From nobody Mon Feb 9 13:59:45 2026 Received: from mx13.kaspersky-labs.com (mx13.kaspersky-labs.com [91.103.66.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C50A033D6C1; Thu, 13 Nov 2025 11:28:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.103.66.164 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763033313; cv=none; b=s9GYY2pZ6MhKVKqVFFdE8OP6WQuWQrIis6BlTG2IDg87+2WhXC0Qp1ReF7ldHEDtmXoyZkQ4pmDhotvHy826s5yiR/39kQL5OsHCBnWqFeCuqzozWy5/JsmjMpmoVor8syPte/zQTDpHek84qaeK+dGur6XZuzoIm2+GCpgxIKs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763033313; c=relaxed/simple; bh=o8dEOJw7frbNkJT3d0SlXgnjHlKba/atKkTeRzZLd+c=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=CzYQ+byVnFaUhtGpu14uL5rNfemCC2b0QbtDzVufXkFDaSWzth5KWDzB4m9AdI49p8SedV4L+n4VI++hT3+q+AUKF/fLcnAReKjL63A89m3Nk+KgIUP0a/UFjCqeV9jheSH+nF3IedGSOzsn+9uBrnghq3SwOYzHGfo/i0IeE/U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=kaspersky.com; spf=pass smtp.mailfrom=kaspersky.com; dkim=pass (2048-bit key) header.d=kaspersky.com header.i=@kaspersky.com header.b=xTYduw1v; arc=none smtp.client-ip=91.103.66.164 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=kaspersky.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=kaspersky.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kaspersky.com header.i=@kaspersky.com header.b="xTYduw1v" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kaspersky.com; s=mail202505; t=1763033303; bh=QeQWTdUb5RiL3N3OR5TUSanrtr0MLR8vPqPzwjSUr6k=; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; b=xTYduw1voFYtKpGwYA9H6Z/KUylYYoWlIFx9bW8rCgAf2bEOGX49LvdzFwcd9GCf6 pgCuiwvwA1Xi2oexN/Raax1xppoKECvn6aeA/wAas9e9TkZhuYJfUsGX+XhC6Fo7eY 4z/wwQKGMHcaeal/ZP384+u0bdKLdAi2getSEjiCnI+sW3tWFeqFUgVy8VO+LTkCpA 8h7cdNV7GAhQcLktvbqQOh5/oa464gHeyoDonWVqOCt49sgYY+QloMrdxNB6FP1rd6 cMahRCIxemqx9liEvPP7j0wmBMInsPcpP9aXnQUYGTU80hrH46d476vG2iNXmcGNck ER9WpH/EWea/g== Received: from relay13.kaspersky-labs.com (localhost [127.0.0.1]) by relay13.kaspersky-labs.com (Postfix) with ESMTP id 032A83E47F7; Thu, 13 Nov 2025 14:28:23 +0300 (MSK) Received: from mail-hq2.kaspersky.com (unknown [91.103.66.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail-hq2.kaspersky.com", Issuer "Kaspersky MailRelays CA G3" (verified OK)) by mailhub13.kaspersky-labs.com (Postfix) with ESMTPS id B6C163E4518; Thu, 13 Nov 2025 14:28:21 +0300 (MSK) Received: from zhigulin-p.avp.ru (10.16.104.190) by HQMAILSRV2.avp.ru (10.64.57.52) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.29; Thu, 13 Nov 2025 14:27:58 +0300 From: Pavel Zhigulin To: Manish Chopra CC: Pavel Zhigulin , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Yuval Mintz , , , Subject: [PATCH net] net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() Date: Thu, 13 Nov 2025 14:27:56 +0300 Message-ID: <20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: HQMAILSRV2.avp.ru (10.64.57.52) To HQMAILSRV2.avp.ru (10.64.57.52) X-KSE-ServerInfo: HQMAILSRV2.avp.ru, 9 X-KSE-AntiSpam-Interceptor-Info: scan successful X-KSE-AntiSpam-Version: 6.1.1, Database issued on: 11/13/2025 11:04:19 X-KSE-AntiSpam-Status: KAS_STATUS_NOT_DETECTED X-KSE-AntiSpam-Method: