driver inclusion category: bugfix bugzilla: NA CVE: NA DTS: DTS2021090316794
----------------------------
The bd_num comes from firmware; it may be bigger than the ring size, which may cause a memory overwrite problem.
Signed-off-by: Yonglong Liu liuyonglong@huawei.com
---
.../net/ethernet/hisilicon/hns3/hns3_cae/hns3_cae_port.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_cae/hns3_cae_port.c b/drivers/net/ethernet/hisilicon/hns3/hns3_cae/hns3_cae_port.c
index cede7eb5ef33..5404048ad60d 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_cae/hns3_cae_port.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_cae/hns3_cae_port.c
@@ -88,6 +88,12 @@ int hns3_get_port_info(const struct hns3_nic_priv *net_priv,
 desc_data = (__le32 *)(&desc.data[0]);
 bd_num = le32_to_cpu(*desc_data);
+ if (bd_num > hdev->hw.cmq.csq.desc_num) {
+ dev_err(&hdev->pdev->dev, "get invalid BD num %u(max %u)\n",
+ bd_num, hdev->hw.cmq.csq.desc_num);
+ return -EINVAL;
+ }
+
 port_desc = kcalloc(bd_num, sizeof(struct hclge_desc), GFP_KERNEL);
 if (ZERO_OR_NULL_PTR(port_desc))
 return -ENOMEM;
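Review bot: The new guard in hns3_get_port_info rejects only values above csq.desc_num, so a firmware-reported bd_num of 0 still reaches kcalloc and is returned as -ENOMEM by the ZERO_OR_NULL_PTR test, which misreports a malformed firmware reply as an allocation failure and skips the log line. Folding the lower bound into the same check, `if (!bd_num || bd_num > hdev->hw.cmq.csq.desc_num) {`, would return -EINVAL and log the bad value in both cases. It is also worth confirming whether a request of exactly desc_num descriptors can ever be queued, since command rings often keep one slot free; if this one does, the comparison should be `>=`. The function body starts and ends outside the hunk, so the later uses of bd_num that the bound is meant to protect are not visible here.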