The branch main has been updated by vmaffione:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=4ba9ad0dc316940f32065b05f24259f942c0692d

commit 4ba9ad0dc316940f32065b05f24259f942c0692d
Author:     Vincenzo Maffione <vmaffi...@freebsd.org>
AuthorDate: 2021-01-10 13:49:51 +0000
Commit:     Vincenzo Maffione <vmaffi...@freebsd.org>
CommitDate: 2021-01-10 13:59:20 +0000

    iflib: add assert to prevent out-of-bounds array access
    
    The iflib_queues_alloc() allocates isc_nrxqs iflib_dma_info structs
    for each rxqset, and links each struct to a different free list.
    As a result, it must be isc_nrxqs >= isc_nfl (plus the completion
    queue, if present).
    Add an assertion to make this constraint explicit.
    
    MFC after:      2 weeks
---
 sys/net/iflib.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/sys/net/iflib.c b/sys/net/iflib.c
index 3de80ecaeb0c..e53c5031d3a7 100644
--- a/sys/net/iflib.c
+++ b/sys/net/iflib.c
@@ -5547,11 +5547,14 @@ iflib_queues_alloc(if_ctx_t ctx)
        uint8_t nrxqs = sctx->isc_nrxqs;
        uint8_t ntxqs = sctx->isc_ntxqs;
        int nfree_lists = sctx->isc_nfl ? sctx->isc_nfl : 1;
+       int fl_offset = (sctx->isc_flags & IFLIB_HAS_RXCQ ? 1 : 0);
        caddr_t *vaddrs;
        uint64_t *paddrs;
 
        KASSERT(ntxqs > 0, ("number of queues per qset must be at least 1"));
        KASSERT(nrxqs > 0, ("number of queues per qset must be at least 1"));
+       KASSERT(nrxqs >= fl_offset + nfree_lists,
+           ("there must be at least a rxq for each free list"));
 
        /* Allocate the TX ring struct memory */
        if (!(ctx->ifc_txqs =
@@ -5659,11 +5662,7 @@ iflib_queues_alloc(if_ctx_t ctx)
                }
                rxq->ifr_ctx = ctx;
                rxq->ifr_id = i;
-               if (sctx->isc_flags & IFLIB_HAS_RXCQ) {
-                       rxq->ifr_fl_offset = 1;
-               } else {
-                       rxq->ifr_fl_offset = 0;
-               }
+               rxq->ifr_fl_offset = fl_offset;
                rxq->ifr_nfl = nfree_lists;
                if (!(fl =
                          (iflib_fl_t) malloc(sizeof(struct iflib_fl) * 
nfree_lists, M_IFLIB, M_NOWAIT | M_ZERO))) {
_______________________________________________
dev-commits-src-main@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main
To unsubscribe, send any mail to "dev-commits-src-main-unsubscr...@freebsd.org"

Reply via email to