{"id":2223536,"url":"http://patchwork.ozlabs.org/api/patches/2223536/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260415142841.3222399-3-aleksandr.loktionov@intel.com/","project":{"id":46,"url":"http://patchwork.ozlabs.org/api/projects/46/?format=json","name":"Intel Wired Ethernet development","link_name":"intel-wired-lan","list_id":"intel-wired-lan.osuosl.org","list_email":"intel-wired-lan@osuosl.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260415142841.3222399-3-aleksandr.loktionov@intel.com>","list_archive_url":null,"date":"2026-04-15T14:28:37","name":"[iwl-net,v3,2/6] ixgbe: add bounds check for debugfs register access","commit_ref":null,"pull_url":null,"state":"under-review","archived":false,"hash":"f5d5a7bb29c3de2e0a00137fd4a99267a00cb94f","submitter":{"id":75597,"url":"http://patchwork.ozlabs.org/api/people/75597/?format=json","name":"Aleksandr Loktionov","email":"aleksandr.loktionov@intel.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260415142841.3222399-3-aleksandr.loktionov@intel.com/mbox/","series":[{"id":499995,"url":"http://patchwork.ozlabs.org/api/series/499995/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=499995","date":"2026-04-15T14:28:35","name":"ixgbe: six bug fixes","version":3,"mbox":"http://patchwork.ozlabs.org/series/499995/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2223536/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2223536/checks/","tags":{},"related":[],"headers":{"Return-Path":"<intel-wired-lan-bounces@osuosl.org>","X-Original-To":["incoming@patchwork.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n 
unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256\n header.s=default header.b=Nspk/CxB;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=140.211.166.136; helo=smtp3.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwk6G6j0Xz1yHd\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 00:28:54 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id EA2536F766;\n\tWed, 15 Apr 2026 14:28:52 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id qoH3myCD7lRb; Wed, 15 Apr 2026 14:28:51 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 356DE6F753;\n\tWed, 15 Apr 2026 14:28:51 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n by lists1.osuosl.org (Postfix) with ESMTP id 2C519283\n for <intel-wired-lan@lists.osuosl.org>; Wed, 15 Apr 2026 14:28:49 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id 0F15785477\n for <intel-wired-lan@lists.osuosl.org>; Wed, 15 Apr 2026 14:28:49 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id eyHNTkCmwO2W for <intel-wired-lan@lists.osuosl.org>;\n Wed, 15 Apr 2026 14:28:48 +0000 (UTC)","from mgamail.intel.com (mgamail.intel.com [198.175.65.16])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 05B6F825C3\n for <intel-wired-lan@lists.osuosl.org>; Wed, 
15 Apr 2026 14:28:47 +0000 (UTC)","from orviesa003.jf.intel.com ([10.64.159.143])\n by orvoesa108.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 15 Apr 2026 07:28:47 -0700","from amlin-019-225.igk.intel.com ([10.102.19.225])\n by orviesa003.jf.intel.com with ESMTP; 15 Apr 2026 07:28:45 -0700"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org 356DE6F753","OpenDKIM Filter v2.11.0 smtp1.osuosl.org 05B6F825C3"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org;\n\ts=default; t=1776263331;\n\tbh=7wYmwSeUp+Aku806hwrnJe5X66IdlSRkkdfHuqJdCjc=;\n\th=From:To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=Nspk/CxBkSrnvP23ad1J+r2VVloCO9ELD9FyxTVTnIcoFHZzzmwdj2VT6HPkGAfQI\n\t XeaUGMfhJ7/I3FnjludqnY2krHcZGZrpgam1Rwsr9QBlvBu1NArpNsWcW5ICrK8QPm\n\t ulIj8fJ0oONbS0UONILS7guv+FGJB2n7MTTnXF4w6CF78lunjKh4YZVWCrHw0qwTzq\n\t Op2p+eNhOhndbWq3F1p7aY0cxUutsiWNBOLnVMJlXyEQvwAfHXlyckpIRk7wZXGz5n\n\t vA6V0/RlDFIH66U4r/9ckC8xaAbjo4WCZ3MzgKka4/rm5m/7vsrxq14T8iKdGKtNiO\n\t HXwK5wZDBTrRA==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=198.175.65.16;\n helo=mgamail.intel.com; envelope-from=aleksandr.loktionov@intel.com;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org 05B6F825C3","X-CSE-ConnectionGUID":["+zNJ+Wo2TyS1kXFHVGk0Aw==","SOHqTdJeQsaxJ5FIc2m7SA=="],"X-CSE-MsgGUID":["rwnn3bHaTiO66SFnqtvaNA==","a9nUnyS4SQCZ01l5LPg53g=="],"X-IronPort-AV":["E=McAfee;i=\"6800,10657,11760\"; a=\"77423733\"","E=Sophos;i=\"6.23,179,1770624000\"; d=\"scan'208\";a=\"77423733\"","E=Sophos;i=\"6.23,179,1770624000\"; d=\"scan'208\";a=\"234467850\""],"X-ExtLoop1":"1","From":"Aleksandr Loktionov 
<aleksandr.loktionov@intel.com>","To":"intel-wired-lan@lists.osuosl.org, anthony.l.nguyen@intel.com,\n aleksandr.loktionov@intel.com","Cc":"netdev@vger.kernel.org, Paul Greenwalt <paul.greenwalt@intel.com>,\n Simon Horman <horms@kernel.org>","Date":"Wed, 15 Apr 2026 16:28:37 +0200","Message-ID":"<20260415142841.3222399-3-aleksandr.loktionov@intel.com>","X-Mailer":"git-send-email 2.52.0","In-Reply-To":"<20260415142841.3222399-1-aleksandr.loktionov@intel.com>","References":"<20260415142841.3222399-1-aleksandr.loktionov@intel.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n t=1776263328; x=1807799328;\n h=from:to:cc:subject:date:message-id:in-reply-to:\n references:mime-version:content-transfer-encoding;\n bh=7SKNB46uDZXM8jxmPX4sCXW57soOfjv8FO2okC82C6E=;\n b=UpWZcdYYmlBe8b1RvlBBmRc5J6mgoF6lVZGo7Vk3+dVxKkzxuJtu7xNy\n Ed1YcqlfmCEtn1XigZd0ISP8ZQOJLB9l0y76yGC0DFntjrE3ZdHPgeT58\n upi33c+AGn2miuu6qGvkncU+iU1zsDZIc4xYh1rZtu+WQOLpmMq5dDGmT\n YOYUQMSh9bhTaEL9KFWaxRW0ZR9ikm5HXZtUbrk16prAMQMkK3UhZOqDp\n 7gitnnEHBPJxKvLSkQ5o1skwceKjQ5GSEYvAa0z+e+ahTjjIVqa16AzCG\n p9iG1Idv1cRDhYP2yMQJaUX8a0h1T5vs1O+3LiomSyO2+vxTVa1Jsm1aD\n Q==;","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=intel.com","smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=UpWZcdYY"],"Subject":"[Intel-wired-lan] [PATCH iwl-net v3 2/6] ixgbe: add bounds check\n for debugfs register access","X-BeenThere":"intel-wired-lan@osuosl.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Intel Wired Ethernet Linux Kernel Driver Development\n <intel-wired-lan.osuosl.org>","List-Unsubscribe":"<https://lists.osuosl.org/mailman/options/intel-wired-lan>,\n 
<mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>","List-Archive":"<http://lists.osuosl.org/pipermail/intel-wired-lan/>","List-Post":"<mailto:intel-wired-lan@osuosl.org>","List-Help":"<mailto:intel-wired-lan-request@osuosl.org?subject=help>","List-Subscribe":"<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>","Errors-To":"intel-wired-lan-bounces@osuosl.org","Sender":"\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>"},"content":"From: Paul Greenwalt <paul.greenwalt@intel.com>\n\nPrevent out-of-bounds MMIO accesses triggered through user-controlled\nregister offsets.  IXGBE_HFDR (0x15FE8) is the highest valid MMIO\nregister in the ixgbe register map; any offset beyond it would address\nunmapped memory.\n\nAdd a defense-in-depth check at two levels:\n\n1. ixgbe_read_reg() -- the noinline register read accessor.  A\n   WARN_ON_ONCE() guard here catches any future code path (including\n   ioctl extensions) that might inadvertently pass an out-of-range\n   offset without relying on higher layers to catch it first.\n   ixgbe_write_reg() is a static inline called from the TX/RX hot path;\n   adding WARN_ON_ONCE there would inline the check at every call site,\n   so only the read path gets this guard.\n\n2. 
ixgbe_dbg_reg_ops_write() -- the debugfs 'reg_ops' interface is the\n   only current path where a raw, user-supplied offset enters the driver.\n   Gating it before invoking the register accessors provides a clean,\n   user-visible failure (silent ignore with no kernel splat) for\n   deliberately malformed debugfs writes.\n\nAdd a reg <= IXGBE_HFDR guard to both the read and write paths in\nixgbe_dbg_reg_ops_write(), and a WARN_ON_ONCE + early-return guard to\nixgbe_read_reg().\n\nFixes: 91fbd8f081e2 (\"ixgbe: added reg_ops file to debugfs\")\nSigned-off-by: Paul Greenwalt <paul.greenwalt@intel.com>\nCc: stable@vger.kernel.org\nReviewed-by: Simon Horman <horms@kernel.org>\nSigned-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>\n---\nv2 -> v3:\n - Add Reviewed-by: Simon Horman; no code change.\n\nv1 -> v2:\n - Add Fixes: tag; reroute from iwl-next to iwl-net (security-relevant\n   hardening for user-controllable out-of-bounds MMIO).\n\n drivers/net/ethernet/intel/ixgbe/ixgbe_debugfs.c | 6 ++++--\n drivers/net/ethernet/intel/ixgbe/ixgbe_main.c    | 2 ++\n 2 files changed, 6 insertions(+), 2 deletions(-)","diff":"diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_debugfs.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_debugfs.c\nindex 5b1cf49d..a6a19c0 100644\n--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_debugfs.c\n+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_debugfs.c\n@@ -86,7 +86,8 @@ static ssize_t ixgbe_dbg_reg_ops_write(struct file *filp,\n \t\tu32 reg, value;\n \t\tint cnt;\n \t\tcnt = sscanf(&ixgbe_dbg_reg_ops_buf[5], \"%x %x\", &reg, &value);\n-\t\tif (cnt == 2) {\n+\t\t/* bounds-check register offset */\n+\t\tif (cnt == 2 && reg <= IXGBE_HFDR) {\n \t\t\tIXGBE_WRITE_REG(&adapter->hw, reg, value);\n \t\t\tvalue = IXGBE_READ_REG(&adapter->hw, reg);\n \t\t\te_dev_info(\"write: 0x%08x = 0x%08x\\n\", reg, value);\n@@ -97,7 +98,8 @@ static ssize_t ixgbe_dbg_reg_ops_write(struct file *filp,\n \t\tu32 reg, value;\n \t\tint cnt;\n \t\tcnt = 
sscanf(&ixgbe_dbg_reg_ops_buf[4], \"%x\", &reg);\n-\t\tif (cnt == 1) {\n+\t\t/* bounds-check register offset */\n+\t\tif (cnt == 1 && reg <= IXGBE_HFDR) {\n \t\t\tvalue = IXGBE_READ_REG(&adapter->hw, reg);\n \t\t\te_dev_info(\"read 0x%08x = 0x%08x\\n\", reg, value);\n \t\t} else {\n\ndiff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c\nindex 210c7b9..4a1f3c2 100644\n--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c\n+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c\n@@ -354,4 +354,6 @@ u32 ixgbe_read_reg(struct ixgbe_hw *hw, u32 reg)\n \tif (ixgbe_removed(reg_addr))\n \t\treturn IXGBE_FAILED_READ_REG;\n+\tif (WARN_ON_ONCE(reg > IXGBE_HFDR))\n+\t\treturn IXGBE_FAILED_READ_REG;\n \tif (unlikely(hw->phy.nw_mng_if_sel &\n \t\t     IXGBE_NW_MNG_IF_SEL_SGMII_ENABLE)) {\n","prefixes":["iwl-net","v3","2/6"]}
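Review bot: in the first hunk of ixgbe_dbg_reg_ops_write() in ixgbe_debugfs.c (the "write" command), the new `reg <= IXGBE_HFDR` test is folded into the `cnt == 2` condition, so an out-of-range offset takes the same path as a line that sscanf() could not parse and the person writing to reg_ops cannot tell the two apart. The commit message describes the result both as a "clean, user-visible failure" and as a "silent ignore"; pick one and make the code say it, for example by testing the range in its own branch that reports the rejected offset. Per the commit message ixgbe_write_reg() gets no guard of its own, so this condition is the only bounds check on the write side; saying that in the comment would be more useful than "bounds-check register offset", which restates the condition.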
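Review bot: in the second hunk of ixgbe_dbg_reg_ops_write() in ixgbe_debugfs.c (the "read" command), `cnt == 1 && reg <= IXGBE_HFDR` only bounds the offset from above, so any value parsed by `%x` that is not a multiple of 4 is still handed to IXGBE_READ_REG. If only aligned 32-bit registers are meant to be reachable from debugfs, add an alignment test next to the range test. The same range condition now appears in both commands; a small shared helper would keep the two from drifting apart if the limit changes.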
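Review bot: in ixgbe_read_reg() in ixgbe_main.c, the new `reg > IXGBE_HFDR` branch returns IXGBE_FAILED_READ_REG, the same value the ixgbe_removed() branch directly above it returns, so a caller cannot distinguish a bad offset from a removed adapter. Please confirm that no caller treats that value as device removal, or state in a comment that the reuse is intentional. The added lines also carry no comment at all; one line noting that IXGBE_HFDR is the highest valid register in the map (as the commit message explains) would document why that constant is the limit.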