:0xffff88813a013de0 pfn:0x13a013\n flags: 0x200000000000000(node=0|zone=2)\n raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\n raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ^\n ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n\nFixes: 64430f70ba6f (\"iavf: Fix displaying queue statistics shown by ethtool\")\nSigned-off-by: Kohei Enju <kohei@enjuk.jp>\n---\n .../net/ethernet/intel/iavf/iavf_ethtool.c | 31 +++++++++----------\n 1 file changed, 15 insertions(+), 16 deletions(-)", "diff": "diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c\nindex 6ff3842a1ff1..98bec3afc200 100644\n--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c\n+++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c\n@@ -313,14 +313,13 @@ static int iavf_get_sset_count(struct net_device *netdev, int sset)\n {\n \t/* Report the maximum number queues, even if not every queue is\n \t * currently configured. Since allocation of queues is in pairs,\n-\t * use netdev->real_num_tx_queues * 2. The real_num_tx_queues is set\n-\t * at device creation and never changes.\n+\t * use netdev->num_tx_queues * 2. The num_tx_queues is set at\n+\t * device creation and never changes.\n \t */\n \n \tif (sset == ETH_SS_STATS)\n \t\treturn IAVF_STATS_LEN +\n-\t\t\t(IAVF_QUEUE_STATS_LEN * 2 *\n-\t\t\t netdev->real_num_tx_queues);\n+\t\t (IAVF_QUEUE_STATS_LEN * 2 * netdev->num_tx_queues);\n \telse\n \t\treturn -EINVAL;\n }\n@@ -345,19 +344,19 @@ static void iavf_get_ethtool_stats(struct net_device *netdev,\n \tiavf_add_ethtool_stats(&data, adapter, iavf_gstrings_stats);\n \n \trcu_read_lock();\n-\t/* As num_active_queues describe both tx and rx queues, we can use\n-\t * it to iterate over rings' stats.\n+\t/* Use num_tx_queues to report stats for the maximum number of queues.\n+\t * Queues beyond num_active_queues will report zero.\n \t */\n-\tfor (i = 0; i < adapter->num_active_queues; i++) {\n-\t\tstruct iavf_ring *ring;\n+\tfor (i = 0; i < netdev->num_tx_queues; i++) {\n+\t\tstruct iavf_ring *tx_ring = NULL, *rx_ring = NULL;\n \n-\t\t/* Tx rings stats */\n-\t\tring = &adapter->tx_rings[i];\n-\t\tiavf_add_queue_stats(&data, ring);\n+\t\tif (i < adapter->num_active_queues) {\n+\t\t\ttx_ring = &adapter->tx_rings[i];\n+\t\t\trx_ring = &adapter->rx_rings[i];\n+\t\t}\n \n-\t\t/* Rx rings stats */\n-\t\tring = &adapter->rx_rings[i];\n-\t\tiavf_add_queue_stats(&data, ring);\n+\t\tiavf_add_queue_stats(&data, tx_ring);\n+\t\tiavf_add_queue_stats(&data, rx_ring);\n \t}\n \trcu_read_unlock();\n }\n@@ -376,9 +375,9 @@ static void iavf_get_stat_strings(struct net_device *netdev, u8 *data)\n \tiavf_add_stat_strings(&data, iavf_gstrings_stats);\n \n \t/* Queues are always allocated in pairs, so we just use\n-\t * real_num_tx_queues for both Tx and Rx queues.\n+\t * num_tx_queues for both Tx and Rx queues.\n \t */\n-\tfor (i = 0; i < netdev->real_num_tx_queues; i++) {\n+\tfor (i = 0; i < netdev->num_tx_queues; i++) {\n \t\tiavf_add_stat_strings(&data, iavf_gstrings_queue_stats,\n \t\t\t\t \"tx\", i);\n \t\tiavf_add_stat_strings(&data, iavf_gstrings_queue_stats,\n", "prefixes": [ "v1", "iwl-net" ] }