array_index_nospec() clamp the rxq_idx within the range of
[0, dev->real_num_rx_queues), move the check before it.

Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
---
 net/core/netdev_rx_queue.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/core/netdev_rx_queue.c b/net/core/netdev_rx_queue.c
index d126f10197bf..3bf1151d8061 100644
--- a/net/core/netdev_rx_queue.c
+++ b/net/core/netdev_rx_queue.c
@@ -97,14 +97,12 @@ int __net_mp_open_rxq(struct net_device *dev, unsigned int rxq_idx,
 	if (!netdev_need_ops_lock(dev))
 		return -EOPNOTSUPP;
 
-	if (rxq_idx >= dev->real_num_rx_queues)
-		return -EINVAL;
-	rxq_idx = array_index_nospec(rxq_idx, dev->real_num_rx_queues);
-
 	if (rxq_idx >= dev->real_num_rx_queues) {
 		NL_SET_ERR_MSG(extack, "rx queue index out of range");
 		return -ERANGE;
 	}
+	rxq_idx = array_index_nospec(rxq_idx, dev->real_num_rx_queues);
+
 	if (dev->cfg->hds_config != ETHTOOL_TCP_DATA_SPLIT_ENABLED) {
 		NL_SET_ERR_MSG(extack, "tcp-data-split is disabled");
 		return -EINVAL;
-- 
2.34.1

On Tue, Jun 24, 2025 at 6:44 AM Yue Haibing <yuehaibing@huawei.com> wrote:
>
> array_index_nospec() clamp the rxq_idx within the range of
> [0, dev->real_num_rx_queues), move the check before it.
>
> Signed-off-by: Yue Haibing <yuehaibing@huawei.com>

Fix looks valid to me. The current code looks wrong because the
dev->real_num_rx_queues check is done twice, so we'll never hit the
NL_SET_ERR_MSG.

One side effect of this is that userspace code that does an out of
range rxq bind will see EINVAL before this patch and it will see an
ERANGE with a netlink error message after this patch. I think this
change is fine even though it's a minor uapi change.

Reviewed-by: Mina Almasry <almasrymina@google.com>

-- 
Thanks,
Mina