
Commit fc428175 authored by Michal Schmidt's avatar Michal Schmidt Committed by Greg Kroah-Hartman

bnx2x: fix possible overrun of VFPF multicast addresses array




[ Upstream commit 22118d861cec5da6ed525aaf12a3de9bfeffc58f ]

It is too late to check for the limit of the number of VF multicast
addresses after they have already been copied to the req->multicast[]
array, possibly overflowing it.

Do the check before copying.

Also fix the error path to not skip unlocking vf2pf_mutex.

Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent b263f04c
+11 −12
@@ -826,7 +826,7 @@ int bnx2x_vfpf_set_mcast(struct net_device *dev)
	struct bnx2x *bp = netdev_priv(dev);
	struct vfpf_set_q_filters_tlv *req = &bp->vf2pf_mbox->req.set_q_filters;
	struct pfvf_general_resp_tlv *resp = &bp->vf2pf_mbox->resp.general_resp;
	int rc, i = 0;
	int rc = 0, i = 0;
	struct netdev_hw_addr *ha;

	if (bp->state != BNX2X_STATE_OPEN) {
@@ -841,6 +841,15 @@ int bnx2x_vfpf_set_mcast(struct net_device *dev)
	/* Get Rx mode requested */
	DP(NETIF_MSG_IFUP, "dev->flags = %x\n", dev->flags);

	/* We support PFVF_MAX_MULTICAST_PER_VF mcast addresses tops */
	if (netdev_mc_count(dev) > PFVF_MAX_MULTICAST_PER_VF) {
		DP(NETIF_MSG_IFUP,
		   "VF supports not more than %d multicast MAC addresses\n",
		   PFVF_MAX_MULTICAST_PER_VF);
		rc = -EINVAL;
		goto out;
	}

	netdev_for_each_mc_addr(ha, dev) {
		DP(NETIF_MSG_IFUP, "Adding mcast MAC: %pM\n",
		   bnx2x_mc_addr(ha));
@@ -848,16 +857,6 @@ int bnx2x_vfpf_set_mcast(struct net_device *dev)
		i++;
	}

	/* We support four PFVF_MAX_MULTICAST_PER_VF mcast
	  * addresses tops
	  */
	if (i >= PFVF_MAX_MULTICAST_PER_VF) {
		DP(NETIF_MSG_IFUP,
		   "VF supports not more than %d multicast MAC addresses\n",
		   PFVF_MAX_MULTICAST_PER_VF);
		return -EINVAL;
	}

	req->n_multicast = i;
	req->flags |= VFPF_SET_Q_FILTERS_MULTICAST_CHANGED;
	req->vf_qid = 0;
@@ -882,7 +881,7 @@ int bnx2x_vfpf_set_mcast(struct net_device *dev)
out:
	bnx2x_vfpf_finalize(bp, &req->first_tlv);

	return 0;
	return rc;
}

int bnx2x_vfpf_storm_rx_mode(struct bnx2x *bp)
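Review bot: The `netdev_for_each_mc_addr` loop in the second hunk still has no bound of its own on `i`; the copy into `req->multicast[]` (the line between the second and third hunks, not shown) is protected only by the earlier `netdev_mc_count(dev)` check. Whether the device's address list is locked across both the count and the walk is not visible here, so if the list can grow in between, the overrun described in the commit message could return. A guard at the top of the loop body, `if (i >= PFVF_MAX_MULTICAST_PER_VF) { rc = -EINVAL; goto out; }`, would tie the bound to the write itself. Separately, the comparison moved from `>=` to `>`, which is correct only if `req->multicast[]` is declared with PFVF_MAX_MULTICAST_PER_VF entries; that declaration is outside the hunks and worth confirming.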