none X-KSE-AntiSpam-Rate: 0 X-KSE-AntiSpam-Info: Lua profiles 198040 [Nov 13 2025] X-KSE-AntiSpam-Info: Version: 6.1.1.11 X-KSE-AntiSpam-Info: Envelope from: Pavel.Zhigulin@kaspersky.com X-KSE-AntiSpam-Info: LuaCore: 75 0.3.75 aab2175a55dcbd410b25b8694e49bbee3c09cdde X-KSE-AntiSpam-Info: {Tracking_cluster_exceptions} X-KSE-AntiSpam-Info: {Tracking_real_kaspersky_domains} X-KSE-AntiSpam-Info: {Tracking_uf_ne_domains} X-KSE-AntiSpam-Info: {Tracking_from_domain_doesnt_match_to} X-KSE-AntiSpam-Info: zhigulin-p.avp.ru:7.1.1,5.0.1;kaspersky.com:7.1.1,5.0.1;127.0.0.199:7.1.2;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1 X-KSE-AntiSpam-Info: {Tracking_white_helo} X-KSE-AntiSpam-Info: FromAlignment: s X-KSE-AntiSpam-Info: Rate: 0 X-KSE-AntiSpam-Info: Status: not_detected X-KSE-AntiSpam-Info: Method: none X-KSE-Antiphishing-Info: Clean X-KSE-Antiphishing-ScanningType: Deterministic X-KSE-Antiphishing-Method: None X-KSE-Antiphishing-Bases: 11/13/2025 11:06:00 X-KSE-AttachmentFiltering-Interceptor-Info: no applicable attachment filtering rules found X-KSE-Antivirus-Interceptor-Info: scan successful X-KSE-Antivirus-Info: Clean, bases: 11/13/2025 10:11:00 AM X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit X-KSE-AttachmentFiltering-Interceptor-Info: no applicable attachment filtering rules found X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit X-KSMG-AntiPhishing: NotDetected X-KSMG-AntiSpam-Interceptor-Info: not scanned X-KSMG-AntiSpam-Status: not scanned, disabled by settings X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 2.1.1.8310, bases: 2025/11/13 09:15:00 #27919685 X-KSMG-AntiVirus-Status: NotDetected, skipped X-KSMG-LinksScanning: NotDetected X-KSMG-Message-Action: skipped X-KSMG-Rule-ID: 52 Content-Type: text/plain; charset="utf-8" The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate over 'cqe->len_list[]' using only a zero-length terminator as the stopping condition. If the terminator was missing or malformed, the loop could run past the end of the fixed-size array. Add an explicit bound check using ARRAY_SIZE() in both loops to prevent a potential out-of-bounds access. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardwa= re GRO") Signed-off-by: Pavel Zhigulin --- drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ether= net/qlogic/qede/qede_fp.c index 847fa62c80df..e338bfc8b7b2 100644 --- a/drivers/net/ethernet/qlogic/qede/qede_fp.c +++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c @@ -4,6 +4,7 @@ * Copyright (c) 2019-2020 Marvell International Ltd. */ +#include #include #include #include @@ -960,7 +961,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev, { int i; - for (i =3D 0; cqe->len_list[i]; i++) + for (i =3D 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, le16_to_cpu(cqe->len_list[i])); @@ -985,7 +986,7 @@ static int qede_tpa_end(struct qede_dev *edev, dma_unmap_page(rxq->dev, tpa_info->buffer.mapping, PAGE_SIZE, rxq->data_direction); - for (i =3D 0; cqe->len_list[i]; i++) + for (i =3D 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, le16_to_cpu(cqe->len_list[i])); if (unlikely(i > 1)) -- 2.43.0