Hi!
[ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ]
Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed beyond its size. It was fixed by using a local variable num_q_vectors as a limit for loop index, and ensure that num_q_vectors is not bigger than MAX_Q_VECTORS.
Ok, so this is interesting design.
+++ b/drivers/net/ethernet/intel/igb/igb_main.c @@ -945,6 +945,7 @@ static void igb_configure_msix(struct igb_adapter *adapter) **/ static int igb_request_msix(struct igb_adapter *adapter) {
- unsigned int num_q_vectors = adapter->num_q_vectors; struct net_device *netdev = adapter->netdev; int i, err = 0, vector = 0, free_vector = 0;
@@ -953,7 +954,13 @@ static int igb_request_msix(struct igb_adapter *adapter) if (err) goto err_out;
- for (i = 0; i < adapter->num_q_vectors; i++) {
- if (num_q_vectors > MAX_Q_VECTORS) {
num_q_vectors = MAX_Q_VECTORS;dev_warn(&adapter->pdev->dev,"The number of queue vectors (%d) is higher than max allowed (%d)\n",adapter->num_q_vectors, MAX_Q_VECTORS);- }
- for (i = 0; i < num_q_vectors; i++) { struct igb_q_vector *q_vector = adapter->q_vector[i];
vector++;
We limit num_q_vectors here, but too big value remains in adapter->num_q_vectors. Loop in igb_request_msix is fixed, but there's similar loop in igb_configure_msix() and in igb_free_irq() and igp_up() and ...
Either adapter->num_q_vectors should be limited, or all those places need fixing, no?
Best regards, Pavel