[{"id":3687783,"web_url":"http://patchwork.ozlabs.org/comment/3687783/","msgid":"<20260507125431.947371-2-horms@kernel.org>","list_archive_url":null,"date":"2026-05-07T12:54:32","subject":"Re: [Intel-wired-lan] [PATCH iwl-net v2] idpf: fix RSS LUT memcpy\n size","submitter":{"id":82748,"url":"http://patchwork.ozlabs.org/api/people/82748/","name":"Simon Horman","email":"horms@kernel.org"},"content":"From: 'Simon Horman' <horms@kernel.org>\n\nThis is an AI-generated review of your patch. The human sending this\nemail has considered the AI review valid, or at least plausible.\nFull review at: https://sashiko.dev\n---\nidpf: fix RSS LUT memcpy size\n\nThis commit increases the memcpy size when retrieving the RSS lookup table\nto account for the full buffer size rather than just the number of entries.\nIt also adjusts the required Rx buffer size check to include the structure\nsize.\n\nLink: https://sashiko.dev/#/patchset/20260323174052.5355-1-larysa.zaremba%40intel.com?part=8\n\n> diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c\n> index be66f9b2e101c..0fc7c68447f83 100644\n> --- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c\n> +++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c\n> @@ -2915,8 +2915,9 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_adapter *adapter,\n>  \tif (reply_sz < sizeof(struct virtchnl2_rss_lut))\n>  \t\treturn -EIO;\n>  \n> -\tlut_buf_size = le16_to_cpu(recv_rl->lut_entries) * sizeof(u32);\n> -\tif (reply_sz < lut_buf_size)\n> +\tlut_buf_size = flex_array_size(recv_rl, lut,\n> +\t\t\t\t       le16_to_cpu(recv_rl->lut_entries));\n> +\tif (reply_sz < lut_buf_size + sizeof(struct virtchnl2_rss_lut))\n>  \t\treturn -EIO;\n\nCould this cause an out-of-bounds read if the message size exceeds the\nallocated buffer?\n\nLooking at the allocation of recv_rl earlier in this function, it has a\nfixed size:\n\n    recv_rl = kzalloc(IDPF_CTLQ_MAX_BUF_LEN, GFP_KERNEL);\n\nIf the hardware-controlled recv_rl->lut_entries yields a calculated structure\nsize larger than IDPF_CTLQ_MAX_BUF_LEN, reply_sz may also exceed\nIDPF_CTLQ_MAX_BUF_LEN.\n\nWhile this check ensures reply_sz is large enough for lut_buf_size, does it\nensure we don't read past the end of the IDPF_CTLQ_MAX_BUF_LEN allocation\nduring the memcpy?\n\n[ ... ]\n> @@ -2933,7 +2934,7 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_adapter *adapter,\n>  \t}\n>  \n>  do_memcpy:\n> -\tmemcpy(rss_data->rss_lut, recv_rl->lut, rss_data->rss_lut_size);\n> +\tmemcpy(rss_data->rss_lut, recv_rl->lut, lut_buf_size);\n\nDoes this copy skip necessary byte-order conversions?\n\nThe hardware response recv_rl->lut contains __le32 (little-endian) values,\nbut the destination rss_data->rss_lut is an array of host-order u32\nintegers.\n\nThe set path correctly applies cpu_to_le32() to elements before sending\nthem:\n\n    rl->lut[i] = rxhash_ena ? cpu_to_le32(rss_data->rss_lut[i]) : 0;\n\nOn big-endian architectures, copying little-endian bytes directly with\nmemcpy() will result in byte-swapped queue indices. Does the driver need to\niterate over the entries and convert each using le32_to_cpu() instead?","headers":{"Return-Path":"<intel-wired-lan-bounces@osuosl.org>","X-Original-To":["incoming@patchwork.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256\n header.s=default header.b=es5t178g;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gBC3Z6pyMz1yKd\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 07 May 2026 22:58:16 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 04AC141113;\n\tThu,  7 May 2026 12:58:14 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id wToaorwMH269; Thu,  7 May 2026 12:58:13 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 3C8E941110;\n\tThu,  7 May 2026 12:58:13 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists1.osuosl.org (Postfix) with ESMTP id D5048280\n for <intel-wired-lan@lists.osuosl.org>; Thu,  7 May 2026 12:58:11 