On 5/4/2026 6:26 AM, Larysa Zaremba wrote: > On Thu, Apr 30, 2026 at 09:38:44AM -0700, Jacob Keller wrote: >> On 4/29/2026 12:42 AM, Larysa Zaremba wrote: >>> Based on the following feedback from Sashiko (received for iXD phase 1 >>> patchset, but valid for the net tree): >>> >>> "Is the bounds check xn_params.recv_mem.iov_len < lut_buf_size sufficient? >>> Since lut_buf_size only represents the size of the array elements, should >>> this check instead verify that the payload is at least >>> sizeof(struct virtchnl2_rss_lut) + lut_buf_size? >>> >>> [...] >>> >>> Does memcpy copy the correct amount of data here? rss_lut_size stores the >>> number of 32-bit entries, not the size in bytes. Should it use >>> lut_buf_size or rss_data->rss_lut_size * sizeof(u32) instead?" >>> >>> After inspecting the code, it was concluded that RSS memcpy size is in fact >>> 4 times smaller than it has to be, since a single array entry in a u32, and >>> rss_data->rss_lut_size is clearly used as an array size. Required Rx buffer >>> size is also too small, but this is a common issue in the idpf code. >>> >>> Use a full buffer size (lut_buf_size) instead of the array length >>> (rss_data->rss_lut_size) when doing memcpy of RSS lookup table. >>> While at it, increase required Rx buffer size to a whole flex-array >>> containing structure instead of just the array. >>> >>> Link: >>> https://sashiko.dev/#/patchset/20260323174052.5355-1-larysa.zaremba%40intel.com?part=8 >>> Fixes: 95af467d9a4e ("idpf: configure resources for RX queues") >>> Reviewed-by: Aleksandr Loktionov <[email protected]> >>> Signed-off-by: Larysa Zaremba <[email protected]> >>> --- >>> drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 4 ++-- >>> 1 file changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c >>> b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c >>> index be66f9b2e101..a97d2e9b54d4 100644 >>> --- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c >>> +++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c >>> @@ -2916,7 +2916,7 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_adapter >>> *adapter, >>> return -EIO; >>> >>> lut_buf_size = le16_to_cpu(recv_rl->lut_entries) * sizeof(u32); >>> - if (reply_sz < lut_buf_size) >>> + if (reply_sz < lut_buf_size + sizeof(struct virtchnl2_rss_lut)) >> >> This feels like it should be using struct_size or flex_array_size... >> > > struct_size() does not really fit here, as lut_buf_size is needed later for > flex-array-only memcpy, but flex_array_size() I can use. >
Right. I am mostly thinking in terms of the intent of the safety mechanisms provided by these macros. (part of what they do is prevent accidental overflow by capping at SIZE_T_MAX for example). >>> return -EIO; >>> >>> /* size didn't change, we can reuse existing lut buf */ >>> @@ -2933,7 +2933,7 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_adapter >>> *adapter, >>> } >>> >>> do_memcpy: >>> - memcpy(rss_data->rss_lut, recv_rl->lut, rss_data->rss_lut_size); >>> + memcpy(rss_data->rss_lut, recv_rl->lut, lut_buf_size); >>> >>> return 0; >>> } >>
