[PATCH iwl-net v2] idpf: fix RSS LUT memcpy size
From: Larysa Zaremba <hidden>
Date: 2026-05-04 14:44:03
Also in:
intel-wired-lan, lkml
Subsystem:
intel ethernet drivers, networking drivers, the rest · Maintainers:
Tony Nguyen, Przemek Kitszel, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds
Based on the following feedback from Sashiko (received for iXD phase 1 patchset, but valid for the net tree): "Is the bounds check xn_params.recv_mem.iov_len < lut_buf_size sufficient? Since lut_buf_size only represents the size of the array elements, should this check instead verify that the payload is at least sizeof(struct virtchnl2_rss_lut) + lut_buf_size? [...] Does memcpy copy the correct amount of data here? rss_lut_size stores the number of 32-bit entries, not the size in bytes. Should it use lut_buf_size or rss_data->rss_lut_size * sizeof(u32) instead?" After inspecting the code, it was concluded that RSS memcpy size is in fact 4 times smaller than it has to be, since a single array entry in a u32, and rss_data->rss_lut_size is clearly used as an array size. Required Rx buffer size is also too small, but this is a common issue in the idpf code. Use a full buffer size (lut_buf_size) instead of the array length (rss_data->rss_lut_size) when doing memcpy of RSS lookup table. While at it, increase required Rx buffer size to a whole flex-array containing structure instead of just the array. Link: https://sashiko.dev/#/patchset/20260323174052.5355-1-larysa.zaremba%40intel.com?part=8 Fixes: 95af467d9a4e ("idpf: configure resources for RX queues") Reviewed-by: Aleksandr Loktionov <redacted> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Larysa Zaremba <redacted> --- v1 -> v2: replace manual array size calculation with flex_array_size() v1: https://lore.kernel.org/netdev/20260429074232.180528-1-larysa.zaremba@intel.com/ (local) drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
index be66f9b2e101..0fc7c68447f8 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c@@ -2915,8 +2915,9 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_adapter *adapter, if (reply_sz < sizeof(struct virtchnl2_rss_lut)) return -EIO; - lut_buf_size = le16_to_cpu(recv_rl->lut_entries) * sizeof(u32); - if (reply_sz < lut_buf_size) + lut_buf_size = flex_array_size(recv_rl, lut, + le16_to_cpu(recv_rl->lut_entries)); + if (reply_sz < lut_buf_size + sizeof(struct virtchnl2_rss_lut)) return -EIO; /* size didn't change, we can reuse existing lut buf */
@@ -2933,7 +2934,7 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_adapter *adapter, } do_memcpy: - memcpy(rss_data->rss_lut, recv_rl->lut, rss_data->rss_lut_size); + memcpy(rss_data->rss_lut, recv_rl->lut, lut_buf_size); return 0; }
--
2.47.0