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id C6F9541110\n for <intel-wired-lan@lists.osuosl.org>; Thu,  7 May 2026 12:58:11 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id MDjz1RFR6SMr for <intel-wired-lan@lists.osuosl.org>;\n Thu,  7 May 2026 12:58:11 +0000 (UTC)","from sea.source.kernel.org (sea.source.kernel.org\n [IPv6:2600:3c0a:e001:78e:0:1991:8:25])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 0ECB741047\n for <intel-wired-lan@lists.osuosl.org>; Thu,  7 May 2026 12:58:10 +0000 (UTC)","from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])\n by sea.source.kernel.org (Postfix) with ESMTP id F1A6141A31;\n Thu,  7 May 2026 12:58:09 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id EA6BDC2BCB2;\n Thu,  7 May 2026 12:58:06 +0000 (UTC)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org 3C8E941110","OpenDKIM Filter v2.11.0 smtp4.osuosl.org 0ECB741047"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org;\n\ts=default; t=1778158693;\n\tbh=76R3vnZ6x747dl29vgm2RvvdX/IZbVFK4/0RUO0M6Yk=;\n\th=From:To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=es5t178gbvDrUnGzoUjeG0vjwUxCvRrolV4h2ZZ2ZvuZ616Uwmd1Dk0PurTlTdrDz\n\t 9y+5AUHPeUEgkhX1KhKu8BDeKyE6eUK9Tl+DF7iJkW2wqAWnQ21hKyz65LH/AhXcrK\n\t coFZueOEyA2aBgIkf9k/RjMALOIIj+KlLRfnuZcm6aBJhUxPa1ZamoDZWQ13IDxtqA\n\t dOEmzYUG8FLVgpGV8GF+x1mZEsL1uWDbmiLJYzjSGuh+D8Th9d11CD5+T9C06V+eCi\n\t 5dKZIKhzvVviOt+oqbX4AhGLx2DplYV0io+k3H7Y0uKpxLioXPYMVRRwsq5PDENAnt\n\t sbwkBwCzNnxpw==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2600:3c0a:e001:78e:0:1991:8:25; helo=sea.source.kernel.org;\n envelope-from=horms@kernel.org; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org 0ECB741047","From":"Simon Horman <horms@kernel.org>","To":"larysa.zaremba@intel.com","Cc":"'Simon Horman' <horms@kernel.org>, intel-wired-lan@lists.osuosl.org,\n jacob.e.keller@intel.com, przemyslaw.kitszel@intel.com,\n andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com,\n kuba@kernel.org, pabeni@redhat.com, joshua.a.hay@intel.com,\n willemb@google.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org,\n aleksandr.loktionov@intel.com, anthony.l.nguyen@intel.com","Date":"Thu,  7 May 2026 13:54:32 +0100","Message-ID":"<20260507125431.947371-2-horms@kernel.org>","X-Mailer":"git-send-email 2.54.0","In-Reply-To":"<20260504144345.293219-1-larysa.zaremba@intel.com>","References":"<20260504144345.293219-1-larysa.zaremba@intel.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=kernel.org; s=k20201202; t=1778158689;\n bh=WDjhH006pjr7DO1odgRVIbkbsVw1XbJABURX23J9bC8=;\n h=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n b=MC5yDTjVffa9Vy/D/mKcZft6etWRgTFNpxHsSa0fT7lqvB3QMgusLbDCsNCtSg0EB\n gSb87FVTAcrr+15ntAazrE5yIZhnLooOS6iakT9MpNTPWg2hOnaLsrHKltGCh9hRaa\n DCWNCqjrUgPK6WCGspntCMOxg+52vSM5n/ZkQ29NgTeOPBGy+ztBrCWZSxR4PWyyaX\n 6ML3pW0OnLGr7//mffaVCCzcdDGx7r4L1FYpZjb8/AaQPYWjnuXlj0cHozXbt2tGNh\n VHMvXJSO50Y9W4H7UjKo1bmNuOZxVgaX08zSw34NhZmdq+2rVa2FlCWEfQxW393Ggz\n 2MQlN2Ap+VCyQ==","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=kernel.org","smtp4.osuosl.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.a=rsa-sha256 header.s=k20201202 header.b=MC5yDTjV"],"Subject":"Re: [Intel-wired-lan] [PATCH iwl-net v2] idpf: fix RSS LUT memcpy\n size","X-BeenThere":"intel-wired-lan@osuosl.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Intel Wired Ethernet Linux Kernel Driver Development\n <intel-wired-lan.osuosl.org>","List-Unsubscribe":"<https://lists.osuosl.org/mailman/options/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>","List-Archive":"<http://lists.osuosl.org/pipermail/intel-wired-lan/>","List-Post":"<mailto:intel-wired-lan@osuosl.org>","List-Help":"<mailto:intel-wired-lan-request@osuosl.org?subject=help>","List-Subscribe":"<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>","Errors-To":"intel-wired-lan-bounces@osuosl.org","Sender":"\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>"}}]