lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <202205221009.XjbSXonE-lkp@intel.com>
Date:   Mon, 23 May 2022 16:20:53 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, Sunil Goutham <sgoutham@...vell.com>
Cc:     lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org,
        Subbaraya Sundeep <sbhatta@...vell.com>
Subject: drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c:4360
 rvu_mbox_handler_nix_bandprof_free() error: testing array offset 'idx' after
 use.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   eaea45fc0e7b6ae439526b4a41d91230c8517336
commit: e8e095b3b37004a4048af69de60c9af2d2268a1d octeontx2-af: cn10k: Bandwidth profiles config support
config: s390-randconfig-m031-20220522 (https://download.01.org/0day-ci/archive/20220522/202205221009.XjbSXonE-lkp@intel.com/config)
compiler: s390-linux-gcc (GCC) 11.3.0

If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

smatch warnings:
drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c:4360 rvu_mbox_handler_nix_bandprof_free() error: testing array offset 'idx' after use.

vim +/idx +4360 drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c

e8e095b3b37004 Sunil Goutham 2021-06-15  4318  int rvu_mbox_handler_nix_bandprof_free(struct rvu *rvu,
e8e095b3b37004 Sunil Goutham 2021-06-15  4319  				       struct nix_bandprof_free_req *req,
e8e095b3b37004 Sunil Goutham 2021-06-15  4320  				       struct msg_rsp *rsp)
e8e095b3b37004 Sunil Goutham 2021-06-15  4321  {
e8e095b3b37004 Sunil Goutham 2021-06-15  4322  	int blkaddr, layer, prof_idx, idx, err;
e8e095b3b37004 Sunil Goutham 2021-06-15  4323  	u16 pcifunc = req->hdr.pcifunc;
e8e095b3b37004 Sunil Goutham 2021-06-15  4324  	struct nix_ipolicer *ipolicer;
e8e095b3b37004 Sunil Goutham 2021-06-15  4325  	struct nix_hw *nix_hw;
e8e095b3b37004 Sunil Goutham 2021-06-15  4326  
e8e095b3b37004 Sunil Goutham 2021-06-15  4327  	if (req->free_all)
e8e095b3b37004 Sunil Goutham 2021-06-15  4328  		return nix_free_all_bandprof(rvu, pcifunc);
e8e095b3b37004 Sunil Goutham 2021-06-15  4329  
e8e095b3b37004 Sunil Goutham 2021-06-15  4330  	if (!rvu->hw->cap.ipolicer)
e8e095b3b37004 Sunil Goutham 2021-06-15  4331  		return NIX_AF_ERR_IPOLICER_NOTSUPP;
e8e095b3b37004 Sunil Goutham 2021-06-15  4332  
e8e095b3b37004 Sunil Goutham 2021-06-15  4333  	err = nix_get_struct_ptrs(rvu, pcifunc, &nix_hw, &blkaddr);
e8e095b3b37004 Sunil Goutham 2021-06-15  4334  	if (err)
e8e095b3b37004 Sunil Goutham 2021-06-15  4335  		return err;
e8e095b3b37004 Sunil Goutham 2021-06-15  4336  
e8e095b3b37004 Sunil Goutham 2021-06-15  4337  	mutex_lock(&rvu->rsrc_lock);
e8e095b3b37004 Sunil Goutham 2021-06-15  4338  	/* Free the requested profile indices */
e8e095b3b37004 Sunil Goutham 2021-06-15  4339  	for (layer = 0; layer < BAND_PROF_NUM_LAYERS; layer++) {
e8e095b3b37004 Sunil Goutham 2021-06-15  4340  		if (layer == BAND_PROF_INVAL_LAYER)
e8e095b3b37004 Sunil Goutham 2021-06-15  4341  			continue;
e8e095b3b37004 Sunil Goutham 2021-06-15  4342  		if (!req->prof_count[layer])
e8e095b3b37004 Sunil Goutham 2021-06-15  4343  			continue;
e8e095b3b37004 Sunil Goutham 2021-06-15  4344  
e8e095b3b37004 Sunil Goutham 2021-06-15  4345  		ipolicer = &nix_hw->ipolicer[layer];
e8e095b3b37004 Sunil Goutham 2021-06-15  4346  		for (idx = 0; idx < req->prof_count[layer]; idx++) {
e8e095b3b37004 Sunil Goutham 2021-06-15  4347  			prof_idx = req->prof_idx[layer][idx];

"idx" is used here

e8e095b3b37004 Sunil Goutham 2021-06-15  4348  			if (prof_idx >= ipolicer->band_prof.max ||
e8e095b3b37004 Sunil Goutham 2021-06-15  4349  			    ipolicer->pfvf_map[prof_idx] != pcifunc)
e8e095b3b37004 Sunil Goutham 2021-06-15  4350  				continue;
e8e095b3b37004 Sunil Goutham 2021-06-15  4351  
e8e095b3b37004 Sunil Goutham 2021-06-15  4352  			/* Clear ratelimit aggregation, if any */
e8e095b3b37004 Sunil Goutham 2021-06-15  4353  			if (layer == BAND_PROF_LEAF_LAYER &&
e8e095b3b37004 Sunil Goutham 2021-06-15  4354  			    ipolicer->match_id[prof_idx])
e8e095b3b37004 Sunil Goutham 2021-06-15  4355  				nix_clear_ratelimit_aggr(rvu, nix_hw, prof_idx);
e8e095b3b37004 Sunil Goutham 2021-06-15  4356  
e8e095b3b37004 Sunil Goutham 2021-06-15  4357  			ipolicer->pfvf_map[prof_idx] = 0x00;
e8e095b3b37004 Sunil Goutham 2021-06-15  4358  			ipolicer->match_id[prof_idx] = 0;
e8e095b3b37004 Sunil Goutham 2021-06-15  4359  			rvu_free_rsrc(&ipolicer->band_prof, prof_idx);
e8e095b3b37004 Sunil Goutham 2021-06-15 @4360  			if (idx == MAX_BANDPROF_PER_PFFUNC)

So if it's == MAX_BANDPROF_PER_PFFUNC then we are already one element
beyond the end of the array.

e8e095b3b37004 Sunil Goutham 2021-06-15  4361  				break;
e8e095b3b37004 Sunil Goutham 2021-06-15  4362  		}
e8e095b3b37004 Sunil Goutham 2021-06-15  4363  	}
e8e095b3b37004 Sunil Goutham 2021-06-15  4364  	mutex_unlock(&rvu->rsrc_lock);
e8e095b3b37004 Sunil Goutham 2021-06-15  4365  	return 0;
e8e095b3b37004 Sunil Goutham 2021-06-15  4366  }

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